tianocore-docs/Understanding_UEFI_Secure_Boot_Chain

Ambiguities in intel_boot_guard.md

Opened this issue · 0 comments

Terminology in the diagram does not match that used in the page. I suppose "Key Hash" refers to the diagram's "Hash (Master Public Key)" and "Key Manifest Key" refers to "Dell Online PubKey"? I think the page should map the diagram's terms to its own terms to make things clearer.

Currently the "ACM IBB Verification" section is located before the "Microcode ACM Verification" section. However, ACM verification is performed before IBB verification. Thus it would be clearer if the order of the two sections were swapped.

The UDI here is the firmware IBB, so only the IBB needs to be signed.

Boot Policy Manifest – It records the hash of IBB and is signed by the Key Manifest Key.

If IBB is signed then why does Boot Policy Manifest record the hash of IBB rather than that of the signing key?

Key Manifest – It records a set of hashes for the public key pair which signs the Boot Policy Manifest, and it is signed Boot Guard Key.

"Boot Guard Key" is never mentioned anywhere else on the page and I was initially led to believe that it's unrelated to "Key Hash". Since "Key Hash" is referring to the hash of the "Boot Guard Key", then "Key Hash" should be renamed to "Boot Guard Key Hash" to avoid ambiguity.

If the verification fails, the TXT shutdown is signaled.

I suppose "TXT" is referring to Intel Trusted Execution Technology. This has never been mentioned before this page and the acronym is used here with no explanation or context. I think it should either be removed or be expanded upon if it is to remain.

To make sure the whole OEM Firmware is unmodified, the IBB needs to verify the reset OEM boot block (OBB).

What is a "reset OEM boot block"? How is it different from a normal OBB?

The UDI is OBB, which is not verified by IBB.

I suppose the "not" is a typo?
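As an added illustration (not part of this issue or of the tianocore document), a Python model of the chain the quoted passages describe: the fused Key Hash pins the Boot Guard Key, the Key Manifest carries the hash of the Key Manifest Key and is signed by the Boot Guard Key, the Boot Policy Manifest carries the IBB hash and is signed by the Key Manifest Key, and the IBB in turn carries the OBB hash. Signatures use a Lamport one-time scheme over SHA-256 so it runs with the standard library only; the dict field names and the "OBB hash in the first 32 bytes of the IBB" layout are constructed assumptions, not Intel's formats.

```python
import hashlib
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Lamport one-time signatures: a real public-key scheme, stdlib only.
def lamport_keygen():
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    pk = [[H(s0), H(s1)] for s0, s1 in sk]
    return sk, pk

def lamport_sign(sk, msg: bytes):
    bits = int.from_bytes(H(msg), "big")
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    bits = int.from_bytes(H(msg), "big")
    return all(H(sig[i]) == pk[i][(bits >> (255 - i)) & 1] for i in range(256))

def pk_hash(pk) -> bytes:
    # Hash of a public key, as recorded in the fuses (Key Hash) or in the KM.
    return H(b"".join(h0 + h1 for h0, h1 in pk))

def build_chain(obb: bytes):
    bg_sk, bg_pk = lamport_keygen()   # Boot Guard Key (OEM root, hash fused)
    km_sk, km_pk = lamport_keygen()   # Key Manifest Key (signs the BPM)
    ibb = H(obb) + b"<IBB code, constructed>"   # IBB pins the OBB hash
    bpm = {"signer_pk": km_pk, "ibb_hash": H(ibb)}
    bpm["sig"] = lamport_sign(km_sk, bpm["ibb_hash"])
    km = {"signer_pk": bg_pk, "km_key_hash": pk_hash(km_pk)}
    km["sig"] = lamport_sign(bg_sk, km["km_key_hash"])
    return pk_hash(bg_pk), km, bpm, ibb

def verify_chain(fused_key_hash, km, bpm, ibb: bytes, obb: bytes) -> str:
    # 1. Key Manifest: its signer must be the key whose hash is fused.
    if pk_hash(km["signer_pk"]) != fused_key_hash:
        return "KM key hash mismatch"
    if not lamport_verify(km["signer_pk"], km["km_key_hash"], km["sig"]):
        return "KM signature invalid"
    # 2. Boot Policy Manifest: signed by the key the KM vouches for.
    if pk_hash(bpm["signer_pk"]) != km["km_key_hash"]:
        return "BPM key not in KM"
    if not lamport_verify(bpm["signer_pk"], bpm["ibb_hash"], bpm["sig"]):
        return "BPM signature invalid"
    # 3. The IBB itself is not signed; the BPM signs its hash.
    if H(ibb) != bpm["ibb_hash"]:
        return "IBB hash mismatch"
    # 4. The verified IBB then checks the OBB against the hash it carries.
    if H(obb) != ibb[:32]:
        return "OBB hash mismatch"
    return "ok"
```

Each failure returns the stage at which the chain breaks, which is the point where a real implementation would signal the shutdown the page mentions.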