Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.

Administered by:

Server stats:

290
active users

shakedown.social: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.4

#secureboot

0 posts0 participants0 posts today
Public *
Pope Bob the Unsane

In the adventures of Bob's "Perfect" #Slackware install, I've been struggling to get Secure Boot working on my #Thinkpad x280.

Something seems to be preventing me from loading a custom Platform Key, while none appears loaded, and everything seems 'right' -- #SecureBoot is in Custom / Setup mode.

The unfortunate thing is ... using Secure Boot and signing kernel images and efi executables is not a common practice, and the documentation seems lacking explanations for people with my particular issue; method 1 of using `efi-updatevar` returns an error "Cannot write to PK, wrong filesystem permissions", method 2 -- updating from the #UEFI 'bios' -- is not an option on an x280, and method 3, using KeyTool.efi returns the error "Failed to update variable: (26) Security Violation".

I am wondering if there are some further setup settings that need to be adjusted to allow this operation, if perhaps my pk.auth file is incorrect in some way, if my machine was, from the factory, unable to allow custom Platform Keys, or if someone has modified it since then.

Rabbit holes are a pain in the dick, and now I'm in a position where I'm kinda 'forced' to learn a bit more about the mechanics of Secure Boot, under the hood.

Anyone got some good tips for where to start solving this puzzle?

I have been referencing:

- wiki.gentoo.org/wiki/User:Saka
- wiki.linuxquestions.org/wiki/H

wiki.gentoo.orgUser:Sakaki/Sakaki's EFI Install Guide/Configuring Secure Boot under OpenRC - Gentoo wiki
#Linux#Troubleshooting#Puzzle
Public
Rairii :win3_progman: :win3:

so I got official confirmation from Microsoft that, for bugs in the windows boot environment leading to Secure Boot bypass, fixes are only being backported to the PCA2023-signed bootmgr_ex, not the PCA2011-signed bootmgr.

systems running anything older than Windows 11 24H2 (I think?) are still vulnerable to “patched” bootloader bugs unless you manually install the newer bootloader; of course, if you don’t do that anyway you’re still vulnerable to downgrade attacks! and if you DO manually install the newer bootloader, you get screwed in other ways (specifically not being able to boot from older install media/backups)!

on a related note, MS updated their KB article about similar issues to add the following about when PCA2011 will be revoked for everyone:

The Enforcement Phase will not begin before January 2026, and we will give at least six months of advance warning in this article before this phase begins.

This marks the third time the Enforcement Phase has been pushed back; from “Q1 2024” to July 2024 to October 2024 to “some point after January 2026”. I suspect it will never happen for systems that were not preinstalled with, or that cannot officially run, Windows 11.

support.microsoft.comHow to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support
#Microsoft#Windows#SecureBoot
Replied in thread
Public
Kevin Karhan :verified:

@S_Paternotte @GrapheneOS meanwhile I see #OpenAI literally using falsified #UserAgent|s and #DDoS'ing clients at work so hard I have to ban entire ASNs and /10 networks just because they ca't be assed to respect the robots.txt and refuse to accept beibg given 403 errors.

-Needless to say banning #GrapheneOS which are by far the most security-focussed and most diligent in terms of #Aftermarket-#Android-#ROM|s whilst not banning #outdated Android versions is like banning a "#SecureBoot|ed" #UbuntuLTS or #OpenBSD installation and going out of one's way to brick #Wine whilst still supporting #WindowsXP in 2025!

robotstxt.orgThe Web Robots Pages
#secureboot
Replied in thread
Public
Kevin Karhan :verified:

@ESETresearch @smolar_m thanks for the post and research.

  • Personally, I don't rely on #CensorBoot as I don't trust any #security that violates #KerckhoffsPrinciple, but that's not my decision and being able to attest the security of it or at least have another way to check for it is kinda important.

And yes I refuse to call it "#SecureBoot" because it is not secure by #Microsoft's own admission - otherwise they would've relied on it on the #XboxOne and not just the #Xbox360 !

YouTubeGuarding Against Physical Attacks: The Xbox One Story — Tony Chen, MicrosoftBy Platform Security Summit
#secureboot
Replied in thread
Public
Kevin Karhan :verified:

@puppygirlhornypost2 @navi nodds in agreement the entire #CensorBoot-Stack is literally done to maximize pain and frustration, brick #DualBoot / #MultiBoot setups and is by #Microsoft's own admission inherently & unfixably insecure.

  • As can be seen by the fact that they literally didn't even bother with "#SecureBoot" on the #XboxOne which remains uncracked to this day...
YouTubeGuarding Against Physical Attacks: The Xbox One Story — Tony Chen, MicrosoftBy Platform Security Summit
#secureboot#xboxone
Public
trashHeap :hehim: :verified_gay:

Do you feel like secure boot has done anything to enhance your own personal security, keeping in mind the threat models you yourself worry about?

Or has it been more of a nuisance to you than a help?

Consumer desktop/laptop perspectives only please.

· 148 people · Closed
#linux#bsd#haikuos
Public
Norobiik @Norobiik@noc.social

If your #PC can run #Windows11, it can run #24H2 (also known as the Windows 11 2024 Update). That means you need a fairly recent #CPU and a #TPM 2.0 security chip. Beyond those, the absolute minimum hardware requirements are a 1GHz 2-core CPU, 4GB of #RAM, 64GB of disk space, and #SecureBoot capability.

What’s New in the Windows 11 24H2 Update?
msn.com/en-gb/news/techandscie

www.msn.comMSN
Public
Avoid the Hack! :donor:

Not sure if anyone else has mentioned this, but wanted to add a specific data point to the #Linux and #Windows dualboot problem: it affects USB installs too. Makes sense it covers all bootable media, but experiencing it firsthand kind of sucked. Kind of a doh moment. :ablobcatgoogly:

I have live #Kali and #tails sticks that won’t boot on the Windows machine (get the SBAT error).

Disabling Secure Boot allows it to boot (naturally, it will also boot if I plug it into my Linux machine). The temporary fix from #Microsoft does work. As a note for TAILS users, you can’t run mokutils as sudo (which is needed) unless you enable setting administrator password on boot.

#secureboot
Public
Gabriele Svelto

I've found a lot of conflicting and confusing reports about the #SecureBoot issue caused by a Microsoft update, so here's my relatively informed take about it.

Spoilers: this isn't an issue with GRUB, but with another less known bootloader called shim. GRUB can also be affected though. So let's talk about how the bootchain of a #Linux distro works and what happened to it. 🧵 1/11

Public
Norobiik @Norobiik@noc.social

Tuesday’s update left #DualBoot devices—meaning those configured to run both #Windows and #Linux—no longer able to boot into the latter when #SecureBoot was enforced.

When users tried to load Linux, they received the message: “Verifying shim SBAT data failed: Security Policy Violation. Something has gone seriously wrong".

“Something has gone seriously wrong,” dual-boot systems warn after #Microsoft update
arstechnica.com/security/2024/

Ars Technica · “Something has gone seriously wrong,” dual-boot systems warn after Microsoft updateMicrosoft said its update wouldn't install on Linux devices. It did anyway.
ExploreLive feeds
About