Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature Request: Warn if media will no longer be bootable after Q1 2024. #2244

Open
4 of 10 tasks
rcmaehl opened this issue May 12, 2023 · 133 comments
Open
4 of 10 tasks

Feature Request: Warn if media will no longer be bootable after Q1 2024. #2244

rcmaehl opened this issue May 12, 2023 · 133 comments
Assignees
Labels

Comments

@rcmaehl
Copy link

rcmaehl commented May 12, 2023

Checklist

  • I looked at https://github.com/pbatard/rufus/wiki/FAQ to see if my question has already been answered.
  • I performed a search in the issue tracker for similar issues using keywords relevant to my problem, such as the error message I got from the log.
  • I clicked the 'Log' button or pressed Ctrl-L in Rufus, or used DebugView, and copy/pasted the log into the section that says <FULL LOG> below.
  • The log I am copying is the FULL log, starting with the line Rufus version: x.y.z - I have NOT removed any part of it.

Additionally (if applicable):

  • I ran a bad blocks check, by clicking Show advanced format options then Check device for bad blocks, and confirmed that my USB is not defective.
  • I also tried one or more of the following:
    • Using a different USB drive.
    • Plugging the USB into a different port.
    • Running Rufus on a different computer.
  • If using an image, I clicked on the (✓) button to compute the MD5, SHA1 and SHA256 checksums, which are therefore present in the log I copied. I confirmed, by performing an internet search, that these values match the ones from the official image.

Issue description

Due to changes to the Windows Boot Manager from CVE-2023-24932. Previously created boot media will no longer be able to boot once enforcement begins Q1 of 2024. If possible, detect this issue and provide a warning.

https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#avoidissues5025885

Log

N/A

@Hrxn
Copy link

Hrxn commented May 12, 2023

Yikes...

Do I get that right, any official ISOs past a given date will be good, then?
But they have not released anything yet, right?

@pbatard pbatard self-assigned this May 12, 2023
@pbatard
Copy link
Owner

pbatard commented May 12, 2023

Aha, I was wondering how long Microsoft would try to swipe that CVE under the carpet until they had no choice but to take action.

If possible, detect this issue

Yeah, that's the major issue here. Microsoft have some kind of revocation list, but of course, they didn't make it downloadable as a standalone (because, why would they? Security through obscurity has always worked WONDERS for everybody....), so it's going to be a PITA.

and provide a warning.

I'll try to do that. But I'm not going to rush into it, and spend time that I don't have being a trailblazer. So I'm going to tag this as deferred for now.

@rcmaehl
Copy link
Author

rcmaehl commented May 12, 2023

Aha, I was wondering how long Microsoft would try to swipe that CVE under the carpet until they had no choice but to take action.

If possible, detect this issue

Yeah, that's the major issue here. Microsoft have some kind of revocation list, but of course, they didn't make it downloadable as a standalone (because, why would they? Security through obscurity has always worked WONDERS for everybody....), so it's going to be a PITA.

and provide a warning.

I'll try to do that. But I'm not going to rush into it, and spend time that I don't have being a trailblazer. So I'm going to tag this as deferred for now.

Sounds good! I mean there's essentially an entire year to work on this

@rcmaehl
Copy link
Author

rcmaehl commented May 22, 2023

Looks like checking for

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot\AvailableUpdates dword >= 0x10 may work. I'll need to apply the revocation steps myself later to verify that the registry value doesn't change after applying the list.

@pbatard
Copy link
Owner

pbatard commented May 22, 2023

I saw the registry key, but I don't think it's enough, because it only tells if the current machine might have been upgraded to reject old MS bootloaders, but not if the ISO contains one.

In other words, if we only check for the registry key, we will warn the user regardless of whether the ISO they selected uses an old or new bootloader, whereas we obviously don't want to warn about ISOs that use the new bootloaders.

So, again, to properly display the warning, we need to check the bootloader's hash against the revoked hashes.

From my understanding, the registry key is just a switch to tell the system to update the UEFI revocation list with the hashes of the old bootloaders since, understandably, Microsoft does not yet want to apply revocation wholesale and leave users booting older Windows ISOs facing a Secure Boot validation error. They only want to do that for users who opt-in.

Now, another potential workaround I am considering, provided we can actually download the new bootloaders from Microsoft's servers without having to extract a whole ISO (the issue being that I can't just store a copy of these bootloaders on a server somewhere for Rufus to download, without committing copyright infringement, so we have to hope that they're in a small enough .cab/.msi downloadable directly from Microsoft) would be for Rufus to replace the old soon-to-be-revoked bootloaders with the new non-revoked version, since these should be fully interchangeable.

