I’m happy with my NitroPC, the only thing I wonder about is how to secure the initial boot with coreboot/tianocore(?) with a password. Is this possible? If not, please implement it.
Threat model is rather a random bypasser trying to boot from a USB stick, i.e., than a more sophisticated attack.
We are aware of this drawback and it is due to the feature not being supported (properly) inside Tianocore.
Concerning the threat model, booting from a stick should not be a problem as your entire hard disk is encrypted, which means that even if someone boots into a live system, there will still be no access possible to your data.
Still, as you mentioned, the evil-maid scenario can happen, but is more sophisticated, as you say.
Who are “we” in this case? Nitrokey?
Is there any motion to add this? I’m a complete noob to tianocore but it looks like there’s basic support for that (https://bugzilla.tianocore.org/show_bug.cgi?id=1545), so I wonder what’s the blocker of using this? Are there any plans to add this basic security feature to the NitroPC firmware?
Or can you link any issue that Nitrokey came across implementing this?
To be clear: I’m super happy about having a modern NUC supporting coreboot/tianocore, it’s just that I just asked myself how much security I gained and how much I lost from not being able to prevent the evil-maid attack in comparison to a common vendor UEFI.
Thanks, good to hear it’s on your list.
Another, unrelated issue: I miss the ability to auto-power-on the NitroPC after power failure.
Reason is I use it as a small server in a basement rack, and it should resume unattended after power failure. Where’s the best place to request such features?