Is it even possible to unlock it with the signing key? Saying it's fused implies it's a one time thing, doesn't it?
I had the same initial reaction though. It seems like something that makes more sense as a jumper or something that can be reset by jumper so physical access becomes the requirement.
The only reason I can think of to do it as described is to kill the secondary market or, even worse, to maintain a lifetime licensing requirement on the system. If the signing keys can expire like signing certificates I expect step 2 will be custom signed firmware via a cloud portal where no license means no signing. I hope I'm wrong, but that's likely the endgame here.
TLDR; If the signature on the BIOS can expire, it's more nefarious than it sounds IMO.
You have to use on-die fuses to get most of the security benefit vs someone in customs who has a few hours alone with your server, as jumpers can be trivially modified to look like they are set/unset when they are not.
The header pins can be varnished (or other techniques) so they do not conduct, but they still look normal. To set a pin, 36GA wire between the plastic of the header and the PCB would do the trick. If the adversary had a particularly high budget, they could fabricate and install a header that would even pass inspection by a multi-meter's continuity check by making the outer part of the pins be electrically isolated from the inner, except where it contacts the PCB, where the attacker's choice of conductivity is made.
I don't think anyone has come up with a good way to downgrade the CPU from secure operation to insecure without also creating a way to bypass it for an attacker. The only way I can think of is if there was a revocation of secure mode that put the CPU serial number on a public list, then after a week, the CPU blew a fuse allowing it to boot in insecure mode. It will allow enterprises to be assured that the computers they are sending all over the globe are untampered, but still allow people who don't care to get them second hand and not be stuck with the rest of the computer. The hard part is making sure the CPU can only blow that fuse after it gets an ack that it's been a week. Ideally, there would be some way for the CPU to attest which mode it's running in so secondary audits of the CPU's state can be performed.
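An added toy model of the delayed-downgrade scheme sketched in the comment above (constructed here, not any vendor's mechanism and not the commenter's code): since the CPU has no clock it can trust, the week is measured between two authority-signed timestamps, the published revocation and the later ack, with a monotonic check so a stale or replayed message cannot roll the state back. The HMAC key stands in for a fused vendor public key; the serial, times and key are made up.

```python
import hashlib
import hmac
import json

WEEK = 7 * 24 * 3600  # seconds

# Constructed stand-in for the authority's signature: HMAC over the message bytes.
# A real design would fuse a public key and verify an asymmetric signature instead.
def authority_sign(key: bytes, body: dict) -> tuple[bytes, str]:
    msg = json.dumps(body, sort_keys=True).encode()
    return msg, hmac.new(key, msg, hashlib.sha256).hexdigest()

class SecureCpu:
    def __init__(self, serial: str, authority_key: bytes):
        self.serial = serial
        self._key = authority_key   # plays the role of the fused vendor key
        self.fuse_blown = False
        self.revoked_at = None      # authority time at which revocation was published
        self.last_seen_time = 0     # anti-rollback: signed times must never go backwards

    def _accept(self, msg: bytes, sig: str, kind: str):
        """Return the body if authentic, addressed to this CPU, of the right kind and not stale."""
        expected = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        body = json.loads(msg)
        if body.get("kind") != kind or body.get("serial") != self.serial:
            return None
        if body["time"] < self.last_seen_time:
            return None
        self.last_seen_time = body["time"]
        return body

    def record_revocation(self, msg: bytes, sig: str) -> bool:
        body = self._accept(msg, sig, "revoke")
        if body is None or self.revoked_at is not None:
            return False
        self.revoked_at = body["time"]
        return True

    def try_blow_fuse(self, msg: bytes, sig: str) -> bool:
        """Blow the fuse only on a signed ack stamped at least a week after the revocation."""
        body = self._accept(msg, sig, "ack")
        if body is None or self.revoked_at is None:
            return False
        if body["time"] - self.revoked_at < WEEK:
            return False
        self.fuse_blown = True
        return True

    def attest(self) -> str:
        return "insecure" if self.fuse_blown else "secure"
```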
I don't think this is supposed to secure against someone with physical access.
If they have physical access and are replacing the BIOS, they could just replace the CPU at the same time with a fresh unlocked one that will lock itself to the replacement's signing key on first boot.
That makes a lot of sense. I was really only considering things like persistent malware that flashes the BIOS. I still think it'll get abused eventually to devalue the second hand market, but I can see the appeal security wise.