Is Secure Boot important for security?

Topic

New Reply

ON SECURITY By Susan Bradley During the last few months, some chinks have appeared in Secure Boot’s armor as the result of various attacks and vulnera
[See the full post at: Is Secure Boot important for security?]

Susan Bradley Patch Lady

5 users thanked author for this post.

fisher75, Norio, DLivesInTexas, lmacri, Alex5723

Reply | Quote

Replies

Susan mentions that UEFI gives some degree of security, presumably vs. Legacy boot in the BIOS. I ran into a problem with a dual-Xeon system with Windows 10 Pro. In 12/2022 I lost the ability to boot into Windows. The systrm always booted into a command line with EFI, whatever that is. The only way I could reinstall Windows 10 was by setting BIOS to Legacy/MBR and creating with Rufus a Legacy/MBR Windows installation USB stick.

While that worked fine and I have my system back with an updated Windows 10 Pro, I am wondering what would happen if I changed BIOS back to UEFI to get a more secure boot. Would I permanently lose the Windows installation?

Reply | Quote

NO!  Do not change from legacy BIOS to UEFI.  Tried it once.  No fun. Unbootable.

Also, never use a legacy boot flash stick on a UEFI hard drive.  Also not nice.

1 user thanked author for this post.

cmar6

Reply | Quote

You didn’t mention if this will work if you use third party anti-virus.  I don’t think so as it mostly disables defender.  Can you check and let us know?  Thanks.

• Block executable files from running unless they meet a prevalence, age, or trusted list criterion
• Block Office applications from creating executable content.

Reply | Quote

Update:  If you use a third-party antivirus tool, you will not be able to use ASR rules as they work only with Defender.   Microsoft makes it incredible difficult to implement and provides deficient instructions.  This page is helpful: https://www.csoonline.com/article/3597407/how-to-use-windows-defender-attack-surface-reduction-rules.html

1 user thanked author for this post.

Cybertooth

Reply | Quote

In my working environment, I’m not convinced that it is.

I’m just putting up a new machine, a bare-bones ASUS PN-51. Similar to an Intel NUC, one of those that has lots of stuff bundled with the motherboard, and where I specify memory and storage.

For this particular installation, I doing it as a Linux installation, and before I got into serious configuration work, I did some playing with more than one Linux distro.  I had no problems installing Ubuntu 22.04, but when I tried installing Mint 21.1, I got conflicts coming from SecureBoot.

Apparently, the Mint 22.1 installer has new keys on it that are unrecognized.  I guess there are ways of signing an installer, but most of the information out there is pretty cryptic, unless you’re really familiar with both boot processes and signature keys, and how they intersect in UEFI.  I ended up disabling SecureBoot and Mint installs fine — and I don’t know if I’ll get around to reenabling SecureBoot or not.

I didn’t check, but I suppose that it’s possible that other boot images released since the beginning of 2023 might have similar issues, such as Ubuntu 23.04 or the latest release of Fedora Desktop.  I also didn’t check with an older version of Mint, such as 21.0 or 20.3.

My sense is that if you’re in an environment where there’s reason to believe the possibility of somebody trying to boot from an unauthorized image, SecureBoot is probably something that you want.  But for a one-off boot used for a system install that you’re not expecting to replace, I’m inclined to think may be more of a problem than a benefit.  It may not be a huge issue if the installer you need is signed correctly and the signature is recognized, but as with my case, if a UEFI isn’t updated recently enough for the installer I want, I’m not going to take the time to try to figure out how to apply the signature myself, and it’s faster/easier to simply disable SecureBoot.

If the people who consider SecureBoot to be essential for widespread use (especially non-Windows), then it’s necessary to make sure that the signatures of new distros are implemented quickly (at least for the most common Linux distros) and/or there is usable documentation for user-level signing.

3 users thanked author for this post.

Cybertooth, Fred, DLivesInTexas

Reply | Quote

Susan,

My advice to my clients has been consistent for years.  The best anti-virus/anti-malware protection is right between your ears.  Use it regularly before clicking on ANYTHING.

To underscore this point, my email in the last two days has included bogus Javascript (.js) and Adobe PDF attachments.  Delete and don’t look back.

2 users thanked author for this post.

geekdom, Fred

Reply | Quote

[Fred]

Affirmative. Keeping some ‘old’ images at hand too, when needed. There are stronger distuptive forces present since the war in eastern Europe. This early morning there was a giant “glitch” in the DNS system resolving IP’s in your part of this globe.

* _ the metaverse is poisonous _ *

• This reply was modified 1 week ago by Fred.

