Because by October 2024 many systems may no longer start. Guilty: Secure Boot

By October 2024 at the latest, many things on your computers may no longer start properly: older Windows and Linux installations, the removable media that bundle installation routines and other operating systems, media for restoring backup images, and much more. A sword of Damocles hangs over millions of users because of a change to Secure Boot that Microsoft decided on some time ago and that could have "fatal" consequences.

This is not an unjustified alarm: Microsoft itself, in its support documentation, states that the changes to the boot procedure could prevent the loading of operating systems and other utilities that ship their own bootloader.

What will happen to Secure Boot between now and October 2024, and why so many systems will no longer boot

Secure Boot is a UEFI firmware feature that establishes a trusted boot sequence before the Windows kernel takes over. Now a requirement for installing Windows 11, Secure Boot ensures that only approved, correctly signed software components are loaded while the system starts, blocking malware that targets the boot process (bootkits).

Discovered in early 2023, BlackLotus is the first bootkit seen in the wild to bypass Secure Boot's defenses. It exploited the vulnerability tracked as CVE-2023-24932 to get past Secure Boot's checks. Fixing the problem properly, however, requires revoking the Secure Boot signatures issued over the years under the certificate that the vulnerable boot managers are signed with.

Back in February 2024 we were already talking about a Secure Boot earthquake and the release of new keys: for the first time in 13 years, the Redmond company is preparing to declare untrustworthy the signatures used by the vast majority of commonly used boot software. It is a truly epochal transition, because the signatures issued under the certificate in use since 2011 are relied upon by many legitimate programs that load at startup in order to pass the checks carried out by Secure Boot.

The first problems could occur starting from July 2024

Microsoft's engineers explain that protective measures against the Secure Boot bypass (CVE-2023-24932) are included in the Windows security updates released on April 9, 2024. Microsoft specifies, however, that for the moment these fixes are not enabled automatically, to give users time to verify the actual impact of the changes on their software configurations.

As we anticipated in the article mentioned above, open a PowerShell window (press Windows+X, then choose Windows PowerShell (Admin) in Windows 10 or Terminal (Admin) in Windows 11) and type the statement below: it returns False as long as the new certificate has not been installed in the Secure Boot signature database (db), which is the first step of the revocation process and has not yet taken effect:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'UEFI CA 2023'
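The one-liner above only tells you whether the new certificate has been added to the db. The script below is an added example, not code from the article or from Microsoft's documentation: it also confirms that Secure Boot is actually on (the same state msinfo32 shows under Secure Boot State, so it covers the check described further down as well), and it inspects the forbidden-signature database (dbx) to see whether the old certificate has already been revoked. It assumes that 'Windows UEFI CA 2023' and 'Windows Production PCA 2011' are the subject-name substrings of the new signing CA and of the certificate being revoked, respectively. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not taken from the article or from Microsoft's documentation.
# Reports whether Secure Boot is on, and how far the CVE-2023-24932
# mitigations have progressed on this machine, by inspecting the Secure Boot
# variables. Run from an elevated PowerShell prompt on Windows 10/11.
#
# Assumptions: the two certificate names are the subject-name substrings that
# identify the new signing CA (expected in the db) and the old certificate
# being revoked (expected in the dbx once revocation is enforced).

$NewCaName  = 'Windows UEFI CA 2023'        # new CA that must be trusted (db)
$OldPcaName = 'Windows Production PCA 2011' # old certificate being revoked (dbx)

function Get-SecureBootVariableText {
    # Returns the ASCII-decoded content of a Secure Boot variable ('db' or
    # 'dbx'); certificate subject names survive the decode, which is all the
    # substring match below needs. Returns $null where the cmdlet cannot read
    # the variable (legacy BIOS, or Secure Boot not supported).
    param([Parameter(Mandatory)][string]$Name)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
        return [System.Text.Encoding]::ASCII.GetString($bytes)
    } catch {
        return $null
    }
}

function Get-SecureBootRevocationState {
    # Same check msinfo32 shows as "Secure Boot State"; the cmdlet throws on
    # machines that do not support Secure Boot at all.
    $enabled = $false
    try { $enabled = [bool](Confirm-SecureBootUEFI) } catch { $enabled = $false }

    if (-not $enabled) {
        return [pscustomobject]@{
            SecureBoot  = 'Off or unsupported'
            NewCaInDb   = $false
            OldPcaInDbx = $false
            Assessment  = 'Revocations do not apply to this machine'
        }
    }

    $db  = Get-SecureBootVariableText -Name 'db'
    $dbx = Get-SecureBootVariableText -Name 'dbx'

    $newCaTrusted  = ($null -ne $db)  -and ($db  -match [regex]::Escape($NewCaName))
    $oldPcaRevoked = ($null -ne $dbx) -and ($dbx -match [regex]::Escape($OldPcaName))

    $assessment =
        if ($oldPcaRevoked) {
            'Revocation enforced: boot loaders and media signed only with the 2011 certificate will no longer boot'
        } elseif ($newCaTrusted) {
            'New CA trusted, old certificate not yet revoked: update recovery/installation media now'
        } else {
            'Default state: mitigations not applied yet'
        }

    [pscustomobject]@{
        SecureBoot  = 'On'
        NewCaInDb   = $newCaTrusted
        OldPcaInDbx = $oldPcaRevoked
        Assessment  = $assessment
    }
}

Get-SecureBootRevocationState | Format-List
```

The dbx check is the one that matters for the failures described in this article: as long as OldPcaInDbx is False, media signed only with the old certificate still boot, and you still have time to update them.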

Starting July 9, 2024, Microsoft will begin progressively enabling the Secure Boot revocations as a protective measure against bootkits like BlackLotus. The flip side is that much of the software loaded when the device starts may stop working.

Errors when loading software that uses bootloaders that are no longer approved

Microsoft stresses that you need to act in time to update your recovery and installation media: only then will those tools keep working on devices where the mitigations for CVE-2023-24932 are active. Microsoft's support documentation provides instructions for updating Windows installation media, for example.

Otherwise, as Dell also confirms, errors such as Windows cannot verify the digital signature for this file or Your device needs to be repaired (error code 0xc0e90002) will appear.

Complicating matters, Microsoft notes that applying the anti-BlackLotus measures (and those against similar threats) depends on both the device's UEFI firmware and its Forbidden Signature Database (DBX), the list of signatures the firmware refuses to load. The company has found that some devices cannot be updated, and it is working with manufacturers to roll the changes out to as many products as possible.

Create a backup copy of your BitLocker recovery key: trouble ahead

Furthermore, some devices with BitLocker enabled could enter recovery mode after the Secure Boot revocations are enabled. Users are therefore urged to make sure they have a copy of their BitLocker recovery key available. It can be backed up by typing BitLocker Management in the Windows search box and then clicking the Back up your recovery key link (Pro, Education and Enterprise editions).

The Home editions of Windows do not natively offer a graphical way to manage the BitLocker recovery key. In that case, type cmd in the search box, choose Run as administrator and then enter the following:

manage-bde -protectors -get C:

In place of C:, obviously, indicate the drive letter of the volume encrypted and protected with BitLocker. The command lists the volume's key protectors, including the 48-digit numerical recovery password. Copy the key and keep it somewhere safe, off the encrypted drive itself, because it is what will unlock the volume if problems arise.
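Copying a 48-digit key by hand from console output is error-prone, and on machines with several encrypted volumes it has to be done once per drive. The script below is an added example, not code from the article: it serves both the Pro/Enterprise and the Home-edition cases above, because it relies only on manage-bde, which is present on every edition. It assumes that the output path is a placeholder on a removable drive, that manage-bde prints recovery passwords as eight groups of six digits joined by hyphens, and that manage-bde -status names each volume as "Volume X:". Run it from an elevated PowerShell prompt.

```powershell
# Added example, not taken from the article. Collects the BitLocker numerical
# recovery password of every volume manage-bde knows about and writes them to
# a text file, using only manage-bde (present on Home editions too, unlike the
# BitLocker Control Panel page). Run from an elevated PowerShell prompt.
#
# Assumptions: $OutFile is a placeholder path on a removable drive; manage-bde
# prints recovery passwords as eight groups of six digits joined by hyphens,
# and "manage-bde -status" names each volume as "Volume X:".

$OutFile = 'D:\bitlocker-recovery-keys.txt'   # placeholder; use a USB stick or print the file

function Get-BitLockerRecoveryPasswords {
    # Returns the 48-digit recovery passwords manage-bde lists for one drive
    # (empty for drives that are not encrypted or have no such protector).
    param([Parameter(Mandatory)][string]$Drive)
    $text = (manage-bde -protectors -get $Drive 2>&1 | Out-String)
    $pattern = '\b\d{6}(?:-\d{6}){7}\b'
    [regex]::Matches($text, $pattern) | ForEach-Object { $_.Value } | Select-Object -Unique
}

function Get-BitLockerVolumes {
    # Drive letters that manage-bde reports at all (encrypted or not).
    $status = (manage-bde -status 2>&1 | Out-String)
    [regex]::Matches($status, 'Volume ([A-Z]:)') |
        ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique
}

function Export-BitLockerRecoveryPasswords {
    param([Parameter(Mandatory)][string]$Path)

    $volumes = @(Get-BitLockerVolumes)
    $lines   = @("BitLocker recovery passwords exported $(Get-Date -Format s) from $env:COMPUTERNAME")

    foreach ($v in $volumes) {
        $keys = @(Get-BitLockerRecoveryPasswords -Drive $v)
        if ($keys.Count -eq 0) {
            $lines += "$v : no numerical recovery password (not encrypted, or no recovery password protector)"
        } else {
            foreach ($k in $keys) { $lines += "$v : $k" }
        }
    }

    # Caveat: a key stored on the very volume it unlocks is useless once that
    # volume is locked, so refuse to write to a BitLocker-protected drive.
    $targetDrive  = ([System.IO.Path]::GetPathRoot($Path)).TrimEnd('\')
    $keysOnTarget = @(Get-BitLockerRecoveryPasswords -Drive $targetDrive)
    if ($keysOnTarget.Count -gt 0) {
        throw "$Path is on a BitLocker-protected volume; choose a removable or unencrypted destination"
    }

    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $lines
}

Export-BitLockerRecoveryPasswords -Path $OutFile | Out-Null
Write-Output "Recovery passwords written to $OutFile. Keep this file off the encrypted PC."
```

Do this before the July 9, 2024 updates are installed, not after a device has already dropped into recovery: at that point the only way to read the key is from the copy you made earlier.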

No problem for those who don’t use Secure Boot

Users whose machines boot in legacy BIOS mode, or who have not enabled Secure Boot in their UEFI firmware, are not affected by these boot issues.

Press Windows+R, type msinfo32 and press Enter. With the main section (System Summary) selected, look in the right-hand panel for the Secure Boot State item. If it reads Off, Secure Boot is not enabled; all of the above considerations are irrelevant when Secure Boot is unsupported or not running.

Opening image credit: Copilot Designer.
