• Is Secure Boot important for security?

    Home » Forums » Newsletter and Homepage topics » Is Secure Boot important for security?

    Author
    Topic
    #2560885

    ON SECURITY By Susan Bradley During the last few months, some chinks have appeared in Secure Boot’s armor as the result of various attacks and vulnera
    [See the full post at: Is Secure Boot important for security?]

    Susan Bradley Patch Lady

    5 users thanked author for this post.
    Viewing 8 reply threads
    Author
    Replies
    • #2560950

      Susan mentions that UEFI gives some degree of security, presumably vs. Legacy boot in the BIOS. I ran into a problem with a dual-Xeon system with Windows 10 Pro. In 12/2022 I lost the ability to boot into Windows. The systrm always booted into a command line with EFI, whatever that is. The only way I could reinstall Windows 10 was by setting BIOS to Legacy/MBR and creating with Rufus a Legacy/MBR Windows installation USB stick.

      While that worked fine and I have my system back with an updated Windows 10 Pro, I am wondering what would happen if I changed BIOS back to UEFI to get a more secure boot. Would I permanently lose the Windows installation?

      • #2561193

        NO!  Do not change from legacy BIOS to UEFI.  Tried it once.  No fun. Unbootable.

        Also, never use a legacy boot flash stick on a UEFI hard drive.  Also not nice.

        1 user thanked author for this post.
    • #2561005

      You didn’t mention if this will work if you use third party anti-virus.  I don’t think so as it mostly disables defender.  Can you check and let us know?  Thanks.

    • #2561041

      In my working environment, I’m not convinced that it is.

      I’m just putting up a new machine, a bare-bones ASUS PN-51. Similar to an Intel NUC, one of those that has lots of stuff bundled with the motherboard, and where I specify memory and storage.

      For this particular installation, I doing it as a Linux installation, and before I got into serious configuration work, I did some playing with more than one Linux distro.  I had no problems installing Ubuntu 22.04, but when I tried installing Mint 21.1, I got conflicts coming from SecureBoot.

      Apparently, the Mint 22.1 installer has new keys on it that are unrecognized.  I guess there are ways of signing an installer, but most of the information out there is pretty cryptic, unless you’re really familiar with both boot processes and signature keys, and how they intersect in UEFI.  I ended up disabling SecureBoot and Mint installs fine — and I don’t know if I’ll get around to reenabling SecureBoot or not.

      I didn’t check, but I suppose that it’s possible that other boot images released since the beginning of 2023 might have similar issues, such as Ubuntu 23.04 or the latest release of Fedora Desktop.  I also didn’t check with an older version of Mint, such as 21.0 or 20.3.

      My sense is that if you’re in an environment where there’s reason to believe the possibility of somebody trying to boot from an unauthorized image, SecureBoot is probably something that you want.  But for a one-off boot used for a system install that you’re not expecting to replace, I’m inclined to think may be more of a problem than a benefit.  It may not be a huge issue if the installer you need is signed correctly and the signature is recognized, but as with my case, if a UEFI isn’t updated recently enough for the installer I want, I’m not going to take the time to try to figure out how to apply the signature myself, and it’s faster/easier to simply disable SecureBoot.

      If the people who consider SecureBoot to be essential for widespread use (especially non-Windows), then it’s necessary to make sure that the signatures of new distros are implemented quickly (at least for the most common Linux distros) and/or there is usable documentation for user-level signing.

      3 users thanked author for this post.
    • #2561192

      Susan,

      My advice to my clients has been consistent for years.  The best anti-virus/anti-malware protection is right between your ears.  Use it regularly before clicking on ANYTHING.

      To underscore this point, my email in the last two days has included bogus Javascript (.js) and Adobe PDF attachments.  Delete and don’t look back.

      2 users thanked author for this post.
      • #2561224

        Affirmative. Keeping some ‘old’ images at hand too, when needed. There are stronger distuptive forces present since the war in eastern Europe. This early morning there was a giant “glitch” in the DNS system resolving IP’s in your part of this globe.

