• BakedCatboy
    link
    fedilink
    English
    arrow-up
    6
    ·
    4 months ago

    Sounds like this is completely about the preloaded PKs, so if you set up your own secure boot with your own keys then you’re probably fine because you would have cleared out the OEM keys right?

      • BakedCatboy
        link
        fedilink
        English
        arrow-up
        2
        ·
        4 months ago

        If the bios is locked you can’t modify the enrolled keys - that’s the point. The guide you linked assumes the bios is already set to enroll mode, which requires unlocking it.

        The result is that without the bios password (or a bios in default state) you can’t change the settings.

        I have my laptop set to only allow booting internal drives and to verify with my own enrolled keys. The only way to bypass it is to use something like ventoy is to unlock the bios and use the one-time boot menu or to enroll their key or sign ventoy with your own key.

        • admin@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          4
          ·
          4 months ago

          Yeah, unfortunately the default state is always to allow enrollment of keys. Think about the thousands of enterprise devices which just got a BIOS password from the IT Dept. And the only change they made to the BIOS was the PXE Boot as a first option. As long as they never disable booting from the USB devices, it will enroll the keys. HP even allows you to get to the Boot Menu and sort of a pre-BIOS menu in the newer devices still with a BIOS password and lock set up. And I have first hand witnessed way too many to count instances where that is the case.

          No matter what vendor, HP, Dell or Lenovo (the 3 main ones used in the enterprise world) allow the enrollment of keys by default, with a locked BIOS by default.

          Source: I’m the sysAdmin at a R2 recycler and regularly get thousands of laptops to play with.

          • BakedCatboy
            link
            fedilink
            English
            arrow-up
            1
            ·
            4 months ago

            Hmm that’s very surprising. Secure boot setup mode is entirely just to enable or disable enrollment of keys, so being able to enroll keys with setup mode off and the bios locked is bizarre. I can say that my dell (xps 9560) does not behave that way - I have to enter bios and explicitly enable setup mode to enroll keys, and setup mode automatically switches back off once you enroll.

            • admin@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              4 months ago

              If you restore the BIOS to the default settings using the button on the left-most side in the BIOS, and then setup an Administrator password in the Security tab, you’d be able to verify yourself by using a Ventoy flash drive if you want.

              Also I feel is important to mention that your BIOS password for that one model of XPS you have can be reset by generating a master key, so I really recommend turning on an option that I cannot remember the name of from the tip of my tongue, but it disables the “master password”, with the disadvantage that if you forget your BIOS password you’d have to replace the motherboard. If I find the name I’ll link it right here.

              Edit1: The option is called Master Password Lockout.

              Edit2: Is worth noting also that resetting the BIOS to default settings and erasing your secure boot keys might render your system unbootable if you use Windows BitLocker.