mirror of
https://github.com/privacyguides/privacyguides.org.git
synced 2025-12-17 16:54:05 -05:00
add attack surface info
This commit is contained in:
fria
GitHub
parent
3a7456337d
commit
cb5e780a76
1 changed files with 7 additions and 1 deletions
|
|
@ -85,4 +85,10 @@ The PK allows updates to the KEK and by extension the signature databases so era
|
|||
|
||||
Microsoft provides its own PK for OEMs to use if they don't want the responsibilty of managing the keys themselves. They also provide their own KEK via their KEK certificate authority. For Windows, it's required in order to update the database for newer signed images of Windows.
|
||||
|
||||
It also allows booting into non-Microsoft bootloaders like shim, allowing many Linux distributions to support secure boot without any extra configuration.
|
||||
It also allows booting into non-Microsoft bootloaders like shim, allowing many Linux distributions to support secure boot without any extra configuration.
|
||||
|
||||
#### Attack Surface
|
||||
|
||||
Since the Microsoft KEK CA allows so many different bootloaders to run by default, it allows more attack surface than many users desire. You can use your own machine owner key (MOK) (and delete the default keys) so that only your own bootloader and/or custom kernel module will be allowed to load. Usually this is provided by your distribution.
|
||||
|
||||
Usually, Secure Boot only covers the UEFI firmware, bootloader, and OS kernel, many peripneral devices like drives are left out of the process. This can mean a lot of extra attack surface depending on how many extra devices you have on your system.
|
||||
Loading…
Add table
Add a link
Reference in a new issue