The problem with this workaround however is that this would potentially only work for the initial USB boot (pre-installation phase) and not for the post file-copy (re)boot, as my current assumption is that during initial file copy, Microsoft picks the bootloaders from install.wim/install.esd rather than the ones from the USB (if you look at the wim/esd you'll find bootmgr.efi in Windows\Boot\EFI\), and therefore we'd have to replace them there for things to work, which will be very costly as manipulating the full >4 GB .wim is a very time consuming operation. If we are lucky however, the bootmgr.efi Microsoft installs in the file copy phase is the one found in boot.wim, which, on the other hand, we should be able to replace, as we are already performing boot.wim image manipulation to add the registry keys for the TPM/Secure Boot bypass, and thus, changing a file there would be a no brainer (well, except for people who get Rufus from the Windows Store, because the Windows Store version cannot mount .wim files, so users there will be screwed).

I am obviously planning to test this when I have a chance (which may not be before a couple of month or worse) and when I have upgraded a system to the new revoked hashes (which I will need to do carefully and make sure to keep a copy of the revocation list before and after, since I need to isolates these bloody hashes that Microsoft SHOULD provide publicly but, no matter where I looked so far, doesn't!)...

@stdin82
Copy link

stdin82 commented May 23, 2023

and when I have upgraded a system to the new revoked hashes (which I will need to do carefully and make sure to keep a copy of the revocation list before and after, since I need to isolates these bloody hashes that Microsoft SHOULD provide publicly but, no matter where I looked so far, doesn't!)...

https://uefi.org/revocationlistfile
https://uefi.org/sites/default/files/resources/dbx_info.csv

@pbatard
Copy link
Owner

pbatard commented May 23, 2023

Aha! Since we're talking about an upcoming revocation, and Microsoft is the sole entity that controls the revocation list, I didn't think they would have started to add DBX entries prior to Q1 2024, since it means that we're definitely going to see Secure Boot validation errors with Windows media long before that date (because motherboard manufacturers are not going to cherry pick what goes in the DBX they apply but pick the most recent).

Their process to decide whether a bootloader should be flagged as vulnerable or not is less than straightforward though, per https://uefi.org/sites/default/files/resources/dbx_release_info.pdf:

The following is a summary of Microsoft’s revocation techniques used for the Black Lotus vulnerability:
• Boot Managers from Windows 8 to Windows 10, version 1507: revoked by DBX entries
• Boot Managers from Windows 10, version 1507 to Windows 10, version 1607: revoked by hash by SKU SiPolicy
• Boot Managers from Windows 10, version 1703 to today: revoked by version number by SKU SiPolicy

So, we do not have a complete list of hashes of vulnerable bootloaders, and we're going to have deal with this mess to decide whether a bootloader has been revoked or not, which, and I very much hope I can be proved wrong here, Microsoft is providing no explicit details about. Especially, it does not say what version numbers are being revoked, and it is also my impression that the hashes revoked by SKU SiPolicy are not in the UEFI CSV...

@pbatard
Copy link
Owner

pbatard commented May 23, 2023

Indeed, Microsoft explicitly state here:

We have released the DbxUpdate.bin file for this issue on UEFI.org. These hashes include all revoked Windows boot managers released between Windows 8 and the initial release of Windows 10 that do not respect the Code Integrity Policy.

So, everything that is meant to be rejected after Windows 10 1507 has not been made public by Microsoft, and, as much as I'd very much like it to be otherwise, my initial comment about Microsoft not publishing information that they should provide still stands (and is made worse by the fact that we can't just rely on getting our hands on a list of hashes).

@pbatard
Copy link
Owner

pbatard commented May 23, 2023

I guess the other option we have, since we're going to have to deal with a version whatershed anyway, is to not bother with hashes and just check the version number from the EFI bootloader to display a warning if it's anything below the 22H2 v2's version (which appears to be 10.0.2261.1702 vs 10.0.2261.1 for 22H2 v1). Of course it would be nice to have the actual version that acts as the separator from Microsoft themselves...

Note that there is an additional SECURITYVERSION variable in the resource file of the EFI bootloaders, which is probably tied to the new SiPolicy feature, but for those who might be wondering if the 2.0.0.2 VersionEx referenced here has anything to do with the actual version filtering, and could be used against SECURITYVERSION, that latter variable is set to 1.0.0.0 in all the bootloaders I see, and considering that the UEFI variable is described as Set’s the code integrity boot policy version, it seems to be more about defining the minimum version of the SiPolicy environment than defining the actual minimum version of the bootloaders that should be rejected (else, I'd expect Microsoft to describe it as Sets the minimal version of bootloaders accepted by the boot policy). In short, this seems to be a version number that applies when you want to replace a an existing SkuSiPolicy.p7b and not something that give us a precise idea of the bootloader version below which a EFI bootloader should be considered vulnerable.

