Secure Boot disaster around the corner: let’s clarify


Secure Boot is an integral part of the UEFI specification and is designed to prevent unauthorized software from running when your computer starts. Bootkits are threats installed at the level of the bootloader, the program that loads the operating system; they execute before the operating system itself, which makes their detection and removal difficult.

To work, Secure Boot requires your PC to use a UEFI BIOS instead of the old legacy BIOS. If necessary, you can boot the system in UEFI CSM mode (Compatibility Support Module): by doing so, Secure Boot is effectively disabled.

When Secure Boot is active, UEFI transfers control only to bootloaders signed with a certificate stored in the firmware itself. This certificate is generally provided by Microsoft, even for Linux bootloaders. To avoid problems at startup, the open source world relies on a software component called shim, which acts as an intermediary between the firmware (i.e. the UEFI BIOS) and the system to be loaded.

Vulnerabilities discovered in 2023 allowed bootkits such as BlackLotus to disable Secure Boot protection, making it completely ineffective. The direct consequence is that a bootloader signed with a valid certificate no longer guarantees security. Microsoft therefore had to start taking a series of countermeasures.

What Microsoft decided to do to contain Secure Boot vulnerabilities

Microsoft has announced plans to revoke the certificate used so far to sign Secure Boot-compatible Windows bootloaders. A UEFI BIOS with Secure Boot enabled will then no longer recognize the current Windows bootloaders as valid. New bootloaders signed with a new certificate will be needed, and that certificate in turn must be present in the UEFI firmware of each individual machine.

While the measure decided by Microsoft concerns Windows bootloaders, the very ones used every day to start any version and edition of the operating system, it is not yet clear what will happen to the other bootloaders.

A foretold disaster?

We explained why many Windows systems may no longer boot by October 2024. It is Microsoft itself, in document KB5025885, which admits that problems could arise after the revocation of the previous certificate and the distribution of the new one. And it must be said that the updates will arrive through Windows Update, so the changes will be applied without users being aware of what is happening.

The issue is far from trivial because, as highlighted previously, on the one hand the bootloader must be signed with the new certificate, and on the other the UEFI BIOS must in turn be updated to recognize this certificate.

Microsoft can proceed via software, without relying on BIOS updates downloaded from the PC or motherboard manufacturer's website. UEFI UpdateCapsule is a UEFI-supported feature that allows system firmware to be updated in a secure and standardized way. The Redmond company will use exactly this mechanism to update the certificate databases, including the forbidden-signatures database (DBX), on the UEFI BIOS side.

It's unlikely that everything will always go smoothly. The certificate update will not be applied correctly on every firmware (there is already a list of devices with critical issues). Additionally, some security software may block the operation.

How to check which certificates are saved in the UEFI BIOS

No version of Windows integrates a tool that lists the certificates used at the UEFI BIOS level. To check them yourself, press the key combination Windows+X, then choose Terminal (Admin) on Windows 11 or Windows PowerShell (Administrator) on Windows 10.

At this point, the following three commands install a PowerShell cmdlet for retrieving information from the UEFI BIOS (answer “Y” to all prompts and press Enter):

Install-Module -Name UEFIv2
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
Import-Module UEFIv2

(Image: PowerShell UEFI BIOS certificate check)

The following two commands extract the certificates stored in the UEFI BIOS and save them in a text file, which is then opened with Windows Notepad. The .txt file is created in the profile folder of the current user:

Get-UEFISecureBootCerts DB | fl > $env:USERPROFILE\certificati.txt
notepad $env:USERPROFILE\certificati.txt
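As an added example (not code from the original article), the script below reaches the same result without installing a third-party module: the SecureBoot module that ships with Windows exposes Get-SecureBootUEFI, which returns the raw bytes of a Secure Boot variable, and the script parses the EFI_SIGNATURE_LIST structures itself. The GUIDs are the signature types defined in the UEFI specification; the function name, the output field names and the subject-name patterns used at the end (the "Windows UEFI CA 2023" name is the one Microsoft uses in KB5025885) are my own assumptions. It must run in an elevated PowerShell on a UEFI system.

```powershell
# Added example, not part of the original article. Lists the X.509 certificates in the
# Secure Boot db and counts the revocations in dbx using only built-in cmdlets.
# Assumes an elevated PowerShell on a UEFI system; field names below are my own.

# Signature-type GUIDs defined in the UEFI specification
$EfiCertX509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EfiCertSha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-SecureBootSignatureEntries {
    param([Parameter(Mandatory)][ValidateSet('PK','KEK','db','dbx')][string]$Name)

    $bytes  = [byte[]](Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset -lt $bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID, list size, header size, size of each entry
        $type     = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while ($pos -lt $end) {
            # EFI_SIGNATURE_DATA: 16-byte owner GUID followed by the certificate or hash
            $owner = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
            $data  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
            $entry = [pscustomobject]@{
                Variable = $Name; Kind = 'Other'; Owner = $owner
                Subject = $null; NotAfter = $null; Thumbprint = $null
            }
            if ($type -eq $EfiCertX509Guid) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Kind = 'X509'; $entry.Subject = $cert.Subject
                $entry.NotAfter = $cert.NotAfter; $entry.Thumbprint = $cert.Thumbprint
            } elseif ($type -eq $EfiCertSha256Guid) {
                # dbx consists mostly of SHA-256 hashes of revoked binaries
                $entry.Kind = 'SHA256'
                $entry.Thumbprint = ([BitConverter]::ToString($data) -replace '-')
            }
            $entry
            $pos += $sigSize
        }
        $offset = $end
    }
}

if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled on this system.' }

# Certificates the firmware currently trusts for bootloaders
$db = Get-SecureBootSignatureEntries -Name db
$db | Where-Object Kind -eq 'X509' | Format-Table Subject, NotAfter, Thumbprint -AutoSize

# The CA the article says Microsoft will revoke, and its replacement (name as used in KB5025885)
$old = $db | Where-Object { $_.Subject -like '*Windows Production PCA 2011*' }
$new = $db | Where-Object { $_.Subject -like '*Windows UEFI CA 2023*' }
"2011 Windows Production PCA in db: {0}  |  2023 Windows UEFI CA in db: {1}" -f [bool]$old, [bool]$new

# Revocations already applied to this firmware
$dbx = Get-SecureBootSignatureEntries -Name dbx
"dbx holds {0} revoked hashes and {1} revoked certificates" -f `
    @($dbx | Where-Object Kind -eq 'SHA256').Count, @($dbx | Where-Object Kind -eq 'X509').Count
```

Reading db and dbx together is the useful check: a machine is only safely past the transition when the new CA is present in db and the old one has been moved to dbx, and comparing the two before and after an update cycle shows whether the UpdateCapsule-delivered change actually landed on that firmware.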

(Image: Windows bootloader signing certificate)

Find out which certificate the bootloader uses

Although it is not entirely straightforward, there is a method that establishes with certainty which certificate is used to sign the bootloader responsible for loading Windows.

To do this, download the Microsoft Sigcheck utility: on 64-bit Windows systems, just copy the file sigcheck64.exe into the folder c:\sigcheck.

At this point, return to the PowerShell window opened previously with administrator rights, type the command cmd and press Enter. Assuming that the drive letter U: is not associated with any storage medium or partition, issue the following commands:

mountvol U: /s
c:\sigcheck\sigcheck64 -i -h U:\EFI\Boot\Bootx64.efi > %userprofile%\bootloader_cert.txt
mountvol U: /d
notepad %userprofile%\bootloader_cert.txt

Scrolling through Sigcheck's output, we discover that the certificate Microsoft will invalidate is the one called Microsoft Windows Production PCA 2011, which expires in 2026 but will soon be replaced by a new one expiring, presumably, in 2035.

From the first tests, it seems that the new bootloader common to Windows 10 and Windows 11 will have version number 10.0.26089.1001 and be signed with a certificate that expires June 13, 2035.
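The same check can be done with built-in cmdlets instead of Sigcheck. The function below is an added example, not code from the original article: it mounts the EFI System Partition on the same unused drive letter U: the article uses, reads the Authenticode signature of the bootloader with Get-AuthenticodeSignature, walks the certificate chain offline, and reports the file version together with the issuing CA (the certificate that the revocation targets). The function name, its parameters and the output field names are my own; the default file path is the one from the article.

```powershell
# Added example, not part of the original article: read the signing certificate of the
# Windows bootloader on the EFI System Partition with built-in cmdlets instead of Sigcheck.
# Assumptions: elevated PowerShell, U: not in use (as in the article), path as in the article.
function Get-BootloaderSignatureInfo {
    param(
        [string]$DriveLetter  = 'U:',
        [string]$RelativePath = 'EFI\Boot\Bootx64.efi'   # Windows also keeps EFI\Microsoft\Boot\bootmgfw.efi
    )
    mountvol $DriveLetter /s                              # mount the ESP, as in the article
    try {
        $path = Join-Path $DriveLetter $RelativePath
        $sig  = Get-AuthenticodeSignature -FilePath $path
        if (-not $sig.SignerCertificate) { throw "No Authenticode signature found on $path" }

        # Build the chain without network revocation lookups; element 0 is the leaf,
        # element 1 the CA that issued it (e.g. Microsoft Windows Production PCA 2011)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $null = $chain.Build($sig.SignerCertificate)
        $ca = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate } else { $null }

        [pscustomobject]@{
            File         = $path
            FileVersion  = (Get-Item $path).VersionInfo.FileVersion
            SignatureOK  = ($sig.Status -eq 'Valid')
            Signer       = $sig.SignerCertificate.Subject
            IssuingCA    = $ca.Subject
            CANotAfter   = $ca.NotAfter
            CAThumbprint = $ca.Thumbprint
        }
    } finally {
        mountvol $DriveLetter /d                          # always unmount, even on error
    }
}

Get-BootloaderSignatureInfo | Format-List
```

The try/finally matters here: if the file is missing or unsigned, the ESP is still unmounted, so the drive letter is not left attached to the system partition. The IssuingCA field is what to compare against the db contents: a bootloader whose issuing CA is absent from db, or present in dbx, will be refused by the firmware once the revocation is applied.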

Opening image credit: Copilot Designer.
