Acer, Dell, Gigabyte, Intel and Supermicro motherboards are affected. The issue? They used SecureBoot certificates meant for testing, that were literally marked “do not trust / do not ship.”
The key was created by American Megatrends International (AMI). Despite the clear name of the key, the UEFI implementers at these companies weren’t even paying attention to what they were bundling in their motherboards.
The previous folks who were discovered to do this were Aopen, Foremelife, Fujitsu, HP, Lenovo, and Supermicro. Seems like Supermicro haven’t learned their lesson.
Patch your firmware if you care about secure boot and you sign your boot payloads.
Be interesting to know what ALL is affected by that. I know that the GPD WinMax2(2023) with a 7840u is affected, still trying to decide what i want to do about it.
edit: oh yeah, how would i bring this to wendel’s attention?? i know he has one too.
I so wanted to have CoreBoot on everything but it doesnt seem practical.
I remember the recent L1T video about a quirky AliExpress mobo. I hope Wendell pushes through with his group buy and hopefully get the manufacturer to open up the mobo and hopefully wendell will get enough insights in the hardware to get it running in a Coreboot firmware.
In the arstechnica link, there’s 200 devices affected at the bottom, in a long list. The issue appears between 2019 and 2024, from what I could spot.
I believe Dell already patched some of them. I can’t say what patches are available for what. Check if your device is in the list and then look on your manufacturer’s website if there’s a firmware patch available.
Well, I’d suggest you do that even if your device doesn’t show up. It’s a good time to double check if you’ve got any uefi updates available.
5 years kinda pushes it barely outside of support, most products get EOL after 3 years or so, including firmware. Maybe anything, but the most critical security patches.
Considering that UEFI contains a complete network stack, including drivers, ethernet, DHCP, DNS, TCP, UDP, HTTP etc., readers for file systems, image file parsers, etc. I’d wager A FRICKN LOT.
Yikes indeed.
I think we should really make the boot process as simple as possible, keep the firmware as small as possible in scope, and leave all the rest to a competent user-supplied bootloader and well-documented standards. But that will probably never happen :(
yes hearing this was exceptionally gross to come across
the manufacturer in question had a chance to really look good considering the other primary manufacturer has been making themselves look awfully bad lately and instead, they’re like… ehhh… no.
true, but still…what a chance for unspecified manufacturer AMD to really get some brownie points and show they care about the community…
Secure Boot isn’t supposed to need you to do any of that, so most people don’t. Secure Boot systems don’t do that “out of the box”, they assume that the keys on the mother board are good and go from there.