@pbatard
Copy link
Owner

pbatard commented May 23, 2023

Interestingly, if we need to download a bootmgfw.efi replacement, we may end up using the same method as the actual Black Lotus malware (See "1. An installer deploys files to the ES") to download the file from Microsoft by fetching the executables straight from https://msdl.microsoft.com/download/symbols/.

It does seem however that Microsoft might have taken steps to try to prevent these kind of downloads as I can't seem to manage to get this to work.

For instance, the following to retrieve a PDB will work just fine (symbols for the latest bootmgfw.efi from 22H2 v2 ISOs):

wget -c -U="Microsoft-Symbol-Server/10.0.0.0" https://msdl.microsoft.com/download/symbols/bootmgfw.pdb/F2B888C9A171A1FC2F9587649411BFD12/bootmgfw.pdb

But trying to do the same for the associated binary, which should resolve to https://msdl.microsoft.com/download/symbols/bootmgfw.efi/B647817D2ba000/bootmgfw.efi and should be served in the same manner as the PDB by Microsoft's symbol servers, just doesn't seem to work (and the same is true for a similar-but-not-the-exact-same URL that Black Lotus uses to download its own bootmgfw.efi, though of course, we want to be careful relying on this one to tell us anything as Microsoft may have deliberately chosen to remove it to stop the spread of the malware).

Using the same method I used to generate the bootmgfw.efi URL for notepad.exe (method is basically described here) yields https://msdl.microsoft.com/download/symbols/notepad.exe/E798EFB45a000/notepad.exe which downloads just fine through wget -c -U="Microsoft-Symbol-Server/10.0.0.0"

Goddammit, this is so annoying! What the hell does one have to do (besides becoming a full blown malware author) to be able to download a simple executable from Microsoft??

@pbatard
Copy link
Owner

pbatard commented May 23, 2023

Even more interestingly, since it appears that we can easily download Windows 8.1's diskcopy.dll from https://msdl.microsoft.com/download/symbols/diskcopy.dll/54505118173000/diskcopy.dll, that Black Lotus trick may help us restore the MS-DOS installation functionality, that we had to remove from Windows 10 or later on account that Microsoft had removed this DLL (which contains a full blown MS-DOS floppy disk image) from recent Windows version. 😉

@pbatard
Copy link
Owner

pbatard commented Jun 2, 2023

Gotta also leave https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#updatebootable5025885 here. Of course, it would be A LOT better if Microsoft did bother to check the "content" they provide an have an actual working hyperlink for:

If you use a bootable disk image (ISO), a CD-ROM, or DVD media, update the media by following the instructions here.

In short, Microsoft needs to provide a direct download for the non-vulnerable bootmgfw.efi for all archs, if they want their efforts against Black Lotus to be taken seriously, because they have to consider the case of customers updating boot media for a different arch than the current system (e.g. ARM64 from x86_64) that doesn't force folks to go through a full blown multi GB ISO/ESD download just to extract a 2 MB file...

@pbatard
Copy link
Owner

pbatard commented Jun 6, 2023

What a load of crap this whole thing is!

So I updated a system following the 3. APPLY the revocations steps from Microsoft, doing everything as described (double reboot, wait 5 minutes, confirm in Event Viewer that there's an entry that says that DBX has been updated) and then created a Windows 8.1 bootable media (from en-gb_windows_8.1_with_update_x64_dvd_4048142.iso, SHA-1 1F18420D65956DFE56E2359DA71AB6C363146570), fully expecting Secure Boot to produce a validation error, as indicated by Microsoft... but the media boots just fine in a Secure Boot environment...

So much for:

• Boot Managers from Windows 8 to Windows 10, version 1507: revoked by DBX entries

Unless both Microsoft and Linux are lying, my system should have the latest DBX applied:

root@debian:~# fwupdmgr get-devices
(...)
├─System Firmware:
│ │   Device ID:          a45df35ac0e948ee180fe216a5f703f32dda163f
│ │   Summary:            UEFI ESRT device
│ │   Current version:    53
│ │   Minimum Version:    53
│ │   Vendor:             Intel(R) Client Systems (DMI:Intel Corp.)
│ │   Update State:       Success
│ │   GUIDs:              f4cd40f8-4947-4069-bd4d-d5987adefc79
│ │                       230c8b18-8d9b-53ec-838b-6cfc0383493a ← main-system-firmware
│ │   Device Flags:       • Internal device
│ │                       • Updatable
│ │                       • System requires external power source
│ │                       • Needs a reboot after installation
│ │                       • Cryptographic hash verification is available
│ │                       • Device is usable for the duration of the update
│ │
│ └─UEFI dbx:
│       Device ID:        362301da643102b9f38477387e2193e57abaa590
│       Summary:          UEFI revocation database
│       Current version:  423
│       Minimum Version:  423
│       Vendor:           UEFI:Linux Foundation
│       Install Duration: 1 second
│       GUIDs:            c6682ade-b5ec-57c4-b687-676351208742 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503
│                         f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
│       Device Flags:     • Internal device
│                         • Updatable
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│                         • Only version upgrades are allowed
│                         • Signed Payload
(...)

