Rairii (@Rairii@haqueers.com)

decided to throw securebootai.dll (from latest germanium build) into IDA, was not disappointed

there's a list of systems where db/dbx updates aren't attempted, that being:

  • any (amd64) apple system (those with secure boot just hardcode db/dbx, without the ability to update it, right?)
  • fujitsu FJNBB38
  • a big list of HP systems: 83D5, 83DA, 83DD, 83E7, 83E8, 83E9, 8401, 8460, 8461, 8462, 8463, 8464, 8584, 8589, 8617, 8618, 8619, 8620, 869B, 86A3, 86A5, 86A8, 870B, 870C, 870F, 8710, 8711, 8712, 8713, 8714, 8715, 8717, 8718, 8719, 871A, 871B, 871C, 8723, 8724, 8725, 872B, 872C, 872D, 872E, 8736, 874D, 874E, 874F, 8750, 8751, 8752, 8753, 8754, 8755, 8760, 876D, 8779, 877D, 8780, 8783, 87EC, 880F, 8810, 882C, 882D, 8830, 8835, 8836, 885C, 887E
  • and any HP system where its custom protection against performing db/dbx updates is enabled

also:

the file doesn't exist right now, but there's code (behind a registry(?) flag) to apply "dbxupdate2024.bin", and debug strings imply that would revoke the PCA 2011 cert entirely! (GetSecureBootUpdateFilePathPCA2011RevokeDBX)

i expected that to be done, but only on new systems, fun (given that it's behind a flag it may well happen only on new systems)
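To make the db/dbx talk above concrete, here is an added example (not code from the post or from securebootai.dll) that parses the raw EFI_SIGNATURE_LIST payload a dbx variable or a dbx update carries, and checks whether a given SHA-256 hash is revoked. It assumes the input is the bare ESL data (e.g. the efivarfs dbx file with its 4-byte attribute prefix stripped; a signed dbxupdate*.bin additionally carries an EFI_VARIABLE_AUTHENTICATION_2 header that must be skipped first), and the sample blob below is constructed.

```python
import struct
import uuid

# Signature type GUIDs from the UEFI spec (standard values, not taken from the post)
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
ESL_HDR = 28  # EFI_GUID + SignatureListSize + SignatureHeaderSize + SignatureSize


def parse_esl(blob: bytes):
    """Walk concatenated EFI_SIGNATURE_LISTs; return (type, owner, data) tuples."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < ESL_HDR or end > len(blob):
            raise ValueError("bad SignatureListSize")
        pos = off + ESL_HDR + hdr_size
        if sig_size < 16 or (end - pos) % sig_size:
            raise ValueError("bad SignatureSize")  # every entry is owner GUID + data
        while pos < end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((TYPE_NAMES.get(sig_type, str(sig_type)), owner,
                            blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def is_hash_revoked(dbx_blob: bytes, sha256_hex: str) -> bool:
    """True if the PE Authenticode hash appears as an EFI_CERT_SHA256 dbx entry."""
    target = bytes.fromhex(sha256_hex)
    return any(t == "sha256" and d == target for t, _, d in parse_esl(dbx_blob))


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, datas) -> bytes:
    """Build one ESL (no signature header) for constructing sample data."""
    body = b"".join(owner.bytes_le + d for d in datas)
    return sig_type.bytes_le + struct.pack("<III", ESL_HDR + len(body), 0,
                                           16 + len(datas[0])) + body


# Constructed sample: two revoked hashes plus one (dummy DER) x509 entry
OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")  # placeholder owner GUID
SAMPLE_DBX = (build_esl(EFI_CERT_SHA256_GUID, OWNER, [b"\x11" * 32, b"\x22" * 32])
              + build_esl(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82\x00\x04dummy"]))

if __name__ == "__main__":
    for kind, owner, data in parse_esl(SAMPLE_DBX):
        print(kind, owner, data.hex()[:32])
```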

wolf480pl (@wolf480pl@mstdn.io)

@Rairii noob question: why is PCA 2011 important?

Rairii (@Rairii@haqueers.com)

@wolf480pl it's what all production windows binaries are (currently) signed by

wolf480pl (@wolf480pl@mstdn.io)

@Rairii oh, so if Microsoft revokes that, then you can only boot things signed with the Microsoft third-party UEFI CA, such as Linux?

I'd call that a win.

Rairii (@Rairii@haqueers.com)

@wolf480pl they've created a new set of certs

wolf480pl (@wolf480pl@mstdn.io)

@Rairii oh, so they could use it as an anti-downgrade mechanism... that's concerning

Rairii (@Rairii@haqueers.com)

@wolf480pl well yes, that's what dbx is, to prevent old vulnerable binaries from running

wolf480pl (@wolf480pl@mstdn.io)

@Rairii yeah but by revoking the whole PCA they would revoke old non-vulnerable binaries too, right?

Rairii (@Rairii@haqueers.com)

@wolf480pl lack of dbx space and the creation of new certs made me expect this would happen, at least for new systems

wolf480pl (@wolf480pl@mstdn.io)

@Rairii does that mean once someone installs Win11 on it you can't install Win10 anymore?

Rairii (@Rairii@haqueers.com)

@wolf480pl don't know yet.

Rairii (@Rairii@haqueers.com)

@wolf480pl IF older systems get the cert revoked, it should be possible to revert it in the UEFI firmware setup, which has an option to revert db/dbx back to the default (in the UEFI firmware)
