On 12/8/24 08:07, Michael wrote:
> Nice to hear you got your system up & running. If you need/prefer to run with
> Secure Boot enabled, have a look at this guide to help you set it up.
>
> https://wiki.gentoo.org/wiki/Secure_Boot

There's some recent news in relation to Secure Boot that should be
considered: A number of major PC vendors have been shipping
untrusted Platform Keys (PKs) for a long time[1].

I haven't dug into this in too much depth yet, but if you
are not removing factory keys and only using your own
there is a good chance that you are vulnerable.

Worse, even if you remove those keys, a factory reset will
restore them.

There is a tool available to scan firmware bins[2] to see
if your firmware is impacted. It's obviously advertising for
the firm hosting it so take that as you will.

You can also scan EFI variables:

> Devices affected by PKfail will have the Platform Key certificate's
> subject and issuer fields containing the string DO NOT TRUST or DO NOT
> SHIP.

```
# efi-readvar -v PK
Variable PK, length 862
PK: List 0, type X509
    Signature 0, size 834, owner 26dc4851-195f-4ae1-9a19-fbf883bbb35e
        Subject:
            CN=DO NOT TRUST - AMI Test PK
        Issuer:
            CN=DO NOT TRUST - AMI Test PK
```

TL;DR - If you use the default keys you're potentially vulnerable.
If you want to use Secure Boot you should be purging the
manufacturer's PK and installing your own regardless.


1: https://github.com/binarly-io/Vulnerability-REsearch/blob/main/PKfail/BRLY-2024-005.md
2: https://pk.fail/
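The efi-readvar check above can be automated. The following is an added example, not code from the post or from the pk.fail project: it reads the raw PK variable from efivarfs (standard path, assumed mounted), walks the EFI_SIGNATURE_LIST entries, and reports any X.509 entry whose DER bytes contain the "DO NOT TRUST" / "DO NOT SHIP" markers quoted above. The build_pk_variable helper is a constructed test fixture, not something a real system needs.

```python
import struct
import uuid

# Added example, not from the post: walk the EFI_SIGNATURE_LIST entries in the PK
# variable and flag X.509 entries whose DER contains the strings the post quotes.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
PK_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"
MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")

def parse_signature_lists(data: bytes):
    """Yield (signature_type, owner, signature_data) for every entry."""
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or sig_size < 16 or off + list_size > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def find_untrusted_pk(var_bytes: bytes):
    """Owner GUIDs (as strings) of X.509 PK entries carrying a PKfail marker.

    var_bytes is the raw efivarfs file: 4 attribute bytes, then the data.
    The CN is stored as an ASCII-compatible DER string, so a byte search works.
    """
    return [str(owner)
            for sig_type, owner, der in parse_signature_lists(var_bytes[4:])
            if sig_type == EFI_CERT_X509_GUID and any(m in der for m in MARKERS)]

def build_pk_variable(cert_der: bytes, owner: str) -> bytes:
    """Constructed test helper: wrap one cert blob in a PK variable image."""
    sig = uuid.UUID(owner).bytes_le + cert_der
    lst = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig))
    return b"\x27\x00\x00\x00" + lst + sig  # NV | BS | RT | TIME_BASED_AUTH attributes

if __name__ == "__main__":
    try:
        with open(PK_PATH, "rb") as f:
            print(find_untrusted_pk(f.read()) or "no PKfail test-key markers in PK")
    except FileNotFoundError:
        print("PK variable not found; is this a UEFI system with efivarfs mounted?")
```

A hit only tells you the PK is a known test key; an empty result does not prove the rest of the chain (KEK, db) was not shipped with equally untrusted material.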