Tell HN: Microsoft SecureBoot "Breaking" Changes, Today's Milestone
Microsoft's Patch Tuesday updates KB5041585 and KB5041580 for Windows 10 and 11 fix boot issues with older Linux ISO images and automatically blacklist compromised SecureBoot keys, excluding dual-boot systems.
Microsoft's latest Patch Tuesday updates for Windows 10 and Windows 11 include significant changes related to SecureBoot Advanced Targeting (SBAT). The updates, KB5041585 for Windows 11 and KB5041580 for Windows 10, address various issues, including a fix for older Linux ISO images that may not boot. This rollout represents a step in Microsoft's effort to replace compromised firmware keys that were previously used for SecureBoot. Historically, Linux had to disable SecureBoot to boot on UEFI systems, but with the introduction of Microsoft-signed keys, Linux can now boot with SecureBoot enabled, provided it uses the same keys built into the motherboard. The current updates will automatically initiate a blacklist procedure for compromised keys, which previously required user action. However, it is important to note that this SBAT update will not apply to systems that dual-boot Windows and Linux. Users are advised to check their older ISOs and bootable drives, as they may require adjustments to function correctly with the new SecureBoot settings.
- Microsoft has released updates KB5041585 and KB5041580 for Windows 10 and 11.
- The updates include fixes for older Linux ISO images that may not boot.
- The updates automatically initiate a blacklist procedure for compromised SecureBoot keys.
- The SBAT update does not apply to dual-boot systems with Windows and Linux.
- Users should verify older ISOs and bootable drives for compatibility with new SecureBoot settings.
Related
Microsoft updates the Linux kernel in WSL
Microsoft updates WSL's Linux kernel to version 6.6 after 2.5 years, reducing out-of-tree patches. Available on GitHub, it brings new configs and stable kernel updates, with full integration expected soon.
Microsoft Confirms New Blue Screen Warning for Windows 10 and 11 Users
Microsoft confirmed a new issue affecting Windows 10 and 11 users after the July 2024 Patch Tuesday update, causing devices to boot into a BitLocker recovery screen. A workaround is available.
Secure Boot is completely broken on 200 models from 5 big device makers
Researchers from Binarly found that Secure Boot is compromised on over 200 device models due to a leaked cryptographic key, posing significant security risks until manufacturers issue firmware updates.
Microsoft calls for Windows changes and resilience after CrowdStrike outage
Microsoft is reconsidering security vendor access to the Windows kernel after a CrowdStrike update outage affected 8.5 million PCs, emphasizing the need for improved resilience and collaboration in security practices.
Windows 11 July Update Breaks Bitlocker, Forces Recovery
The July 2024 Windows 11 update KB5040442 has disrupted Bitlocker, causing password issues and forcing users into recovery mode. Microsoft is working on a fix while users are advised to secure recovery keys.
4 commentsThankfully, I solved the problem by removing Windows a couple of years ago. It now lives in a rarely used VM.
If you have a gaming board: Firmware integrity checks are mostly easy bypassable.
If you use a distro's default bootloader scheme: You can compromise the OS pre-login.
The CA that signed the shim, the Microsoft 3rd party CA, sogned all kinds of crap that lets you run whatever you want from that.
The whole shim thing is not about security but having stuff boot smoothly without screwing with bios settings.
If you want it to give you integrity, then you need to roll your own keys and make sure the firmware has no signature check bugs letting one bypass signature checks.
All this is orthogonal to self sovereign systems.
On Intel thats gone. You can't have a secure and sovereign firmware game without extreme extra effort.
The whole secureboot roll your own keys is the next best thing of harm reduction.
If we had some way of making the system actually static and separate from userdata. And a way to boot that prevents any persistent executable code from the userdata part from running. So as to have a clean state. From that on we could bind that state to unlock signing keys to sign the next version of the booted stuff. Then we could have nice security properties minus whatever is bad in the Intel TCB.
Compromise to root would actually be nicely reversible.
Immutable distros exist. But they are not there yet in terms of conditional readonly-ness.
That's why i disable "SecureBoot". It does not bring any security.
Related
Microsoft updates the Linux kernel in WSL
Microsoft updates WSL's Linux kernel to version 6.6 after 2.5 years, reducing out-of-tree patches. Available on GitHub, it brings new configs and stable kernel updates, with full integration expected soon.
Microsoft Confirms New Blue Screen Warning for Windows 10 and 11 Users
Microsoft confirmed a new issue affecting Windows 10 and 11 users after the July 2024 Patch Tuesday update, causing devices to boot into a BitLocker recovery screen. A workaround is available.
Secure Boot is completely broken on 200 models from 5 big device makers
Researchers from Binarly found that Secure Boot is compromised on over 200 device models due to a leaked cryptographic key, posing significant security risks until manufacturers issue firmware updates.
Microsoft calls for Windows changes and resilience after CrowdStrike outage
Microsoft is reconsidering security vendor access to the Windows kernel after a CrowdStrike update outage affected 8.5 million PCs, emphasizing the need for improved resilience and collaboration in security practices.
Windows 11 July Update Breaks Bitlocker, Forces Recovery
The July 2024 Windows 11 update KB5040442 has disrupted Bitlocker, causing password issues and forcing users into recovery mode. Microsoft is working on a fix while users are advised to secure recovery keys.