ESET researchers discovered 11 vulnerable UEFI shim bootloaders signed by Microsoft that allow attackers to bypass UEFI Secure Boot by exploiting decade-old vulnerabilities.
I’d argue this is actually a popular opinion. IMO secureboot has just become a way for Microsoft to leverage it’s position and keep a strangle hold on industries they have no business being in.
The whole kernel level anti-cheat on win11 bullshit in the gaming industry is a good example. Essentially locking games to its platform and willing to sacrifice security to do so at our expense.
This is especially true on computers where it is impossible to change the signing keys. Smartphones, game consoles, many laptops, some desktops, smart TVs, IoT devices, modern cars, etc.
What problem does it create? Its a good tech and we absolutely should be cryptographically verifying the boot process to ensure it hasnt been tampered with.
Because it’s proprietary and in 99% of cases actually means “Windows Boot”, and isn’t very compatible with other OS. Windows is basically in charge of the entire technology and doesn’t have a history of being friendly to other OS.
For a while Linux was completely blocked by this setting, which was yet another technical barrier to getting into Linux because you had to fuck around in your scary UEFI settings otherwise your PC would be soft-bricked after installing Linux. Nowadays it’s slightly supported by some distributions but Microsoft could of course change it at any time.
The way it should work is that during the OS install the OS can ask to have a cert added to the keystore at which point UEFI pops up a screen that says something like:
An application has requested to add a new certificate to secure boot which will allow new software to run at boot up. This usually happens when installing or updating an OS. If you would like to allow this press and hold <5 randomly selected letters> on the keyboard for 5 seconds. If you don’t want to allow this press and hold escape for 3 seconds.
This would at least be a vendor agnostic way of enrolling certificates instead of the MS certificate just always being pre-installed. It should also of course be publicly documented exactly how the process works so everyone can use it.
Problem being, of course, that you can add more certificates, but you can’t revoke the original M$ one. And since it’s vulnerable and you can’t get rid, then these exploits still work and there’s nothing you can do to stop it.
Computers shouldn’t come with Microsoft keys preinstalled to begin with (or an operating system for that matter). Microsoft being able to have Windows preinstalled on the vast majority of non-Apple PCs is how they gained their monopoly in the first place.
Unpopular opinion but I’m dying on this hill. Secure boot creates more problems than it solves.
I’d argue this is actually a popular opinion. IMO secureboot has just become a way for Microsoft to leverage it’s position and keep a strangle hold on industries they have no business being in.
The whole kernel level anti-cheat on win11 bullshit in the gaming industry is a good example. Essentially locking games to its platform and willing to sacrifice security to do so at our expense.
This is especially true on computers where it is impossible to change the signing keys. Smartphones, game consoles, many laptops, some desktops, smart TVs, IoT devices, modern cars, etc.
Only in tech circles, it says secure and that’s enough for most people.
Outside of tech circles most people think secure boot looks something like this
What problem does it create? Its a good tech and we absolutely should be cryptographically verifying the boot process to ensure it hasnt been tampered with.
Because it’s proprietary and in 99% of cases actually means “Windows Boot”, and isn’t very compatible with other OS. Windows is basically in charge of the entire technology and doesn’t have a history of being friendly to other OS.
For a while Linux was completely blocked by this setting, which was yet another technical barrier to getting into Linux because you had to fuck around in your scary UEFI settings otherwise your PC would be soft-bricked after installing Linux. Nowadays it’s slightly supported by some distributions but Microsoft could of course change it at any time.
Further reading: https://wiki.ubuntu.com/UEFI/SecureBoot
The way it should work is that during the OS install the OS can ask to have a cert added to the keystore at which point UEFI pops up a screen that says something like:
This would at least be a vendor agnostic way of enrolling certificates instead of the MS certificate just always being pre-installed. It should also of course be publicly documented exactly how the process works so everyone can use it.
Universal Blue distros do that. For some reason you need to enter a password though.
Problem being, of course, that you can add more certificates, but you can’t revoke the original M$ one. And since it’s vulnerable and you can’t get rid, then these exploits still work and there’s nothing you can do to stop it.
Computers shouldn’t come with Microsoft keys preinstalled to begin with (or an operating system for that matter). Microsoft being able to have Windows preinstalled on the vast majority of non-Apple PCs is how they gained their monopoly in the first place.
You should be able to remove any or all the certs as well, although I could see an argument for requiring you to enter the BIOS to do that.
Was it ever popular?
Popular is the wrong question, the correct question is, how many machines is this default on.