        * _ the metaverse is poisonous _ *
        • This reply was modified 2 weeks, 1 day ago by Fred.
        • #2561239

          References please Fred.

          cheers, Paul

          • #2561257

            References …. , what would you like to know? There are too many variables of security things that can go wrong, leading to too much in doubt (these days). Intel Secure Guard is not proof anymore mostly. ∅Days that are stolen and abused by crooks or darkstates. When the Secured Bootsystem or the Uefi-part of the pc will be infected there is no way to tell when it’s dirty or clean. Sleeping bot-systems are no rarety anymore. So reimaging with a clean (older) image is the only thing to be safe. Even for intelligence people or politicians  when they return from being away.

            This very early morning there was a major/huge DNSresolving failure (about 7 minutes) for addresses in your part. You tell me what caused it.

            * _ the metaverse is poisonous _ *
            • #2561504

              7 minute DNS glitch could just have been a local ISP and it would need to be hours for it to be major.
              You still haven’t told us where you got this information?

              cheers, Paul

    • #2561338

      Is there a description of the means by which this UEFI malware would make its way onto the affected PC?

    • #2561601

      If the person is close enough to the target machine to run custom boot then they are close enough to log into uefi settings and turn off secure boot.  I don’t think it’s secure at all in the sense of protecting the user.  The security it protects is mircrosoft marketshare by limiting linux boots and installs.  Turning it off is one of the first things I do with a new pc.

      1 user thanked author for this post.
    • #2562147

      Has anyone had any problems updating in May with Bitlocker enabled? I have Windows 10 Home .. with Bitlocker. I wanted to find out if there have been any problems reported before I update. Any info would be greatly appreciated.

      • #2562172

        You have a Home with bitlocker?  The updates don’t impact bitlocker especially if you don’t run the manual scripts.

        Susan Bradley Patch Lady

        • #2562309

          Yes, I have a Home version with Bitlocker. I have to run the command to disable it when updating BIOS firmware.

          I read that BSOD has been reported so i wanted to know if i had to disable it.

        • #2562350

          …You have a Home with bitlocker?

          Hi Susan:

          Just an FYI that there was a discussion about the difference between Win 10 Pro BitLocker Drive Encryption vs Win 10 Home Device Encryption in Linda2019’s June 2020 topic BitLocker Drive Encryption Change.

          One of the articles I linked to in that 2020 topic refers to Win 10 Home Device Encryption as a “subset of BitLocker” but I did find one Dell support article at Automatic Windows Device Encryption or BitLocker on Dell Computers that states “BitLocker device encryption is supported on a broad range of devices, including those that meet Modern Standby standards and devices that run Windows 10 Home edition or Windows 11“,  which blurs the distinction between Bitlocker Disk Encryption and Drive Encryption.  I also found multiple users with a Win 10 Home OS reporting that  Disk Management (diskmgmt. msc) showed that their disk partitions were already “BitLocker encrypted” when their Dell computer shipped from the factory – see Windows 10 Home BitLocker Encrypted in the Dell forum for one example.

          I’m still not clear what encryption method Linda2019 is currently using on their Win 10 Home machine, but it sounds like they can run a manage-bde command from an elevated command prompt to temporarily suspend their encryption before a BIOS update.
          ————–
          Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.2965 * Firefox v113.0.2 * Microsoft Defender v4.18.2304.8-1.1.20300.3 * Malwarebytes Premium v4.5.29.268-1.0.2022 * Macrium Reflect Free v8.0.7279

          2 users thanked author for this post.
          • #2562386

            We had some users on the forum with Dell and HP Windows home PC with Bitlocker on.
            Some didn’t know they have Bitlocker enabled, some found out after getting request for Bitlocker key….

    • #2562168

      Will it still be possible to turn Secure Boot off after all of Microsoft’s patches to fix Secure Boot come out over the next several months?

      I have a couple Win 10 Pro computers that I want to dual boot with Linux Mint and want Secure Boot off.

    • #2562382

      You still haven’t told us where you got this information?

      I will not. There are things one doesn’t share.

      * _ the metaverse is poisonous _ *
    Viewing 8 reply threads
    Reply To: Is Secure Boot important for security?

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: