no subject
Date: 2021-06-08 06:28 am (UTC)
I'll single out 2018-2019-2020-2021 Asus Vivobook 15s as my first example.
Out of the box, Secure Boot is enabled.
They have Microsoft's Secure Boot signing key, as well as Canonical's.
Booting Ubuntu's grub from a flash drive starts up normally; no writes are blocked post kernel-boot, unless you've tinkered with the squashfs, which merely has a hash value 'protecting' it from inadvertent corruption in the download process. A message will be printed during boot if it doesn't match, suggesting you might "encounter errors", and only if the bootsplash is suppressed via the kernel command line.
Each of these will result in different PCR values, so if the disk is encrypted, the keys to decrypt it will probably fail to be unsealed. This is generally not a problem in my case, as I'm prepping the machine's components for resale, not sniffing for secrets.
There is no indication via EFI Event logs that a boot from alternative media has been attempted or succeeded, that I have been able to note.
This also does not require the device to be a USB Mass Storage Class hard disk / flash disk: so long as the ISO image has the signed grub in the right place, it will boot from optical media or virtual optical media.
As another example, I commonly breach Secure Boot-enabled Linux appliances based on Supermicro motherboards and LSI Logic storage controllers, clearing out vendor firmware back to clean Supermicro firmware in the process.
Again, since I'm not after the data itself, I am generally able to operate unimpeded; convince the firmware to launch FreeDOS by hook or by crook (usually these appliances have grub bootloaders and the menu can be rewritten to launch memdisk with a hard disk image hooked at :80) and run the good ol' AMI firmware flash tools, which will put the ME into recovery mode and stuff some EFI update capsules down its throat.
A quick ATA Secure Erase cycle later, and the off-lease equipment is successfully debranded and ready to go back out in the wild.
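The commenter's point that a boot from alternative media "will result in different PCR values" so sealed keys fail to unseal, as an added illustration that is not part of the original comment: a simulated TPM 2.0 PCR replay over constructed stand-ins for the measured EFI binaries (the blob contents, the PCR 4 event list and the function names are assumptions), showing that a validly signed but different grub still changes the PCR and how a log replay pinpoints the divergent binary.

```python
import hashlib

# Simulated TPM 2.0 PCR extend: PCR_new = SHA-256(PCR_old || SHA-256(event)).
# Constructed example (not from the original comment): replays a measured-boot
# event log for PCR 4 (boot-manager / loaded EFI binaries) and checks whether
# the resulting value still matches what a disk-encryption key was sealed to.

PCR_INIT = bytes(32)  # PCRs 0-15 start as all zeros before the first extend


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def replay_pcr(events):
    """Replay a list of (description, binary_bytes) events into a PCR value."""
    pcr = PCR_INIT
    for _desc, blob in events:
        pcr = sha256(pcr + sha256(blob))
    return pcr


# Constructed stand-ins for the EFI binaries the firmware measures into PCR 4.
# The shim is the same Canonical-signed binary in both paths; grub and the
# kernel differ, which is enough to change the final PCR value.
INSTALLED_BOOT = [
    ("shimx64.efi (installed OS)", b"shim-v15.4"),
    ("grubx64.efi (installed OS)", b"grub-installed"),
    ("vmlinuz (installed OS)", b"kernel-installed-5.11"),
]
LIVE_USB_BOOT = [
    ("shimx64.efi (Ubuntu live)", b"shim-v15.4"),
    ("grubx64.efi (Ubuntu live)", b"grub-live-iso"),
    ("vmlinuz (Ubuntu live)", b"kernel-live-5.11"),
]


def sealed_policy_matches(sealed_pcr: bytes, events) -> bool:
    """True if the replayed PCR equals the value the key was sealed against,
    i.e. the TPM would release the key for this boot path."""
    return replay_pcr(events) == sealed_pcr


def first_divergent_event(expected_events, observed_events):
    """Description of the first measured binary whose digest differs, which is
    what an auditor replaying the event log would report; None if identical."""
    for (_exp_desc, exp_blob), (obs_desc, obs_blob) in zip(expected_events, observed_events):
        if sha256(exp_blob) != sha256(obs_blob):
            return obs_desc
    if len(expected_events) != len(observed_events):
        return "event count differs"
    return None
```

Signature validity under Secure Boot plays no part in the replay: every loaded binary is measured regardless, so a live-media grub that the firmware happily accepts still produces a PCR the sealed key was never bound to.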
Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.