And I can tell that Secure Boot is really enabled and enforcing validation, since I do get a big fat Secure Boot validation error when I try to boot the unsigned UEFI Shell...

Someone, somewhere, is not telling the truth...

@stdin82
Copy link

stdin82 commented Jun 8, 2023

Maybe the efi files from that iso are not revoked?
i checked SHA-256 of bootx64.efi & bootmgfw.efi from en_windows_8.1_with_update_x64_dvd_6051480.iso, they are not listed in dbx_info.csv

@pbatard
Copy link
Owner

pbatard commented Jun 8, 2023

i checked SHA-256 of bootx64.efi & bootmgfw.efi from en_windows_8.1_with_update_x64_dvd_6051480.iso, they are not listed in dbx_info.csv

The thing is, if you try to lookup plain SHA-256's in the CSV, from a revoked executable, you will not find it either.

That's because the "flat" SHA-256's provided by Microsoft are not the SHA-256 you get by computing the hash for the whole file (because, of course, that would be too straightforward, and who wants to be straightforward and non-obtuse when dealing with matters of security...), but the hash you get by Frankenstein's Monstering only a selection of sections from it (and, yeah, technically, that might make sense as the Secure Boot signature does not apply to all the PE data in the first place, so one could defeat the DBX by altering one of these sections, as they wouldn't invalidate the signature, but would change the hash from the DBX, though I would counter with WHO IN THEIR RIGHT MIND DECIDED THAT HASHING A FILE FOR FRIGGING DIGITAL SIGNATURE VALIDATION SHOULD NOT BE ON THE WHOLE ORIGINAL SOURCE BINARY BUT INSTEAD ON SECTIONS CHERRY PICKED AT RANDOM?!? HOW HARD WOULD IT HAVE BEEN TO DESIGN A NEW PE CONTAINER EXTENSION THAT COULD EMBED THE ORIGINAL BINARY WHOLESALE + DIGITAL SIGNATURE INTO A SIGNED PE FILE INSTEAD OF THIS COMPLETE SECURITY ABOMINATION THAT ULTIMATELY FORCES EVERYONE TO HAVE DEAL WITH THIS MICROSOFT INDUCED BULLSHIT?). So, if all you have is a EFI binary, and you want to find out if it's in the Microsoft published DBX, well, better be ready to code your own SHA-256 hashing application, because good luck finding a standalone SHA-256 computation application that can deal with the intricacies of PE hashing for Secure Boot...

Thankfully, after much searching and sieving through bullshit, I found that the obscure PE256 value that Microsoft also does provide in the CSV is actually the SHA-256 "hash" that Get-AppLockerFileInformation reports when you feed it a Secure Boot signed UEFI executable.

For instance, if you issue Get-AppLockerFileInformation bootx64.efi from PowerShell for the bootx64.efi of en-gb_windows_8_x64_dvd_915412.iso, you get Hash: SHA256 0xCF7F9E7D091023A1A1C3F5CBF7DDACF7B18F03A4D07961F71506FE9DF4388EEE, and you will find that this last value is in the CSV under PE256, whereas the standard SHA-256 for that file is BEA5931767DCA4C46EF7D6AD73E6913A592860138D3FC82056289B8DFF337940 and does not match the 196243A87389B47FC9033AF3884F3FF0A5C891D80E22C82D2ECD5B9A3434186E SHA-256 that Microsoft expects for that file in the CSV.

All this to say that, whereas Microsoft were supposed, and have indicated, that all their Windows 8, 8.1 and 10 UEFI bootloaders prior to 1507 should have been entered in the DBX, the bootx64.efi from en-gb_windows_8.1_with_update_x64_dvd_4048142.iso certainly has not been, because its PE256, as computed by Get-AppLockerFileInformation is CD2CFDA64B9D6DB3CA88D27B3F90453ABCD842844A3B45696B90BE54E58AAE04, and that value is NOT in the bloody DBX.

And I guess that, now that you know how to validate whether a Windows UEFI bootloader executable is in the DBX, you too can play the game of "What other bootx64.efi/bootmgfw.efi did Microsoft forgot to register for DBX exclusion when they said it should be excluded?

Oh and incidentally, trying to boot a USB media created from en-gb_windows_8_x64_dvd_915412.iso on my updated test machine does produce a Secure Boot security violation as expected...

