• Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.

Secure Boot is broken

Ulysses 31

Member
1709926485491-png.25312
 

winjer

Gold Member
ok but i got a file in zip and inside a .cap what to do with it?

Extract that zip file. Take the .cap file and upload it here: https://pk.fail/
Press scan, do the captcha and it will tell you if the keys are ok.

I did that for you:
That UEFI has safe keys.

Binary Risk Intelligence

Scan result: TUF-GAMING-Z690-PLUS-ASUS-3701.CAP
sha256: 755174c9e9cf6d6bb4bd0095519f30756975ad8d92fec910b346df32be21b99d
CLEAN not vulnerable to PKfail
 

GymWolf

Gold Member
One way is to use a program like AFUWIN to dump the uefi.

The easiest way is to go to the manufacturer of your motherboard and download the file of the UEFI version you are using.
Then just upload it to the site and it will compare the keys in that UEFI with the broken keys.

A program like HWinfo or CPUZ will show the version of the current UEFI your PC is using.
hwinfo says that my bios version is the A.A0 dated 01-09-2023, but if i go into the msi site to check there is one with same date but a different name 7D25vAB. (AMI bios)

Is it that one?
 
Last edited:

GymWolf

Gold Member
GymWolf GymWolf

You can also open a terminal and type:
Confirm-SecureBootUEFI
I already checked and it's active.

I did what you did with the bios file check in the site but i'm not sure if i downloaded the right one...

It says it's safe...

Btw i didn't had to unzip the file, i just uploaded the whole zip and it worked.
 
Last edited:

winjer

Gold Member
hwinfo says that my bios version is the A.A0 dated 01-09-2023, but if i go into the msi site to check there is one with same date but a different name 7D25vAB. (AMI bios)

Is it that one?

I don't know. But considering your UEFI is one year old, you should update it.
That way you can get the latest keys and the the new Intel voltage settings.
 

GymWolf

Gold Member
I don't know. But considering your UEFI is one year old, you should update it.
That way you can get the latest keys and the the new Intel voltage settings.
Do you think it's safe to update the bios with my pc in that particular...condition?

I mean, if the date is the same it should be the right file right? how can it be a coincidence?

I did the test with that one and it's safe.

(btw i don't know what those are, i usually don't touch anything relative to voltages)
 
Last edited:

ReBurn

Gold Member
See here for ways to check if you've got Secure Boot enabled.

Personally I don't see the point of Secure Boot in non business environments. The idea of Secure Boot is to prevent a hacker from booting an unrecognized OS/boot loader on your PC or adding custom UEFI boot drivers to your system. Well, for the first issue that hacker must have hands on access to your PC and there's nothing stopping that hacker from booting Windows or Linux from USB since those OSes are of course on the list of approved, safe operating systems. And if someone was able to secretly add malafide UEFI boot drivers on your PC, then you were already hacked.

Secure Boot makes sense in business or government environments where they handle top secret documents. You don't want a hacker to insert a USB drive into a PC, hack the UEFI BIOS and then have the PC run hacking code before the OS has even loaded. There it makes a lot of sense.

The downside of SecureBoot is that the list of approved operating systems is small and it's very, very hard to get on that list. At work I use iPXE as a way to boot multiple OSes from either the HD or the network in examination class rooms. The PC boots from the network, loads the iPXE file and shows a menu. Works great - but only with Secure Boot turned off since the iPXE boot loader is not on the approved list.
The list of approved systems can't be too small if there are over 900 device models that are compromised. This issue is caused by hardware manufacturers leaving common test keys active in the KEK database of their hardware, it really doesn't have anything to do with the operating systems themselves. People also need to be proactive when it comes to applying firmware updates to their PC hardware.

Someone probably doesn't want to be running a modern OS that doesn't support UEFI secure boot, so I'm not sure that your downside is a downside. There's pretty ubiquitous support across major Linux distros and has been for years. Data stolen from compromised PC's plays a huge role in identity theft and fraud. People should be using advanced security afforded by technologies such as TPM and UEFI.
 

winjer

Gold Member
Do you think it's safe to update the bios with my pc in that particular...condition?

I mean, if the date is the same it should be the right file right? how can it be a coincidence?

I did the test with that one and it's safe.

(btw i don't know what those are, i usually don't touch anything relative to voltages)

Your issue is with Windows.
Flashing the UEFI is done inside the UEFI. So there is no problem.
Just make sure that power is on for the whole process.
Check your manual for the correct procedure. Usually it's just a matter of downloading the file, placing it in an USB drive in FAT32.
Reboot into the EUFI and flash the file.
Some motherboards even do all of this automatically, as they can connect to the internet, download the file and update.

Take into consideration that flashing the UEFI will clean every setting.
So you might want to write down or take photos of the UEFI settings that are not at default.
 
Last edited:
Top Bottom