You ... have gained the ability to use secure boot?
jbri|14 years ago
Validating the integrity of the operating system using code stored as part of the operating system doesn't buy you anything - a prospective virus writer would just make sure to patch that checking code as well. You need to check integrity from outside that sandbox for it to be meaningful.
While the BIOS code does run on the same CPU as everything else, the important part is that it runs first - and the correct way of handling the keystore is to prevent it from being written to once non-BIOS code has started executing.
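The two properties the comment above relies on, the verifier running before any OS code and the keystore becoming read-only before hand-off, can be modelled in a few lines. The following is an added toy simulation written for this page, not code from the thread or from any firmware project; `Keystore`, `firmware_boot`, `os_stage_tamper` and the image bytes are all constructed names and values, and hash-based measurement stands in for a real signature check.

```python
import hashlib


class Keystore:
    """Firmware-owned store of trusted measurements (constructed toy, not real UEFI)."""

    def __init__(self, trusted):
        self._trusted = dict(trusted)
        self._locked = False

    def lock(self):
        # Firmware calls this before it transfers control to any non-firmware code.
        self._locked = True

    def set_trusted(self, name, digest):
        # Writes are only honoured while firmware still owns the machine.
        if self._locked:
            raise PermissionError("keystore is read-only after firmware hand-off")
        self._trusted[name] = digest

    def trusted_digest(self, name):
        return self._trusted.get(name)


def measure(image: bytes) -> str:
    """Measurement of an OS image; a real implementation would verify a signature instead."""
    return hashlib.sha256(image).hexdigest()


def firmware_boot(keystore: Keystore, image: bytes) -> bool:
    """Firmware stage: runs first, checks the image against the store, then locks the store.

    The check lives outside the OS, so OS code cannot patch it; the lock happens
    before hand-off regardless of the outcome, so OS code cannot re-key the store.
    """
    ok = measure(image) == keystore.trusted_digest("os")
    keystore.lock()
    return ok


def os_stage_tamper(keystore: Keystore, new_image: bytes) -> bool:
    """OS-stage code (possibly malicious) tries to bless a different image.

    Returns True only if the store accepted the write.
    """
    try:
        keystore.set_trusted("os", measure(new_image))
        return True
    except PermissionError:
        return False


def demo():
    good = b"constructed good OS image"          # constructed sample
    bad = b"constructed tampered OS image"       # constructed sample
    ks = Keystore({"os": measure(good)})

    boot_good = firmware_boot(ks, good)          # firmware runs first: accepted
    tamper_ok = os_stage_tamper(ks, bad)         # OS code runs after lock: refused

    # Next power cycle: firmware again runs first with a fresh, still-trusted store,
    # so the tampered image is rejected before any OS code executes.
    ks2 = Keystore({"os": measure(good)})
    boot_bad = firmware_boot(ks2, bad)
    return boot_good, tamper_ok, boot_bad


if __name__ == "__main__":
    print(demo())
```

The interesting line is the unconditional `keystore.lock()` inside `firmware_boot`: if the lock were left to the OS to perform, the attacker's patched OS would simply skip it, which is exactly the "checking code inside the sandbox" problem the comment describes.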