@stdin82
Copy link

stdin82 commented Jun 8, 2023

I see
the standard SHA-256 of bootmgfw.efi (both x86/x64) from Windows 8.1 update KB3084905 are listed though, and Get-AppLockerFileInformation result match the listed PE256 Authenticode

neither values are listed for 6051480.iso files

the list might have glitches, or they forgot to revoke some files

@pbatard
Copy link
Owner

pbatard commented Jun 8, 2023

Yeah, my worry here is that those missed EFI bootloaders, which the DBX does let through (it's not a list issue, it's a DBX issue, as I did validate that these bootloaders are being let through on a fully updated system), might be compatible with newer Windows (whilst ignoring the SKUSiPolicy.p7b which is how Windows 10 1507+ bootloaders are being filtered out), meaning that the Black Lotus team may just have to install one of these, and folks who went through all the steps to prevent Black Lotus might still get infected with Black Lotus regardless...

@pbatard
Copy link
Owner

pbatard commented Jun 8, 2023

Note: I have just e-mailed the UEFI Forum administrators as well as the Microsoft Secure Boot signing team with my concerns about these missing Windows 8.1 bootloaders from the DBX.

Oh, and for the record, these bootloaders were built in 2014.03, and look a bit too early to have benefited from the post 2015.07 revocation features...

UPDATE: On advice from Microsoft, I have also created a new vulnerability report (VULN-102832) at https://msrc.microsoft.com/report/vulnerability.

@pbatard
Copy link
Owner

pbatard commented Jun 9, 2023

A few more random notes, for those who might be interested in this whole thing:

  1. If you copy %systemroot%\System32\SecureBootUpdates\SKUSiPolicy.p7b to the efi\microsoft\boot\ directory of boot media created from a post 1507, pre 2305 Windows ISO (tested with a Windows 10 1703 bootable USB created with Rufus), you get the expected Microsoft equivalent of a Secure Boot Security Violation with the Recovery screen below, with a The digital signature for this file could not be verified / Error code: 0xc0000428 message:
    Sany4910
  2. In an unexpected Microsoft did the right thing for once, it appears that the SKUSiPolicy.p7b file is universal, which means that the version you get from an x86_64 Windows installation contains the revocations for ARM64, and vice versa. This is of interest to us if we plan to automatically add SKUSiPolicy.p7b to Windows media created by Rufus (see below).
  3. Windows 7 has never been Secure Boot compatible (the bootloaders are signed by Microsoft... but not with the UEFI Secure Boot credentials), so there's no need to revoke anything there as you'll get a Security Violation regardless.
  4. It appears that Microsoft Hyper-V looks at the host system's SKUSiPolicy.p7b to check if the UEFI bootloader should be trusted, meaning that, even if the virtual disk you boot from does not have an SKUSiPolicy.p7b present, you will get a standard Secure Boot Security Violation (rather than the 0xc000042 Recovery screen) if that bootloader happens to have been revoked in the host's SKUSiPolicy.p7b.
  5. Adding SKUSiPolicy.p7b to USB media created from the en_windows_8.1_with_update_x64_dvd_6051480.iso or en-gb_windows_8.1_with_update_x64_dvd_4048142.iso ISOs (the two Windows 8.1 ISOs whose bootloaders appear to have been "forgotten" by Microsoft for exclusion) still results in media that boots in an updated system, meaning that Microsoft did not voluntarily exclude these bootloaders from the DBX on account that they were modern enough for SKUSiPolicy.p7b to apply...

At this stage, considering that trying to secure systems of unaware users is something that applications should strive for (rather than let unaware users potentially get infected through known easily patchable security holes), I am planning to have Rufus automatically copy the system's SKUSiPolicy.p7b to the boot media when a efi\microsoft\boot\ is detected there and either SKUSiPolicy.p7b does not exist, or one exists but it is older than the system's.

My reasoning is that, in an ideal world, all the bootloaders for which SKUSiPolicy.p7b applies would have been added to the DBX, but they haven't been because the DBX is actually running out of space and Microsoft (as well as the Shim folks) devised alternate methods that mirror what the DBX does without actually using the DBX. So, in an ideal world, these Microsoft bootloaders should generate a Security Violation on up to date Secure Boot enabled systems regardless of whether a SKUSiPolicy.p7b exists or not, and we really don't want users to get the idea that everything is fine and dandy when they are booting a media that is known to be potentially problematic and/or used as vector of infection. Especially, it needs to be hammered to users that, if they get a Security Violation and still want to boot that media, they can always disable Secure Boot. But then that decision to boot known insecure bootloaders becomes their explicit choice and is not something they'll be able to dismiss with a "Well, I didn't know I was potentially putting my system at risk..."

And this is where we might for once be helped by SKUSiPolicy.p7b appearing to be universal, as my one worry was that trying to use the SKUSiPolicy.p7b from an x86_64 system to create an ARM64 boot media would leave that ARM64 media open, on account that Microsoft may have chosen to produce arch-specific SKUSiPolicy.p7b's...

@stdin82
Copy link

stdin82 commented Jun 10, 2023

Doesn't KB5025885 article state that SKUSiPolicy.p7b should not be copied to the boot media (ISO, USB, DVD..)?

