Well this scenario basically needs full secure boot
Yes, that would be the best option. Have you considered crowd-funding such development work? I think there is a large demand for secure boot.
to set up the allowed boot devices in the BIOS and protect the BIOS of the device
Thanks, I appreciate any idea, even ideas that are not secure but just make it harder to break the system. However, protecting the BIOS does not prevent anyone from just mounting the disk in a different PC, and everything is then open.
To protect persistent data I was considering something like:
- Store all persistent data in one or more encrypted files.
- Use the TPM to store the encryption/decryption key.
- In the Docker application container, access the TPM to get the encryption/decryption key.
But is this approach possible and what would it be worth?
I understand that the code that retrieves the encryption/decryption key could be tampered with.
But maybe it’s worth something, if it is obscure enough?
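One concrete way to do the TPM part of the approach above, as an added example that is not from this thread: instead of merely storing the key in the TPM, seal it under a PCR policy, so the TPM only releases it while the measured boot state (firmware, option ROMs, boot manager, Secure Boot policy) matches what it was at provisioning time; a swapped bootloader or disabled Secure Boot changes the PCRs and the unseal fails, which addresses the "tampered retrieval code" worry better than obscurity. It assumes tpm2-tools (4.x or later), a TPM 2.0 exposed as /dev/tpmrm0 (passed into the container with `--device /dev/tpmrm0`), and the PCR selection 0,2,4,7 is my choice, not the thread's.

```shell
#!/bin/sh
# Added example (not from the thread): seal a data-encryption key to the TPM
# bound to a PCR policy. Assumes tpm2-tools >= 4 and /dev/tpmrm0 access.
set -eu

# Constructed PCR selection: 0 = firmware, 2 = option ROMs, 4 = boot manager,
# 7 = Secure Boot policy. Any change to these changes the policy digest.
PCR_BANK="sha256"
PCR_LIST="0,2,4,7"

pcr_spec() { printf '%s:%s' "$PCR_BANK" "$PCR_LIST"; }

# One-time provisioning on the trusted device: create a random 256-bit key and
# seal it under the current PCR values. The plaintext key is deleted afterwards;
# only sealed.pub/sealed.priv (useless without this TPM in this state) remain.
seal_key() {
  d=$1
  tpm2_createprimary -C o -c "$d/primary.ctx" >/dev/null
  tpm2_pcrread -o "$d/pcr.bin" "$(pcr_spec)" >/dev/null
  tpm2_createpolicy --policy-pcr -l "$(pcr_spec)" -f "$d/pcr.bin" \
    -L "$d/policy.digest" >/dev/null
  head -c 32 /dev/urandom > "$d/key.bin"
  # adminwithpolicy without userwithauth: the PCR policy is the only way to
  # unseal; there is no password path to brute-force.
  tpm2_create -C "$d/primary.ctx" -L "$d/policy.digest" -i "$d/key.bin" \
    -u "$d/sealed.pub" -r "$d/sealed.priv" \
    -a "noda|adminwithpolicy|fixedparent|fixedtpm" >/dev/null
  rm -f "$d/key.bin" "$d/pcr.bin" "$d/policy.digest"
}

# At each boot, inside the container: reload the sealed object and unseal.
# Fails (non-zero exit, no key) if the PCRs no longer match the sealed policy.
unseal_key() {
  d=$1; out=$2
  tpm2_createprimary -C o -c "$d/primary.ctx" >/dev/null
  tpm2_load -C "$d/primary.ctx" -u "$d/sealed.pub" -r "$d/sealed.priv" \
    -c "$d/sealed.ctx" >/dev/null
  tpm2_unseal -c "$d/sealed.ctx" -p "pcr:$(pcr_spec)" -o "$out"
}

# Usage: seal once on the trusted device, unseal at every start:
#   sh seal.sh seal /var/lib/tpm-seal
#   sh seal.sh unseal /var/lib/tpm-seal /run/dek.bin   # feed /run/dek.bin to your file encryption
case "${1:-}" in
  seal)   seal_key "$2" ;;
  unseal) unseal_key "$2" "$3" ;;
esac
```

Keep the unsealed key in tmpfs (e.g. /run) and wipe it once the encrypted files are opened; a firmware or bootloader update changes the PCRs, so the key must be re-sealed before rebooting into the updated state.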