[post-launch] chipsec first-boot validation as portable service (ADR-010) #24

Description

@foil-copy-overrate

Post-launch research / implementation item. See ADR-010 (DPS over /etc/fstab).

Run chipsec at first boot to detect Absolute Persistence (Computrace) in the PCR event log and other firmware-level anomalies. Package as a DPS-compliant portable service (RootImage=, Verity+PKCS#7 signed GPT image) so it doesn't touch the immutable /usr.

Actions:

  • Research chipsec portable service packaging
  • Build chipsec GPT image with Verity+PKCS#7 signature
  • Run at first boot; report results to journal
  • Gate yubiOS-enroll.service on clean chipsec result (or warn)

ADR: ADR-010
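
A sketch of the first-boot unit and the enroll gate described above, as an added example that is not part of the issue or the project's code. The unit name `chipsec-firstboot.service`, the drop-in file name, the image path and the `chipsec_main` path inside the image are assumptions; device and kernel-driver access for chipsec inside the image is not shown, since it belongs to the packaging research item.

```ini
# --- chipsec-firstboot.service (hypothetical unit name) ---
[Unit]
Description=chipsec firmware validation (first boot only)
# Skipped on later boots; a skipped condition does not fail dependents.
ConditionFirstBoot=yes
Before=yubiOS-enroll.service

[Service]
Type=oneshot
RemainAfterExit=yes
# Placeholder path to the Verity+PKCS#7 signed GPT image.
RootImage=/var/lib/portables/chipsec.raw
# Refuse the image unless its root partition has a signed Verity root hash.
RootImagePolicy=root=signed:=unused+absent
# Placeholder path inside the image; a non-zero exit marks the unit failed.
ExecStart=/usr/bin/chipsec_main
# Report results to the journal under a fixed identifier.
StandardOutput=journal
StandardError=journal
SyslogIdentifier=chipsec-firstboot

# --- yubiOS-enroll.service.d/10-chipsec-gate.conf (strict: gate) ---
[Unit]
# Requires= alone does not order units; After= makes enroll wait for
# the chipsec result, and a failed run then blocks enrollment.
Requires=chipsec-firstboot.service
After=chipsec-firstboot.service

# --- alternative 10-chipsec-gate.conf (lenient: warn only) ---
# Wants= still pulls the check in and orders after it, but enrollment
# proceeds on failure; the failure stays visible in the journal.
# [Unit]
# Wants=chipsec-firstboot.service
# After=chipsec-firstboot.service
```

With the strict drop-in, `journalctl -t chipsec-firstboot` shows why enrollment did not start.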

Labels: post-launch (Post-launch / future work), security (Security hardening and cryptographic changes)