@pbatard
Copy link
Owner

pbatard commented Jun 10, 2023

Doesn't KB025885 also not provide any instructions on how one should update ISO/USB/DVD media ("update the media by following the instructions here." with no hyperlink)?

Again, there are no two ways of going on about bootloaders that should be revoked because they can potentially be used to infect one's system: They must be filtered out with an obvious security violation on a Secure Boot enabled system, so that users are clear about what they are about to do.

Now, of course, in a context where you either created your own media (which is the context of the KB) or you are using media that came from Microsoft themselves, it does make little sense to try to filter the bootloaders because that media should be considered safe, and SKUSiPolicy.p7b should be applied to the installed system either directly (post 2305 images) or through Windows update pre (2305). Plus, because that statement is extraordinarily "blanket" and does not provide even a hint of why, I'm half convinced that this note is really about not copying SKUSiPolicy.p7b to media that use non Microsoft bootloaders (such as GRUB, etc).

However, in the context of Rufus, I have no way of telling if the source media is safe (and I am not going to add a very costly SHA-1 validation to check for retail ISOs, especially as a lot of folks are going to use MCT ISOs anyway which should be considered safe but cannot be validated for safety). Furthermore, the creation of boot media using Rufus from a Black Lotus infected ISO (or a Black Lotus derivative) is a real scenario that I expect to happen, so, again, I do want users to make their own explicit decision (especially if they are using dodgy-sourced ISOs) when it comes to potentially lowering the security of their system as well as nudge them towards using a more up to date ISO. And, yeah, I am well aware this will annoy a lot of people, but that's how security works, and the minute you attempt to compromise security for convenience (which, IMO, is what Microsoft are doing by not advising people to copy SKUSiPolicy.p7b to post 1507 bootable media), you lose security.

So, I am just going to re-state what I just said above, regardless of what Microsoft states (who, as we have seen, are not impervious to botching security): In an ideal world, all the Microsoft EFI bootloaders prior to 2305 should have been added to the UEFI DBX and should generate a Security Violation in a Secure Boot enabled environment. As such, so that the majority of users remain safe, especially if they are using ill-sourced ISOs, I want Rufus to create media that behaves as close as possible to that ideal situation, and this entails going against Microsoft's "recommendations" and copying the system's SKUSiPolicy.p7b to the media.

@pineapple63
Copy link

4. It appears that Microsoft Hyper-V looks at the host system's `SKUSiPolicy.p7b` to check if the UEFI bootloader should be trusted, meaning that, even if the virtual disk you boot from does not have an `SKUSiPolicy.p7b` present, you will get a standard Secure Boot Security Violation (rather than the `0xc000042` Recovery screen) if that bootloader happens to have been revoked in the host's `SKUSiPolicy.p7b`.

Seems as though Microsoft Surface devices also look at that file to decide what should trigger a secure boot violation
Just now i was doing some experementing with a Surface Go 3 (which i have applied the revocations to, its the same device that i made the discovery with microsofts annoying "more secure than normal secure boot" thing), i downloaded the latest recovery image for it, only to find that microsoft hadn't released an updated (post 9th of May) recovery image, the files in the image were showing as last modified in April (so out of curiosity i tried booting the image (which i copied to a USB, as the recovery images are supplied as a ZIP file), and with secure boot enabled (both "Microsoft only" and standard secure boot settings), it was doing exactly what it does for a secure boot violation, it only booted when i temporarally disabled secure boot (and yes, i did re-enable secure boot afterwards))

@pbatard
Copy link
Owner

pbatard commented Jun 12, 2023

@pineapple63, thanks for the report.

That's actually part of the reason why I think Microsoft's "advice" about not copying SKUSiPolicy.p7b to Windows bootable media is something that can/should safely be ignored, because if you don't copy that file then any non-Microsoft machine you boot from will pretend that everything is fine and dandy, whereas, on Microsoft controlled hardware, be it virtual or real, if you boot the same media, even without SKUSiPolicy.p7b, you get an explicit UEFI Security Violation.

So, clearly, Microsoft, in its actions (rather than in its words) is telling us that any of their pre 2305 EFI bootloaders should generate a Security Violation. And the only way to get that on non-Microsoft controlled hardware, for post 1507 media, is to manually copy the system's SKUSiPolicy.p7b, which is why, if there's no other possibility (such as replacing pre 2305 bootloaders with more recent ones, which, even if we were to have direct download access to such bootloaders from Microsoft, is not guaranteed to be viable if we also have to replace these bootloaders in install.wim), I am planning to do just that in Rufus...

@pbatard
Copy link
Owner

pbatard commented Jun 13, 2023

Update from Microsoft with regards to the missing DBX entries MSRC case:

Thank you again for reporting this behavior. Microsoft is working on a comprehensive fix that will update the DBX to include additional boot loaders. However, due to the complexity of the fixes involved, we are targeting January 2024 for the next update.

