Secure Boot bypass revealed - gHacks Tech News

Secure Boot bypass revealed

Secure Boot is a security standard that is part of UEFI designed to restrict what gets loaded during boot time of the device.

Microsoft introduced the feature in Windows 8 back in 2011, and every client or server version of Windows supported it since then.

Microsoft stated back then that it was up to the manufacturer of the device to ship it with controls to turn Secure Boot off.

Without those controls, it is not possible to use load operating systems that are not explicitly allowed. In worst case, it would mean that only one particular flavor of Windows can be run on a device.

This is for instance the case on Windows RT or Windows Phone devices. Secure Boot can be turned off on PCs and notebooks however, at least for the time being.

Researchers discovered a way to manipulate Secure Boot on Windows devices, effectively rendering it useless.

secure golden secure boot key

Secure Boot uses policies which the Windows Boot Manager reads during boot. Not all policies get loaded though. Policies are usually linked to DeviceID, and the boot manager will only execute policies with a matching DeviceID.

Microsoft did introduce supplemental policies which are not linked to DeviceID which in turn enables anyone to enable test signing. With test signing enabled, it is possible to load anything during boot.

The "supplemental" policy does NOT contain a DeviceID. And, because they were meant to be merged into a base policy, they don't contain any BCD rules either, which means that if they are loaded, you can enable testsigning. Not just for windows (to load unsigned driver, ie rootkit), but for the {bootmgr} element as well, which allows bootmgr to run what is effectively an unsigned .efi (ie bootkit)!!! (In practise, the .efi file must be signed, but it can be self-signed) You can see how this is very bad!! A backdoor, which MS put  in to secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere!

The effect here is that it unlocks Secure Boot on devices where the feature is locked. The method that the researchers discovered works on Windows devices with Secure Boot enabled, but only if Microsoft's MS16-094 security patch is not installed; also, administrative rights are required.

Microsoft tried to fix the issue with MS16-094 in July, and this month's MS16-100 security bulletins. The first patch introduced blacklisting, the second an update that revoked some boot managers.  The patches don't resolve the issue completely though according to the researchers.

You find additional information about the issue on this site. Please note that it plays an intro with music in the background. I suggest you use Ctrl-A, Ctrl-C to copy all content, and paste it in a text document as the music and background animation is quite distracting.

Summary
Secure Boot bypass revealed
Article Name
Secure Boot bypass revealed
Description
Researchers discovered a way to manipulate Secure Boot on Windows devices, effectively rendering it useless.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

  1. Mark Hazard said on August 10, 2016 at 9:27 pm
    Reply

    Martin, will these Secure Boot patches prevent one from booting Linux?
    Also, I can’t find a link to the site.
    Thanks for the article.

    1. Martin Brinkmann said on August 10, 2016 at 9:32 pm
      Reply

      Link added, it is this one: https://rol.im/securegoldenkeyboot/

      The patches should not affect that from what I can tell.

    2. 420 said on August 10, 2016 at 11:05 pm
      Reply

      What this patch (script really) is good for is… unlocking surface rt and various phones micro$ has. Which is “good news everyone” for people with surface rt’s as micrososhaft has basically abondoned the surface rt’s. For everyone else this patch doesnt really do alot, as you already have the ability to disable secure boot. The golden key also demonstrates what an incredibily stupid idea it is to have golen keys, bypasses and back doors cooked into stuff.

      1. A or B, not C. said on August 11, 2016 at 7:59 am
        Reply

        @ 420 ……. M$ hv the prerogative to pull the trigger at any time n disallow all new OEM Win 10 UEFI cptrs from being able to disable Secure Boot, esp if Win 10 has achieved critical mass of above 50% world market share.

        With the 02 Aug 2016 Win 10 Anniversary Update, M$ has blocked all unsigned Windows kernel mode drivers from being installed. This move affects the installation of programs/software/apps for AV, back-up/imaging, VPN, browser, torrent, office productivity, etc. In theory, M$ can block all 3rd-party programs/apps/software from being installed or make certain demands from the software developers. This is one of the reasons, many Win 10 users r having problems with the Anni-Update.
        ……. M$ hv also recently “decreed” that all new OEM Win 10 cptrs must ship with TPM 2.0, which, in theory, can also gives M$ more control over people’s cptrs. Pls refer to the Wiki article for Trusted Platform Module/TPM.

        So, maybe it’s best to avoid buying new OEM Win 10 cptrs n smartphones.

  2. Anonymous said on August 10, 2016 at 9:51 pm
    Reply

    I’m happy that they manage to “crack” that Microsoft imposed piece of BS.

  3. Mark Hazard said on August 10, 2016 at 11:02 pm
    Reply

    Thanks, Martin.

  4. jack said on August 10, 2016 at 11:59 pm
    Reply

    Can we unlock old Windows Phones and put custom Android ROMs on them?

    1. A or B, not C. said on August 11, 2016 at 8:32 am
      Reply

      @ jack ……. Likely, not possible.

