Microsoft will take nearly a year to finish patching new 0-day Secure Boot bug
Fix will eventually render all kinds of older Windows boot media unbootable.
This is going to be painful for some, if not a lot of people.
PSA: Windows Secure Boot fix will render old boot media and backups unbootable
- Thread starter igor_kavinski
- Start date
This is going to be painful for some, if not a lot of people.
VirtualLarry
No Lifer
- Aug 25, 2001
- 56,570
- 10,203
- 126
OUCH!
I have literally boxes full of Linux ISOs to boot from. Are they saying that those will no longer boot, either? MS is blacklisting their EFI loader, presumably by loading revocation files into the BIOS, no? Does that then ONLY allow the MS loader, or also Linux still? Is the Linux loader signed with the compromised MS key that's being revoked?
Also, in the most extreme / worst-case, can we, as users, STILL remove Secure Boot keys/files from BIOS (including the added revocation files), and/or DISABLE Secure Boot, in order to "boot legacy"?
I don't think they are touching the BIOS. Only the EFI partition (the 100MB hidden one).
Seems like a lot of manual crap to do to enable the mitigations. Hope they release an automated tool.
Seems like a lot of manual crap to do to enable the mitigations. Hope they release an automated tool.
VirtualLarry
No Lifer
- Aug 25, 2001
- 56,570
- 10,203
- 126
If that were true, then how would it rendered previously bootable boot media unbootable? I'm pretty sure that they are loading the revocation certs for MS's previous EFI bootloader (that had the exploits) into the BIOS, so future attempt to boot with that bootloader, on that PC/motherboard, fail cert checks.
The question is, does that revoke the key that prior Linux bootloaders used?
From the Microsoft page:
Once that policy file is copied to the EFI partition, all future boot managers will be verified against that. That means previous boot media and likely Linux ISOs/media will fail to boot because THEIR boot managers will be validated against that new policy file. To get them to boot, you would need to clear the EFI partition of your SSD/HDD, at which point the bootable media's temporary EFI partition will be used and it would then boot. That's how I understand it.
In case anyone needs their head spinning:
UEFI boot: how does that actually work, then?
It's AdamW Essay Time again! If you're looking for something short and snappy, look elsewhere. Kamil Paral kindly informs me I'm a chronic sufferer of Graphomania. Always nice to know what's wrong wit
www.happyassassin.net
The EFI System Partition and the Default Boot Behavior
A lot of the time, we talk about creating a partition to serve as the EFI System Partition. This partition is mandated by the UEFI specification for several tasks. Adam covered what’s going on at a relatively high level on his recent blog post, and you should read the whole thing: (from Adam...
blog.uncooperative.org
- Sep 13, 2008
- 8,048
- 2,991
- 146
Does this at all affect those who don't have secure boot enabled? Also, to my knowledge, the article got at least one thing wrong. Secure boot isn't required on Windows 11, it just needs to be supported by firmware settings/hardware. Or did they change this recently?
How to enable Secure Boot on PC to install Windows 11
Windows 11 requires Secure Boot, and in this guide, we'll show you how to check and enable the feature.
www.windowscentral.com
They seem to think it must be enabled. I didn't mess with the default BIOS settings on my Z790 mobo before installing Win11 so maybe they have secure boot enabled by default.
- Sep 13, 2008
- 8,048
- 2,991
- 146
https://support.microsoft.com/en-us...ure-boot-a8ff1202-c0d9-42f5-940f-843abef64fad from MS suppport. Looks there is a lot of misinformation out there saying otherwise, however.
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 24K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes Discussion Threads
- Started by Tigerick
- Replies: 20K
-
-
-
Facebook
Twitter