So, yeah, they acknowledged that their DBX update is currently incomplete, which I'm going to assume means that you might still be able to get infected by Black Lotus, on a fully up to date system, until January 2024...

@pbatard
Copy link
Owner

pbatard commented Jun 14, 2023

Tonight, on the ongoing saga of whatever the heck Microsoft is doing to try to mitigate Black Lotus we attempt to take a closer look at:

• Boot Managers from Windows 10, version 1507 to Windows 10, version 1607: revoked by hash by SKU SiPolicy

The idea is that, since I am planning to detect EFI bootloaders that have been revoked by the DBX in Rufus and warn the user about them (hence why I just added PE256 hash support), I also wouldn't mind being able to do that for bootloaders that have been revoked in the .p7b.

That's because, as one would expect, SKUSiPolicy.p7b does contain a bunch of hashes, which you can plainly see by looking at the binary and also can (more or less) nicely convert to the kind of Security Policy XML file they fed to WDAC Wizard to create the .p7b.

You can download the converted XML below:
SKUSiPolicy.zip

Allegedly, all of the ID_DENY_D_#### hashes you can see in the file are the PE256's of the Windows 10 'bootloaders' that Microsoft wants to flag (that sure is a lot for just 1 year of Windows 10 releases, even if you factor in that it's for x86_32, x86_64, ARM64 and(?) ARM. Oh, and don't ask me why some of these hashes are duplicated: it's the .p7b that's duplicating them)... except none of these hashes appear to match the PE256 of Windows 1511's bootx64.efi or bootmgr.efi and I did find some information that, yes, it is really a PE256 that is being used in the .p7b, so it's not a matter of using the wrong hash algorithm (by the way, if you want to compute the PE256 without using PowerShell, I found that you can also use sigcheck with option -h).

Soooo, the question now becomes: What the hell is Microsoft hashing then???

I guess it makes a modicum of sense that Microsoft would not use the EFI hashes, since SKUSiPolicy.p7b is actually referenced from these bootloaders and ideally anything EFI that should be revoked should be handled by the DBX, though of course, if the point is to spare space of the DBX, then by all means WDAC revocation policies should start at the EFI level, including the EFI bootloader that performs WDAC denial.

I have tried to see if winload.exe from boot.wim was the file being hashed, since it's allegedly the first exe that gets executed after exiting EFI, but this appears not to be the case either. And I haven't found any .exe/.dll/.efi on en_windows_10_multiple_editions_version_1511_x64_dvd_7223712.iso itself with a PE256 that appears in SKUSiPolicy.p7b.

So, if anyone wants to pick a post 1507 pre 1607 Windows 10 ISO to play the "What the hell is Microsoft actually hashing in SKUSiPolicy.p7b?" game, feel free to join the "fun"...

@stdin82
Copy link

stdin82 commented Jun 14, 2023

1607 ISO is the oldest i still keep 😀
and i did find PE256 hash for bootx64.efi / bootmgfw.efi / bootmgr.efi in SKUSiPolicy.xml

@pineapple63
Copy link

Been using a 1511 ISO, and haven’t had any luck so far

(And i did verify my Surface Go 3 rejects that ISO when extracted to a USB drive (i copied the files across manually, rather than using Rufus), and in the process of verifying that i screwed up, i wanted to make sure it booted with secure boot turned off, and the device froze when i did that, after force powering it off, and re-enabling secure boot, i was met with a bitlocker recovery screen)

@pbatard
Copy link
Owner

pbatard commented Jun 15, 2023

Goddammit! Why do I always pick the ISOs that Microsoft forgot to add to their deny list?

Can confirm that en_windows_10_multiple_editions_version_1607_updated_jan_2017_x64_dvd_9714399.iso contains bootx64.efi / bootmgr.efi that are in the SkuSiPolicy list. But en_windows_10_multiple_editions_version_1511_x64_dvd_7223712.iso or en_windows_10_multiple_editions_version_1511_updated_feb_2016_x64_dvd_8379634.iso don't.

The thing is, since I wasn't sure whether Microsoft's list was inclusive or not, I deliberately picked 1511 as the "safer" bet, since it's right between 1507 and 1607. And I tested multiple 1511 ISOs I had.

So, once again, it looks like Microsoft screwed up their Black Lotus filtering, even though, in the case of SkuSiPolicy, they don't have to worry about limiting the bootloaders they pick so as not to run out of space.

I sure am starting to grow tired of having to tell Microsoft how to do their job. But at any rate, many thanks to @stdin82 for finding at least one ISO that Microsoft did properly filter out...

