Hundreds of UEFI products from 10 vendors are susceptible to compromise due to a critical firmware supply-chain issue known as PKfail, which allows attackers to bypass Secure Boot and install malware.
Yeah, unfortunately the default state is always to allow enrollment of keys. Think about the thousands of enterprise devices which just got a BIOS password from the IT Dept. And the only change they made to the BIOS was the PXE Boot as a first option. As long as they never disable booting from the USB devices, it will enroll the keys. HP even allows you to get to the Boot Menu and sort of a pre-BIOS menu in the newer devices still with a BIOS password and lock set up.
And I have first hand witnessed way too many to count instances where that is the case.
No matter what vendor, HP, Dell or Lenovo (the 3 main ones used in the enterprise world) allow the enrollment of keys by default, with a locked BIOS by default.
Source: I’m the sysAdmin at a R2 recycler and regularly get thousands of laptops to play with.
Hmm that’s very surprising. Secure boot setup mode is entirely just to enable or disable enrollment of keys, so being able to enroll keys with setup mode off and the bios locked is bizarre. I can say that my dell (xps 9560) does not behave that way - I have to enter bios and explicitly enable setup mode to enroll keys, and setup mode automatically switches back off once you enroll.
If you restore the BIOS to the default settings using the button on the left-most side in the BIOS, and then setup an Administrator password in the Security tab, you’d be able to verify yourself by using a Ventoy flash drive if you want.
Also I feel is important to mention that your BIOS password for that one model of XPS you have can be reset by generating a master key, so I really recommend turning on an option that I cannot remember the name of from the tip of my tongue, but it disables the “master password”, with the disadvantage that if you forget your BIOS password you’d have to replace the motherboard. If I find the name I’ll link it right here.
Edit1:
The option is called Master Password Lockout.
Edit2:
Is worth noting also that resetting the BIOS to default settings and erasing your secure boot keys might render your system unbootable if you use Windows BitLocker.
Yeah, unfortunately the default state is always to allow enrollment of keys. Think about the thousands of enterprise devices which just got a BIOS password from the IT Dept. And the only change they made to the BIOS was the PXE Boot as a first option. As long as they never disable booting from the USB devices, it will enroll the keys. HP even allows you to get to the Boot Menu and sort of a pre-BIOS menu in the newer devices still with a BIOS password and lock set up. And I have first hand witnessed way too many to count instances where that is the case.
No matter what vendor, HP, Dell or Lenovo (the 3 main ones used in the enterprise world) allow the enrollment of keys by default, with a locked BIOS by default.
Source: I’m the sysAdmin at a R2 recycler and regularly get thousands of laptops to play with.
Hmm that’s very surprising. Secure boot setup mode is entirely just to enable or disable enrollment of keys, so being able to enroll keys with setup mode off and the bios locked is bizarre. I can say that my dell (xps 9560) does not behave that way - I have to enter bios and explicitly enable setup mode to enroll keys, and setup mode automatically switches back off once you enroll.
If you restore the BIOS to the default settings using the button on the left-most side in the BIOS, and then setup an Administrator password in the Security tab, you’d be able to verify yourself by using a Ventoy flash drive if you want.
Also I feel is important to mention that your BIOS password for that one model of XPS you have can be reset by generating a master key, so I really recommend turning on an option that I cannot remember the name of from the tip of my tongue, but it disables the “master password”, with the disadvantage that if you forget your BIOS password you’d have to replace the motherboard. If I find the name I’ll link it right here.
Edit1: The option is called Master Password Lockout.
Edit2: Is worth noting also that resetting the BIOS to default settings and erasing your secure boot keys might render your system unbootable if you use Windows BitLocker.