• Coreboot cannot (currently) ship binaries.
  • SquashFS needs work.
  • Proprietary firmware is involved, so we cannot ship binaries.
  • Cannot read a binary once it is burned in. Or, if I can, how can I ensure that what I “read” is really what is installed?
  • We want to have assurance of trust.
  • Checking that the firmware in flash is what I wrote into flash?
  • If I buy from a vendor, how do I know the vendor hasn’t put “bad” firmware in it?
  • Can we trust the storage?
  • I can check the integrity of a hard disk by mounting it read-only on a trusted machine. But how can I check a flash EEPROM on a trusted machine?
  • Currently coreboot does not publish any hashes. Should they publish hashes for standard configurations?
  • We should encourage third-party vendors to publish hashes of firmware shipped with hardware.
  • Coreboot should be encouraged to publish hashes for a select number of standard configurations/boards.