what has been done when some rogue government agency demands all of there "analytics" under some secret warrant or fishing letter.
TFTFY
Just because I'm 40 years old and can't run an iron man anymore....
"anymore"? Dude this is Slashdot, 99% of us couldn't run down the road, pictures or GTFO.
...they may have made some implementation faults that will allow an attacker to falsely keep their checks happy while still modifying boot files.
Well that to.
The key is probably only useful for signing firmware, probably only for this vendor and possibly only for this chipset, maybe even a single main board.
TFA implies it was for "Ivy bridge" so yeah probably tied to chipset, maybe multiple boards but the point is they've demonstrated something arguably close to gross incompetence, misplacing source code is careless, misplacing the signing key is a different league. This is a commercial product how hard would it be to have the key in two parts, held by two individuals on the dev/release team?
This system is built purely on trust and its gone, I mean, yeah "I'm sure they'll be more careful next time" but sarcasm aside there's no real way for them to demonstrate that.
The truly paranoid might even point out that if someone with the means found the FTP server first they could already have trojaned AMI's build servers (running AMI bioses no doubt) with a root kit tainted bios that produced new tainted bioses during compilation and lo' all AMI bios forever after are hence tainted in a never ending FUBAR circle of doom!!!
With three entire exclamation marks and all assuming it's genuine.
He has not acquired a fortune; the fortune has acquired him. -- Bion