hey OEMs, here is specification for you
"If the UEFI loader just stops and tells me this has changed"
Close, except that UEFI has no notion of "changed" - it has a notion of "known signature". And I want actual mechanical switch(es), with no programmatic override of any kind, to allow adding new signatures to UEFI.
So, let's say I'm starting freshly installed Linux distribution (of freshly built kernel) which happens to use signed boot image (distribution key or my own). Start screen presents me with a warning about unrecognized signature of a boot image. My options are:
2. *only if RED mechanical switch is enabled* - import signature of that image into UEFI so no further warnings will be displayed. BIOS password will be required (if set).
3. *only if BLUE mechanical switch is enabled* - ignore and boot anyway
4. open BIOS settings (password required as usual) and disable signature check if BLUE mechanical switch is enabled
Another scenario is loading non-signed boot image (e.g. Windows 7) , start screen presents me with a warning about absent signature of a boot image. My options are:
2. *only if BLUE mechanical switch is enabled* - ignore and boot anyway
3. open BIOS settings (password required as usual) and disable signature check if BLUE mechanical switch is enabled
BIOS options required - just one:
1. skip signature check if BLUE mechanical switch is enabled.
No such BIOS option: "import new signatures" - enabled via RED mechanical switch only
Also no such BIOS option: "ignore check and boot anyway" - enable via BLUE mechanical switch only
Meaning no malware can manipulate these settings, but users with a clue can. Malware could manipulate one BIOS setting (above) but for it to be effective, BLUE mechanical switch must be enabled anyway so (l)user "cooperation" is required.
Clueless masses would only be able to boot from valid signed image, but anyone versed will be able to install any signature to UEFI or disable check completely. This should also work for corporations since skipping the check would involve opening the box or BIOS password; there is support staff to install keys in UEFI initially if required (e.g. on a Linux server or desktop). There is cost side of installing two mechanical switches, but I think motherboard vendors would love to sell two switches at the cost of $0.02 each for premium of $10 (could be done with one, but it makes it ambiguous, which is bad for security so smaller premium for vendor!).
Anyone welcome to use above specification, I claim no rights to it!