A new key was issued in 2023, but it might not be well-supported ahead of the original key's expiration.
  • Ooops@feddit.org
    5·
    2 hours ago

    The actual problem is (and has been for a long time) the enormous amount of absolute trash-level uefi implementations.

    Updating keys is easy. Alas… a lot of them are completely broken beyond repair and fail everything but running with the pre-installed keys, which includes updating (or adding new) keys (bonus points for the really screwed up devices that even sign some their own hardware with the pre-installed MS keys thus bricking themselves if those keys are changed).

  • kbal@fedia.io
    10·
    5 hours ago

    manufacturers could add support for the new key by updating the KEK database

    Oh right, the KEK database. They are literally trolling us aren’t they.

    • Badabinski@kbin.earth
      14·
      6 hours ago

      I mean, Secure Boot does actually help defend against evil maid attacks if paired with FDE. Someone can’t just fuck with your /boot (CVE-2016-4484 nonwithstanding) to do naughty things with your system if you have Secure Boot enabled. Does that fit with most people’s threat model? I dunno, probably not. It does actually do something useful though.

      My work computer has it enabled and I feel better for it. The issue described in the article is easily dealt with if you just keep up with your firmware updates using fwupd.

      • Maiq@lemy.lol
        2·
        49 minutes ago

        Just so I have this right, fwupd will update the firmware with the new keys. Just fuzz on if you have to create a new secure-boot key yourself?