Heading for #FOSDEM tomorrow!
Reach out if you wanna chat about Secure Boot distro security, TPMs/attestation, reprobuilds or other adjacent topics!
I'll also be at the #ReproducibleBuilds and #ArchLinux BOFs!
Got the appropriate keys installed on my OVMF firmware to make Secure Boot work on Windows. No idea why not on #debian yet, perhaps the backports kernel isn't signed. #secureboot
I just published a new article on my blog!
First contact with CachyOS Linux on a gaming PC
https://markokaartinen.net/2026/eka-kosketus-cachyos-linuxiin-pelikoneessa
#pelaaminen #Pelit #Linux #Linux #Tietokoneet #dualboot #Windows #Pelikone #AMD #Windows11 #CachyOS #ArchLinux #KDEPlasma #Proton #käyttöjärjestelmä #WindowsjaLinuxpelikoneessa #SecureBoot #Limine
New #Windows updates replace expiring #SecureBoot certificates
Should #secureboot be switched off in the #polycule?
BTW, it's 6 years since I last set custom #SecureBoot keys on a laptop. And hey, the process really matured over this time. It's now super easy.
1️⃣ Clear secure boot keys
2️⃣ Run # sbctl create-keys
3️⃣ Run # sbctl enroll-keys
Done.
I remember back then, I needed to manually generate keys, convert keys, copy them to a FAT32 partition, load them one by one in the EFI user interface...
🥩🥩New Blog from Mr T-Bone: Update Secure Boot Certificate by using Intune Remediation
Don’t let Secure Boot catch you off guard! Learn to update certificates with Intune – easy & secure! MrTbone_se
#Intune #SecureBoot #MVPBuzz #MrTboneBlog
👉👉 https://www.tbone.se/2026/01/09/update-secure-boot-certificate-by-using-intune-remediation/
Yup, definitely spicy...
It works with just power connected, but since the BIOS battery is dead and I can't replace it, it always restores the default settings, which enables secure boot again, which is dumb.
Perhaps I can find a #Linux Distro that works with #SecureBoot, but not sure yet.
RE: https://bsky.app/profile/did:plc:4nz4j7p3icydlttmfvbgff2o/post/3mbwbaav7z22x
I unknowingly lied about having finished my Fedora setup on my work laptop. I forgot about OBS and the DroidCam plugin for it. It was a pain in the butt until I figured out that the v4l2loopback module wasn’t loaded due to secure boot being enabled (which is weird to me since it didn’t make any problems on my desktop)
OK so apart from breaking things when I converted the partition table from MBR to GPT, switching my #Debian laptop over to #UEFI booting went pretty well.
I shaved 200MB off the 1GB /boot partition to create space for an EFI partition, and installed grub-efi-amd64-signed, then ran grub-install. Now I have UEFI and #SecureBoot working!
$ sudo mokutil --sb-state
SecureBoot enabled
On its own it's not much but it feels like an achievement.
Must remember that SystemRescueCD isn't good at networking...
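Both the sbctl post above (clear keys, create-keys, enroll-keys) and the Debian post (mokutil --sb-state) boil down to two one-byte UEFI variables, SecureBoot and SetupMode, which mokutil and sbctl read from efivarfs. The script below is an added example, not code from either poster or from the sbctl or mokutil projects: it reads those variables directly, classifies the platform state, and gives a guard you can put in front of sbctl enroll-keys so the enrollment is only attempted while the firmware is actually in Setup Mode (PK cleared). Reading efivarfs from a fixture directory instead of /sys is an assumption made so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example: decode SecureBoot/SetupMode from efivarfs without mokutil/sbctl.
# Each efivarfs file is a 4-byte attribute word followed by the variable data;
# both of these variables carry a single data byte (0 or 1).
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"   # EFI_GLOBAL_VARIABLE

# efivar_byte DIR NAME -> first data byte of NAME as a decimal string, or
# "absent" when the variable does not exist (legacy BIOS boot, efivarfs not mounted).
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || { echo absent; return 0; }
    # skip the 4 attribute bytes, read exactly one data byte, print it unsigned
    od -An -t u1 -j 4 -N 1 "$f" | tr -d ' \n'
}

# sb_state [DIR] -> enabled | disabled | setup | unknown
# DIR defaults to the real efivarfs mount; pass another directory for testing.
sb_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    sb=$(efivar_byte "$dir" SecureBoot)
    setup=$(efivar_byte "$dir" SetupMode)
    case "$sb:$setup" in
        1:0) echo enabled ;;    # keys enrolled, signature checks enforced
        0:1) echo setup ;;      # PK cleared: firmware accepts a new PK/KEK/db
        0:0) echo disabled ;;   # keys present but enforcement switched off
        *)   echo unknown ;;    # variable missing, or an inconsistent 1:1 pair
    esac
}

# ready_to_enroll [DIR] -> exit status 0 only when enrolling custom keys can work.
# Use it as a guard:  ready_to_enroll && sbctl enroll-keys
ready_to_enroll() {
    [ "$(sb_state "$1")" = setup ]
}

# Stand-alone use on a real system:
#   sb_state
#   ready_to_enroll && sbctl enroll-keys
```

If sb_state prints "enabled" you are not in Setup Mode yet and step 1 (clearing the keys in firmware setup) has not taken effect; "unknown" usually means the machine booted in legacy BIOS mode, so none of the UEFI variables exist.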
Of Boot Vectors and Double Glitches: Bypassing RP2350's Secure Boot
https://streaming.media.ccc.de/39c3/relive/2149
#HackerNews #BootVectors #DoubleGlitches #SecureBoot #RP2350 #CyberSecurity #Hacking
Due to my setting Secure Boot mode in my BIOS to "Windows" rather than "Other OS," Windows encrypted both my boot drive and my RAID without my asking, and it broke the "Windows Activation," too. I could not switch Secure Boot back to "Other OS" without losing access to my hard disks. "Turn off BitLocker" on the RAID drive has been running for a couple of hours so far, with no indication of when it will finish.
"Local Attack: A local attacker with sufficient privileges can modify EFI Variables or the EFI partition using a live Linux USB to alter the boot order and load a compromised shim, executing privileged code without disabling Secure Boot."
#secureboot #ossec #netboot
https://www.reddit.com/r/linux/comments/1al8mad/critical_shim_bootloader_flaw_leaves_all_linux/
Moved the workstation CPU/RAM/disk/GPU to the motherboard previously used for the #proxmox server. Now it’s in a (nice) case instead of a bench 😅
Manage to do all the changes without breaking #SecureBoot once 🙂
I was a bit scared because after the change I had some instabilities (lockups, failure to boot), turns out, I can’t use XMP with the RAM and motherboard combination 🤷♂️
Unfortunately, I can’t yet bring the proxmox machine back up, as the PSU does not fit in the (new) case I have for it 🤦♂️
Is your team interested in #UEFI Secure Boot and Intel Root of Trust? Do you want to understand how they actually work in real systems, and how they are attacked and defended in practice? Join our advanced hands-on training based on workshops already delivered to engineering and security teams, covering UEFI #SecureBoot internals, UEFI variables, and real-world vulnerabilities such as #BootHole, #BitPixie, recent #GRUB2 CVEs, and Intel Root of Trust weaknesses.
FreeBSD, Debian and Secure Boot
This guide describes the process of setting up FreeBSD 15 to run in Secure Boot mode. We create a Machine Owner Key, install it into UEFI, and sign the bootloader. Secure Boot: [ ON ]
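The three steps the guide summarises (create a Machine Owner Key, enrol it through shim's MokManager, sign the loader) are the generic shim + MOK workflow. The script below is an added example written for this page; it is not taken from the linked guide and does not reproduce its exact commands. The file names, the subject CN, the ten-year validity and the /boot/efi/EFI/FreeBSD/loader.efi path are assumptions chosen for illustration; mokutil and sbsigntools are required only for the enrol and sign steps, which are not run here.

```shell
#!/bin/sh
# Added example: generic shim Machine Owner Key (MOK) workflow.
set -e

# mok_create PREFIX CN -> writes PREFIX.key (PEM private key), PREFIX.crt (PEM
# certificate) and PREFIX.der (DER certificate, the format mokutil --import wants).
mok_create() {
    prefix="$1"; cn="$2"
    # shim verifies RSA Authenticode signatures; a 2048-bit self-signed X.509
    # certificate is sufficient. -nodes: unencrypted key, so sbsign can use it
    # non-interactively; protect it with file permissions instead.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$cn" -keyout "$prefix.key" -out "$prefix.crt" 2>/dev/null
    chmod 600 "$prefix.key"
    openssl x509 -in "$prefix.crt" -outform DER -out "$prefix.der"
}

# mok_fingerprint DER -> SHA-256 fingerprint of the certificate. MokManager shows
# the same value at the next boot, so compare it before confirming "Enroll MOK".
mok_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# mok_enroll DER: queues the certificate; MokManager asks for the one-time
# password on the next reboot. Requires mokutil on a shim-booted system.
mok_enroll() {
    mokutil --import "$1"
}

# mok_sign PREFIX IN OUT: Authenticode-sign an EFI binary with the MOK and verify
# the result. Requires sbsigntools; shim only accepts it after PREFIX.der is enrolled.
mok_sign() {
    sbsign --key "$1.key" --cert "$1.crt" --output "$3" "$2"
    sbverify --cert "$1.crt" "$3"
}

# Typical run on the target machine (illustrative paths, not executed here):
#   mok_create /root/MOK "FreeBSD MOK"
#   mok_fingerprint /root/MOK.der
#   mok_enroll /root/MOK.der        # reboot, enter the password in MokManager
#   mok_sign /root/MOK /boot/loader.efi /boot/efi/EFI/FreeBSD/loader.efi
```

Two checks worth keeping in the habit: the DER file must round-trip back through openssl (a PEM accidentally passed to mokutil is rejected), and the fingerprint MokManager displays must match what mok_fingerprint printed, otherwise you are enrolling something other than the key you generated.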
@duxsco For everyone who asked for sources on where the journey with Secure Boot / TPM / Pluton is heading, here is a small, well-documented selection:
Microsoft Pluton security processor (official documentation)
https://learn.microsoft.com/de-de/windows/security/hardware-security/pluton/microsoft-pluton-security-processor
Heise: Microsoft's Pluton security controller is coming to Intel CPUs as well
https://www.heise.de/news/Microsoft-Sicherheitscontroller-Pluton-kommt-auch-in-Intel-Core-9833911.html
UEFI / Secure Boot: criticism and history
https://en.wikipedia.org/wiki/UEFI#Criticism
Secure Boot: background (Wikipedia)
https://en.wikipedia.org/wiki/UEFI
TPM & Secure Boot: fears, doubts and criticism (German)
https://curius.de/2022/02/kollektive-vorbehalte-gegen-tpm-und-secure-boot-aengste-unsicherheit-und-zweifel/
Nobody claims Secure Boot is evil per se.
The question is who controls the root keys and the policy in the long run.
Security without user sovereignty is policy enforcement.
#SecureBoot #TPM #Pluton #DigitaleSouveränität #OpenSource #Linux #VendorLockIn #ITSecurity
@IncredibleLaser The #TLS analogy doesn’t hold:
TLS is a #protocol where I can run my own #CA, replace trust anchors, or opt out entirely.
#SecureBoot is part of a platform-wide chain of trust.
The problem isn’t Secure Boot per se. It’s that the root of trust is moving away from the user!!!
With Secured-Core PCs, Pluton, OEM firmware policies and enforced updates, the “platform owner” increasingly becomes the vendor, not the person managing the device.
Once Secure Boot is no longer fully disable-able and keys are fused or policy-enforced, custom keys stop being a right and become an exception :blobcatangery:
Apple already shows where this leads: security as control, not choice 😩
🧵 Follow-post: Why Secure Boot / Secured-Core ≠ Security
Why Secure Boot / “Secured-Core PCs” are not real security
Secure Boot only verifies who signed the bootloader — not whether the system is secure.
It protects the boot path, not the running system.
Malware, rootkits and exploits are injected after boot:
via browsers, drivers, kernel bugs, supply-chain attacks.
Secure Boot does nothing against that.
With TPM / Pluton, trust is anchored in hardware controlled by vendors, not users.
If you don’t control the root keys, you don’t control the system.
Keys can be revoked. Firmware can be updated remotely.
Suddenly, software that used to run on your own hardware no longer does.
That’s not security — that’s policy enforcement.
#SecureBoot #SecuredCore #TPM #Pluton #OpenSource #Linux
#DigitalSovereignty #VendorLockIn #ITSecurity #Firmware