Power management, mobile and firmware developer on Linux. Security developer at nvidia. Ex-biologist. Content here should not be interpreted as the opinion of my employer. Also on Mastodon and Bluesky.
Re: Here we go again.
Date: 2018-04-06 09:16 pm (UTC)
Really, pull the other one, it plays jingle bells.
http://www.linuxjournal.com/content/take-control-your-pc-uefi-secure-boot
Anything Microsoft has enabled with their KEK they can disable with a Windows update pushing out an update to dbx via Windows Update that disables it. Yes, just claim that the shim has a security fault and disable it. Also, the KEK that signs the shim is not one of the ones you need to boot Windows. Microsoft installs their own OS KEKs as well.
The reality is the shim should only be used for install, and after that you should really take control: replace the PK and update the KEK list. If the system is not going to run Windows, remove the Microsoft KEKs to reduce attack surface area.
Really, it does not make very much sense to enable lockdown while depending on shim/MOK. Once you have installed your own KEK you have control of the dbx and cannot be locked out of the system as simply.
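The step the comment above argues for (knowing which KEKs are actually enrolled, and what a pushed dbx update contains, before deciding to replace the PK or drop the Microsoft KEK) needs a reader for the EFI_SIGNATURE_LIST format in which PK, KEK, db and dbx are stored. The following Python is an added example, not code from the post, its author or the blog: it parses that format, lists the signature owners, and flags any owner outside a trusted set. It runs offline against constructed sample data; the efivarfs path, the EFI_GLOBAL_VARIABLE and image-security-database variable GUIDs, the signature-type GUIDs and the Microsoft SignatureOwner GUID are the standard published values, while MY_OWNER is a made-up placeholder for an owner's own KEK.

```python
"""Audit UEFI signature databases (PK/KEK/db/dbx) stored as EFI_SIGNATURE_LISTs.

Added example for auditing which keys are enrolled before taking over Secure Boot.
"""
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509: "x509", EFI_CERT_SHA256: "sha256"}

# Variable namespaces: PK/KEK live under EFI_GLOBAL_VARIABLE, db/dbx under the
# image security database GUID. efivarfs prefixes each file with 4 attribute bytes.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# SignatureOwner GUID Microsoft uses in the KEK/db/dbx entries it ships.
MS_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
# Placeholder owner GUID standing in for the machine owner's own KEK (constructed).
MY_OWNER = uuid.UUID("00000000-1111-2222-3333-444444444444")

HEADER_LEN = 28  # SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)


def read_efivar(name, namespace):
    """Read a variable's data from efivarfs, dropping the 4 leading attribute bytes."""
    with open(f"/sys/firmware/efi/efivars/{name}-{namespace}", "rb") as f:
        return f.read()[4:]


def parse_esl(blob):
    """Return [(type_name, owner_uuid, data)] for every entry in a chain of lists."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # EFI GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size <= 16:  # every signature starts with a 16-byte owner GUID
            raise ValueError("bad SignatureSize")
        body = blob[off + HEADER_LEN + hdr_size:off + list_size]
        if len(body) % sig_size != 0:
            raise ValueError("list body is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                            owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def foreign_owners(entries, trusted_owners):
    """Owners present in the database that are not in the trusted set."""
    return sorted({owner for _, owner, _ in entries if owner not in trusted_owners}, key=str)


def build_esl(sig_type, owner, items):
    """Build one EFI_SIGNATURE_LIST; used here only to construct sample data."""
    if len({len(d) for d in items}) != 1:
        raise ValueError("all signatures in one list must have the same size")
    body = b"".join(owner.bytes_le + d for d in items)
    header = sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, 16 + len(items[0]))
    return header + body


# Constructed sample KEK: one Microsoft-owned cert entry and one owner-enrolled cert
# entry (stand-in DER bytes, one list per cert because X.509 sizes differ).
SAMPLE_KEK = (build_esl(EFI_CERT_X509, MS_OWNER, [b"\x30\x82" + b"\x00" * 40])
              + build_esl(EFI_CERT_X509, MY_OWNER, [b"\x30\x82" + b"\x11" * 20]))
# Constructed sample dbx: two SHA-256 hashes pushed under the Microsoft owner GUID.
SAMPLE_DBX = build_esl(EFI_CERT_SHA256, MS_OWNER, [bytes([1]) * 32, bytes([2]) * 32])


if __name__ == "__main__":
    for name, blob in (("KEK", SAMPLE_KEK), ("dbx", SAMPLE_DBX)):
        entries = parse_esl(blob)
        print(f"{name}: {len(entries)} entries")
        for kind, owner, data in entries:
            print(f"  {kind:6} owner={owner} bytes={len(data)}")
        print(f"  owners outside trusted set: {foreign_owners(entries, {MY_OWNER})}")
```

On a live system, replace the samples with `read_efivar("KEK", EFI_GLOBAL_VARIABLE)` and `read_efivar("dbx", EFI_IMAGE_SECURITY_DATABASE)` (root is needed to read efivarfs). An empty `foreign_owners` result for KEK with your own owner GUID in the trusted set is the state the comment describes: only keys you control can authorise further db/dbx changes.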