Consider the following machine:

  • Dual Boots to two OSes, OS "A" and OS "B"
  • OS "A" is trusted
  • The BIOS is trusted.
  • The root partition of OS "A" is encrypted
  • OS "A" doesn't support secure boot
  • OS "B" is not trusted.
  • shim/refind is installed with secure boot enabled for both

I want to make it so if OS "A" tampers with OS "B" I can find out when running refind.

My idea is to modify the refind source code so that in the menu screen it will print the sha256 hash of each file in the EFI boot directory of OS "B", as well as a combined hash of all the individual hashes.

I think this will allow me to guard against tampering, because if I run OS "A", then afterwards, I can examine the hash of OS "B" within refind to check if it changed.

Is there a flaw in this reasoning?

redfish64
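The check the question proposes, as an added example that is not part of the question or of rEFInd's own source: every file under a boot directory is hashed with SHA-256, and the individual digests are folded into one combined digest. It is plain Python rather than the C a rEFInd patch would need, and it runs against a temporary directory filled with constructed sample files, so no real EFI system partition is touched. The directory layout `EFI/osb/...` and its contents are invented for the demonstration.

```python
"""Per-file SHA-256 digests of a boot directory plus one combined digest,
then a before/after comparison. Added example; the sample tree below is
constructed and stands in for the EFI boot directory of OS "B"."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path):
    """SHA-256 of one file, read in chunks so large loaders are not slurped."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def file_digests(boot_dir):
    """Return {relative_posix_path: sha256hex} for every regular file."""
    root = Path(boot_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def combined_digest(digests):
    """Fold the per-file digests into one value.

    Entries are sorted by path and each path is length-prefixed, so the
    result does not depend on directory enumeration order, and renaming,
    adding or removing a file changes it even if the file bytes do not."""
    h = hashlib.sha256()
    for name, hexd in sorted(digests.items()):
        name_b = name.encode("utf-8")
        h.update(len(name_b).to_bytes(4, "big"))
        h.update(name_b)
        h.update(bytes.fromhex(hexd))
    return h.hexdigest()


def snapshot(boot_dir):
    """What a patched menu screen would display: per-file and combined hashes."""
    d = file_digests(boot_dir)
    return {"files": d, "combined": combined_digest(d)}


def diff_snapshots(before, after):
    """Paths that were added, removed or modified between two snapshots."""
    b, a = before["files"], after["files"]
    return sorted(p for p in set(b) | set(a) if b.get(p) != a.get(p))


def write_tree(base, files):
    """Write {relative_path: bytes} under base (constructed test data)."""
    for rel, data in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


# Constructed sample layout; the file names and bytes are made up.
SAMPLE_TREE = {
    "EFI/osb/bootloader.efi": b"MZ\x90\x00constructed-sample-loader",
    "EFI/osb/config.cfg": b"timeout=5\n",
    "EFI/osb/empty.bin": b"",
}


def demo():
    """Record a baseline, alter one file, and report what the check reveals."""
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(tmp, SAMPLE_TREE)
        baseline = snapshot(tmp)
        # Simulate an unwanted modification of the loader between boots.
        (Path(tmp) / "EFI/osb/bootloader.efi").write_bytes(b"MZ\x90\x00modified")
        after = snapshot(tmp)
        return {
            "combined_changed": baseline["combined"] != after["combined"],
            "changed_files": diff_snapshots(baseline, after),
        }


if __name__ == "__main__":
    print(demo())
```

Two points the code makes explicit that a menu printout alone does not: the combined value must be computed over a canonical ordering with the path bound in, or two different directory states can print the same hash; and the displayed value only detects change relative to a reference you recorded earlier and kept outside the untrusted OS. The check also covers only the files under that one directory, not firmware variables, other partitions or the loader that computes and prints the hash.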