Hundreds of UEFI products from 10 vendors are susceptible to compromise due to a critical firmware supply-chain issue known as PKfail, which allows attackers to bypass Secure Boot and install malware.
Sounds like this is completely about the preloaded PKs, so if you set up your own secure boot with your own keys then you’re probably fine because you would have cleared out the OEM keys right?
If the bios is locked you can’t modify the enrolled keys - that’s the point. The guide you linked assumes the bios is already set to enroll mode, which requires unlocking it.
The result is that without the bios password (or a bios in default state) you can’t change the settings.
I have my laptop set to only allow booting internal drives and to verify with my own enrolled keys. The only way to bypass it is to use something like ventoy is to unlock the bios and use the one-time boot menu or to enroll their key or sign ventoy with your own key.
Yeah, unfortunately the default state is always to allow enrollment of keys. Think about the thousands of enterprise devices which just got a BIOS password from the IT Dept. And the only change they made to the BIOS was the PXE Boot as a first option. As long as they never disable booting from the USB devices, it will enroll the keys. HP even allows you to get to the Boot Menu and sort of a pre-BIOS menu in the newer devices still with a BIOS password and lock set up.
And I have first hand witnessed way too many to count instances where that is the case.
No matter what vendor, HP, Dell or Lenovo (the 3 main ones used in the enterprise world) allow the enrollment of keys by default, with a locked BIOS by default.
Source: I’m the sysAdmin at a R2 recycler and regularly get thousands of laptops to play with.
Hmm that’s very surprising. Secure boot setup mode is entirely just to enable or disable enrollment of keys, so being able to enroll keys with setup mode off and the bios locked is bizarre. I can say that my dell (xps 9560) does not behave that way - I have to enter bios and explicitly enable setup mode to enroll keys, and setup mode automatically switches back off once you enroll.
If you restore the BIOS to the default settings using the button on the left-most side in the BIOS, and then setup an Administrator password in the Security tab, you’d be able to verify yourself by using a Ventoy flash drive if you want.
Also I feel is important to mention that your BIOS password for that one model of XPS you have can be reset by generating a master key, so I really recommend turning on an option that I cannot remember the name of from the tip of my tongue, but it disables the “master password”, with the disadvantage that if you forget your BIOS password you’d have to replace the motherboard. If I find the name I’ll link it right here.
Edit1:
The option is called Master Password Lockout.
Edit2:
Is worth noting also that resetting the BIOS to default settings and erasing your secure boot keys might render your system unbootable if you use Windows BitLocker.
Sounds like this is completely about the preloaded PKs, so if you set up your own secure boot with your own keys then you’re probably fine because you would have cleared out the OEM keys right?
Right?
UEFI is such a fucking shit show
What’s the point? If even in BIOS locked systems, any user can enroll their own keys and boot off any drive lol
For example: see ventoy documentation.
If the bios is locked you can’t modify the enrolled keys - that’s the point. The guide you linked assumes the bios is already set to enroll mode, which requires unlocking it.
The result is that without the bios password (or a bios in default state) you can’t change the settings.
I have my laptop set to only allow booting internal drives and to verify with my own enrolled keys. The only way to bypass it is to use something like ventoy is to unlock the bios and use the one-time boot menu or to enroll their key or sign ventoy with your own key.
Yeah, unfortunately the default state is always to allow enrollment of keys. Think about the thousands of enterprise devices which just got a BIOS password from the IT Dept. And the only change they made to the BIOS was the PXE Boot as a first option. As long as they never disable booting from the USB devices, it will enroll the keys. HP even allows you to get to the Boot Menu and sort of a pre-BIOS menu in the newer devices still with a BIOS password and lock set up. And I have first hand witnessed way too many to count instances where that is the case.
No matter what vendor, HP, Dell or Lenovo (the 3 main ones used in the enterprise world) allow the enrollment of keys by default, with a locked BIOS by default.
Source: I’m the sysAdmin at a R2 recycler and regularly get thousands of laptops to play with.
Hmm that’s very surprising. Secure boot setup mode is entirely just to enable or disable enrollment of keys, so being able to enroll keys with setup mode off and the bios locked is bizarre. I can say that my dell (xps 9560) does not behave that way - I have to enter bios and explicitly enable setup mode to enroll keys, and setup mode automatically switches back off once you enroll.
If you restore the BIOS to the default settings using the button on the left-most side in the BIOS, and then setup an Administrator password in the Security tab, you’d be able to verify yourself by using a Ventoy flash drive if you want.
Also I feel is important to mention that your BIOS password for that one model of XPS you have can be reset by generating a master key, so I really recommend turning on an option that I cannot remember the name of from the tip of my tongue, but it disables the “master password”, with the disadvantage that if you forget your BIOS password you’d have to replace the motherboard. If I find the name I’ll link it right here.
Edit1: The option is called Master Password Lockout.
Edit2: Is worth noting also that resetting the BIOS to default settings and erasing your secure boot keys might render your system unbootable if you use Windows BitLocker.