UEFI: Difference between revisions

An easy way out is to use a loader that is itself signed by Microsoft and that in turn loads another binary signed with a key and certificate owned by you (the MOK, Machine Owner Key). Such a loader is [https://github.com/rhboot/shim shim], used by Red Hat, Fedora, SUSE, Ubuntu, Arch and many other distros to load GRUB. The filename of the second-stage EFI executable is hardwired in shim, but if you rename your own loader to GRUBX64.EFI (or GRUBIA32.EFI on 32-bit firmware) and sign it with your MOK key and certificate using [https://github.com/imedias/sbsigntool sbsigntool], shim will load it under Secure Boot. Two caveats: shim only trusts a MOK certificate after it has been enrolled through MokManager (normally queued with mokutil --import and confirmed at the next boot), and whatever your loader then loads is only as trustworthy as the checks your loader itself performs; shim does not verify anything beyond the binary it hands control to.
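Before handing a renamed and signed GRUBX64.EFI to shim, it is worth checking that the file is what shim expects: a PE32+ image for the right machine type with an Authenticode certificate table attached, which is what sbsign writes and sbverify --list reads back. The following is an added example, not code from this page, from shim or from sbsigntool; it parses only the PE headers and the WIN_CERTIFICATE entries and does no cryptographic verification. The FAKE_PKCS7 payload and build_sample_image helper are constructed test data so the block runs offline.

```python
"""Inspect the Authenticode certificate table of a PE/COFF EFI image.

Added example (not from the page, shim or sbsigntool): shows where sbsign
stores a signature (data directory entry 4 of the optional header) and what
sbverify --list reads back, without verifying the signature itself.
"""
import struct
import sys

IMAGE_FILE_MACHINE_I386 = 0x14C    # what GRUBIA32.EFI must be built for
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # what GRUBX64.EFI must be built for
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def _optional_header(image):
    """Return (optional header offset, machine type, data directory offset)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    machine_type, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x20B:      # PE32+ (64-bit)
        dir_base = 112
    elif magic == 0x10B:    # PE32 (32-bit)
        dir_base = 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < dir_base:
        raise ValueError("optional header too short for data directories")
    return opt, machine_type, opt + dir_base


def machine(image):
    """COFF machine type; must match the GRUBX64/GRUBIA32 name shim loads."""
    return _optional_header(image)[1]


def certificate_table(image):
    """(file offset, size) of the certificate table, or (0, 0) if unsigned.
    Unlike other data directories this entry is a raw file offset, not an RVA."""
    _, _, dirs = _optional_header(image)
    ndirs = struct.unpack_from("<I", image, dirs - 4)[0]
    if ndirs <= 4:
        return (0, 0)
    return struct.unpack_from("<II", image, dirs + 4 * 8)


def win_certificates(image):
    """List of (revision, type, payload) WIN_CERTIFICATE entries; an sbsign
    output has one entry of type PKCS_SIGNED_DATA carrying a PKCS#7 blob."""
    off, size = certificate_table(image)
    end = off + size
    if end > len(image):
        raise ValueError("certificate table runs past end of file")
    out = []
    while off + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", image, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at 0x%x" % off)
        out.append((revision, ctype, image[off + 8:off + length]))
        off += (length + 7) & ~7  # entries are padded to 8-byte alignment
    return out


# Constructed placeholder, not a real PKCS#7 signature.
FAKE_PKCS7 = b"\x30\x82\x00\x00constructed-placeholder-not-a-real-signature"


def build_sample_image(signed, machine_type=IMAGE_FILE_MACHINE_AMD64, pe32plus=True):
    """Constructed headers-only PE image (no sections) for demonstration,
    optionally with a fake certificate table appended the way sbsign does."""
    ndirs = 16
    dir_base = 112 if pe32plus else 96
    opt_size = dir_base + 8 * ndirs
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew
    coff = struct.pack("<HHIIIHH", machine_type, 0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, dir_base - 4, ndirs)    # NumberOfRvaAndSizes
    headers_len = 64 + 4 + 20 + opt_size
    cert = b""
    if signed:
        cert = struct.pack("<IHH", 8 + len(FAKE_PKCS7), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + FAKE_PKCS7
        cert += b"\0" * (-len(cert) % 8)
        struct.pack_into("<II", opt, dir_base + 4 * 8, headers_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image(True)
    print("machine 0x%x, %d certificate entr(y/ies)" % (machine(data), len(win_certificates(data))))
```

Run it as python check_efi.py GRUBX64.EFI: a machine type other than 0x8664 means shim will refuse the file regardless of its signature, and an empty certificate list means sbsign was never run on this copy (rebuilding GRUB usually produces a fresh, unsigned binary).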


Although some firmware has no option to turn Secure Boot off, Microsoft shipped a serious flaw in Windows 8's bootmgr.efi: it accepts a boot policy that [https://www.xda-developers.com/microsofts-debug-mode-flaw-and-golden-key-leak-allows-disabling-of-secure-boot/ turns off Secure Boot on any computer]. This flaw cannot be fixed by patching bootmgr.efi alone, because anybody can simply replace a fixed Windows 10 bootmgr.efi with the original Windows 8 one, which is signed with the SAME Microsoft key and therefore still passes the firmware's signature check. The only real mitigation is to revoke the old binaries through the firmware's forbidden-signature database (dbx), which depends on the vendor actually shipping and the firmware actually applying such an update.


===How to use UEFI===