Matthew Garrett ([personal profile] mjg59) wrote2013-04-05 16:11
Entry tags:

Update on leaked UEFI signing keys - probably no significant risk

According to the update here, the signing keys are supposed to be replaced by the hardware vendor. If vendors do that, this ends up being uninteresting from a security perspective - you could generate a signed image, but nothing would trust it. It should be easy enough to verify, though. Just download a firmware image from someone using AMI firmware, pull apart the capsule file, decompress everything and check whether the leaked public key is present in the binaries.

The real risk here is that even if most vendors have replaced that key, some may not have done. There's certainly an argument that shipping test keys at all increases the probability that a vendor will accidentally end up using those rather than generating their own, and it's difficult to rule out the possibility that that's happened.
A good heuristic is to check the serial number of your BIOS and any other hardware IDs you can find. Is it something random-looking, something serial-number-ish like 1000056420, or an obviously-fake entry like 1000000001 or 123456789?

If it looks random, search the web: if Google finds one of "your" UUIDs, it's hardly unique and the vendor is a lazy bastard who should know better.

Re: Serial numbers

(Anonymous) 2013-04-06 06:45 (UTC)(link)
Apparently, logging in with OpenID is not exactly well-supported here …

(Anonymous) 2013-04-11 01:27 (UTC)(link)
The PK cert that comes with the Z77 I have is issued by "DO NO TRUST - AMI Test PK"