Reply | Quote

References please Fred.

cheers, Paul

Reply | Quote

References …. , what would you like to know? There are too many variables of security things that can go wrong, leading to too much in doubt (these days). Intel Secure Guard is not proof anymore mostly. ∅Days that are stolen and abused by crooks or darkstates. When the Secured Bootsystem or the Uefi-part of the pc will be infected there is no way to tell when it’s dirty or clean. Sleeping bot-systems are no rarety anymore. So reimaging with a clean (older) image is the only thing to be safe. Even for intelligence people or politicians  when they return from being away.

This very early morning there was a major/huge DNSresolving failure (about 7 minutes) for addresses in your part. You tell me what caused it.

* _ the metaverse is poisonous _ *

Reply | Quote

7 minute DNS glitch could just have been a local ISP and it would need to be hours for it to be major.
You still haven’t told us where you got this information?

cheers, Paul

Reply | Quote

Is there a description of the means by which this UEFI malware would make its way onto the affected PC?

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Reply | Quote

https://www.askwoody.com/forums/topic/blacklotus-uefi-bootkit-myth-confirmed-bypasses-all-windows-11-securities/#post-2558406

1 user thanked author for this post.

Cybertooth

Reply | Quote

Thanks for that.

So, would disabling remote services on the PC take care of this concern? It sounds like there may be much simpler cures than Microsoft’s proposed approach. Susan talked about not downloading drivers from unofficial sources; I’m not sure how this idea comes into play in the current scenario, but if it’s a question of avoiding dubious driver downloads, then there are any number of measures that one can take to filter them out: a good AV (to screen them during downloading) and VirusTotal (to screen them after downloading) come to mind right away.

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Reply | Quote

The standard protections always work.
Don’t download things you don’t know from sites that may not be reliable.
Always scan downloads before running them.
Have an image backup.
Etc.

cheers, Paul

Reply | Quote

If the person is close enough to the target machine to run custom boot then they are close enough to log into uefi settings and turn off secure boot.  I don’t think it’s secure at all in the sense of protecting the user.  The security it protects is mircrosoft marketshare by limiting linux boots and installs.  Turning it off is one of the first things I do with a new pc.

1 user thanked author for this post.

Cybertooth

Reply | Quote

Has anyone had any problems updating in May with Bitlocker enabled? I have Windows 10 Home .. with Bitlocker. I wanted to find out if there have been any problems reported before I update. Any info would be greatly appreciated.

Reply | Quote

You have a Home with bitlocker?  The updates don’t impact bitlocker especially if you don’t run the manual scripts.

Susan Bradley Patch Lady

Reply | Quote

Yes, I have a Home version with Bitlocker. I have to run the command to disable it when updating BIOS firmware.

I read that BSOD has been reported so i wanted to know if i had to disable it.

Reply | Quote

Susan Bradley wrote:

…You have a Home with bitlocker?

Hi Susan:

Just an FYI that there was a discussion about the difference between Win 10 Pro BitLocker Drive Encryption vs Win 10 Home Device Encryption in Linda2019’s June 2020 topic BitLocker Drive Encryption Change.

One of the articles I linked to in that 2020 topic refers to Win 10 Home Device Encryption as a “subset of BitLocker” but I did find one Dell support article at Automatic Windows Device Encryption or BitLocker on Dell Computers that states “BitLocker device encryption is supported on a broad range of devices, including those that meet Modern Standby standards and devices that run Windows 10 Home edition or Windows 11“,  which blurs the distinction between Bitlocker Disk Encryption and Drive Encryption.  I also found multiple users with a Win 10 Home OS reporting that  Disk Management (diskmgmt. msc) showed that their disk partitions were already “BitLocker encrypted” when their Dell computer shipped from the factory – see Windows 10 Home BitLocker Encrypted in the Dell forum for one example.

I’m still not clear what encryption method Linda2019 is currently using on their Win 10 Home machine, but it sounds like they can run a manage-bde command from an elevated command prompt to temporarily suspend their encryption before a BIOS update.
————–
Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.2965 * Firefox v113.0.2 * Microsoft Defender v4.18.2304.8-1.1.20300.3 * Malwarebytes Premium v4.5.29.268-1.0.2022 * Macrium Reflect Free v8.0.7279

2 users thanked author for this post.

oldfry, Alex5723

Reply | Quote

We had some users on the forum with Dell and HP Windows home PC with Bitlocker on.
Some didn’t know they have Bitlocker enabled, some found out after getting request for Bitlocker key….

Reply | Quote

Will it still be possible to turn Secure Boot off after all of Microsoft’s patches to fix Secure Boot come out over the next several months?

I have a couple Win 10 Pro computers that I want to dual boot with Linux Mint and want Secure Boot off.

Reply | Quote

Yes.

Susan Bradley Patch Lady

1 user thanked author for this post.

DrBonzo

Reply | Quote

Paul T wrote:

You still haven’t told us where you got this information?

I will not. There are things one doesn’t share.

* _ the metaverse is poisonous _ *

Reply | Quote