Secure Boot is completely broken on 200+ models from 5 big device makers

Keys were labeled "DO NOT TRUST." Nearly 500 device models use them anyway.

5 comments

I have yet to see a good implementation of Secure Boot, and that's just from a user interface standpoint.

How can I check which keys are installed in the EFI/BIOS UI? And then delete a specific key? I only ever saw options like "reset to factory settings".

Factory settings are just Microsoft's keys most of the time, and often there's no way to delete/not trust Microsoft's keys.

The whole system is way too intransparent. May as well turn it off.
- Yeah, the only thing I've ever seen is the MOK management thingy your bios will throw you into if something wants to add a new key, but iirc that can only list the key you're about to add, not all of them. I also have no idea how you get to that menu without adding a new key.
  
  I still get issues with efi. I hate these things honestly.
So basically secure boot as usual? Or is there something new here?
- The new bit is essentially that a bunch of vendors have been using test keys in production hardware, mostly enterprise hardware, and nobody has implemented key clustering or rotation like the original design spec recommended.
  
  Beyond that, the older news is the legitimate production key compromise, stored online behind a four character password. But this one’s not as big an issue as most of the implicated hardware is already EOL and no longer in use.