      Unlike cptrs, nearly all smartphones do not allow another mobile OS to be installed by the users from an external install media, eg microSD card, not even for installing the same preinstalled mobile OS that came with the phone, ie smartphones hv walled gardens = users r like in prison. Of course, the phone-users can change “prisons”, eg move from iOS to Android or vice versa.

      The work-around of ROM Flashing to update Android OS for many high-end Android phones, r provided by 3rd-party private developers, n not by the mobile OS developers or OEMs, eg Apple, Google, M$, Samsung, LG, HTC, etc.

  5. mikef90000 said on August 11, 2016 at 12:27 am
    Reply

    All this total crap ‘secure boot’ EFI stuff in firmware to replace a simple write-protect hardware jumper or switch. At least I can still find motherboards that let me disable it.

  6. 420 said on August 11, 2016 at 8:57 am
    Reply

    @a or b, not c, I am confused on one item. So if your windows box has uefi only and not uefi and legacy like my dell laptops, M$ can make it so you cannot disable secure boot? I think I read that the ability to turn off secure boot is cooked into the bios, so unless you are saying M$ has the ability to change my bios remotely like an update, I do not see how they can undo what is in the bios supplied by Dell. Also could you please give source articles if you are saying M$ can change my bios so that I will not be able to disable secure boot.

    1. Corky said on August 11, 2016 at 10:11 am
      Reply

      @420, Yes secure boot is controlled by the BIOS (enable, disable), having said that it does appear the direction of travel for Microsoft is to compel motherboard manufactures to eventual remove that option, for a MoBo manufacture to gain the certified for Windows label previously (Windows 8) they had to include the option in the BIOS to disable secure boot, that changed with Windows 10 to being an optional BIOS setting.

  7. 420 said on August 11, 2016 at 11:33 am
    Reply

    I see, looks like I will go with my plan of my desktop will be a windows box for games with no internet and all my other laptops will have manjaro. I am starting to see M$ plan now, get enough people on board then give them no alternatives, devious.

  8. CHEF-KOCH said on August 11, 2016 at 12:48 pm
    Reply

    The question is how fast MS react on it and how fast they fix it, also the other question is if someone really can abuse it or if it’s simply a poc. If you use VeraCrypt I doubt that this makes any sense.

    Before someone cry it should be noted that this wasn’t actually abused in real world. So chill and keep it monitored.

    1. Rotten Scoundrel said on August 11, 2016 at 5:19 pm
      Reply

      Ummm “this wasn’t actually abused in real world”

      Chef-K, it’s hard (??) to abuse something that had not been yet found. Now found the implications are huge. Also “how fast they fix it,” it’s not that simple. This will be near impossible to “fix” looking back from when they actually fix it in next release of updates. All current and backed up Shadow Copies will contain the errant code, many levels of backups will also contain it. So a Restore or Recovery will almost certainly reinstate it.

      Any smart person backs up daily and images their drives at least weekly. Ahhh, msoft programming, ain’t it grand. Does anyone recall just a few days back I was ruminating on the ineptitude of msoft programmers? LOL

  9. Straspey said on August 11, 2016 at 2:29 pm
    Reply

    ” Please note that it plays an intro with music in the background. I suggest you use Ctrl-A, Ctrl-C to copy all content, and paste it in a text document as the music and background animation is quite distracting.”

    Yes, but —

    If you use the NoScript addon (one of Martin’s favorites, as well as myself) in your Firefox browser to defeat the flash animation, and then simply mute your speakers – you can the simply scroll through the article and read it comfortably without those annoying distractions.

    1. A or B, not C. said on August 11, 2016 at 3:30 pm
      Reply

      @ Straspey ……. With the Slimjet browser, I just disable javascript in Content setting for the same effect, ie no need addon.

  10. MrHandsome said on August 12, 2016 at 1:26 am
    Reply

    Just use Noscript to not allow the site, and no music or animation is being played….

  11. Intel Inside® said on August 12, 2016 at 9:24 pm
    Reply

    “Trusted Computing” is an Intel® way to put chips on your Mobo. These chips use low-level languages as i2C: Trusted Platform Module (TPM) with I²C interface is produced by Atmel Corporation, while Intel® puts the backdoored code in it.

    I was dragged down this rabbit hole by following Dragos Ruiu on twitter.

  12. Zeal0us said on August 14, 2016 at 12:22 am
    Reply

    Is there any how to guides on how to linux distros on to windows rt tablet?

  13. Iscariot said on August 14, 2016 at 8:04 pm
    Reply

    You’re asking an ARM OS that bypasses the latest Micro$oft UEFI limitations…
    Tell us if you got it running!!

  14. Simon said on January 28, 2017 at 11:32 am
    Reply

    Anyone managed to get any ARM linux booting/installed on a Surface 2?

    It’s been a while, thought Id follow up.

  15. John S said on February 5, 2018 at 2:15 pm
    Reply

    Secure Boot another useless weak layer Microsoft whipped up to fix its miserable track record of PC’s running Windows getting rootkits and other malware. I guess its one of those deals if all you run is Windows then keep Secure boot on for its minor improvement in resisting malware. Personally I will pass on anything Microsoft dreams up as some sort of security improvement.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.