@pbatard
Copy link
Owner

pbatard commented Aug 18, 2024

It seems that, after removing the file altogether, the latest patch tuesday update applied a new SKUSiPolicy.P7b (In C:\Windows\System32\SecureBootUpdates), though this new one doesn't seem to have hash revocations yet:

Found 0 additional revoked UEFI bootloaders from this system's SKUSiPolicy.p7b

Oh and in other news, it seems that Microsoft now has an optional(?) KB update (KB5041160) Microsoft introduced a mandatory update in their latest patch Tuesday (KB5041585) where they update the SBAT to prevent any pre 2024.04 Linux Shim from booting due to a vulnerability that I have not been able to clearly identify (I assume it's for RHSA-2024:2086 which contains CVEs that were privately reported in 2023 but only publicly disclosed and fixed in late April 2024). I have now been able to confirm that a Ubuntu 20.04 bootable media fails to boot with Verifying shim SBAT data failed: Security Policy Violation on fully up to date Windows 11 23H2 systems. I guess I'm going to need to create an entry for this in the FAQ, while I ponder on whether I should try to add SBAT checks in Rufus to try to alert users like we try to do for Windows bootloaders...

@pineapple63
Copy link

pineapple63 commented Aug 18, 2024 via email

@pineapple63
Copy link

With the SBAT update, it appears to affect Windows 10 as well
From what i understand, Windows will not apply the update if it detects a linux installation on the computer (for the time being at least)

pbatard added a commit to pbatard/Mosby that referenced this issue Sep 15, 2024
…N based revocation

* See https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d
  as well as pbatard/rufus#2244 (comment).
* Note that dbx_update_2024_all.bin contains an ESL with an SVN update, but dbx_update_2024_svn.bin
  bumps MinimumAllowedVersion from 0x020000 to 0x030000 so both need to be applied.
* Also, since dbx_update_2024_all.bin tags 'Microsoft Windows Production PCA 2011' as explicitly
  revoked, and we were planning to remove it anyway, we obviously no longer add it in our DB data.
* Also update the signed ESL check in pki.c to account for databases with multiple ESLs.
@pbatard
Copy link
Owner

pbatard commented Sep 19, 2024

Sooooo... from my testing, it appears that the installation of the Windows UEFI CA 2023 bootloaders described in KB5025885 only works if Secure Boot is enabled, which, if confirmed, is a brand new kind of stupid, even by Microsoft's standards.

What this means is that, if you happen to manually revoke the Microsoft Windows Production PCA 2011 outside of a Windows environment (because, I don't know, maybe you don't want a Windows UEFI bootloader vulnerability to be used to exploit your non-Windows system, or just want to proceed to your own DB/DBX updates in a UEFI environment) and then happen to install or reinstall (or even try to boot an existing) Windows on the same system, then instead of just being able to proceed with Secure Boot temporarily disabled, until the new 2023-signed bootloaders get installed, and you can just turn Secure Boot back on again, you are left with no choice but to reinstall the obsolete 2011 certificate in the Secure Boot DB, then boot Windows with Secure Boot enabled, so that you can make the shortsighted Microsoft registry trick work, that performs the update of the Windows bootloader to their 2023 signed version but only when Secure Boot is enabled (which, again, pretty much defeats the whole point of being able to update Secure Boot bootloaders if your current bootloaders are screwed and you had to disable Secure Boot as a direct result). And then you can go back to removing the obsolete 2011 cert yet again from the DB, as well as adding it to revoked the DBX list.

And yes, I tried multiple reboots, as advertised, but only got the bootloaders when Windows was running in a Secure Boot enabled environment. So, congrats Microsoft! You have found a new innovative way to add an completely unnecessary hoop to a procedure that already requires jumping through a whole slew of them...

2026, where the 2011 certificate ceases to be valid altogether (and where Microsoft will be left with no choice but to make things work with the 2023 cert by default) really cannot come soon enough. Besides, if we're lucky, maybe Microsoft will have figured a KB5025885 that isn't full of holes by then...

@Meyers07
Copy link

Meyers07 commented Sep 20, 2024

Sooooo... from my testing, it appears that the installation of the Windows UEFI CA 2023 bootloaders described in KB5025885 only works if Secure Boot is enabled, which, if confirmed, is a brand new kind of stupid, even by Microsoft's standards.

What this means is that, if you happen to manually revoke the Microsoft Windows Production PCA 2011 outside of a Windows environment (because, I don't know, maybe you don't want a Windows UEFI bootloader vulnerability to be used to exploit your non-Windows system, or just want to proceed to your own DB/DBX updates in a UEFI environment) and then happen to install or reinstall (or even try to boot an existing) Windows on the same system, then instead of just being able to proceed with Secure Boot temporarily disabled, until the new 2023-signed bootloaders get installed, and you can just turn Secure Boot back on again, you are left with no choice but to reinstall the obsolete 2011 certificate in the Secure Boot DB, then boot Windows with Secure Boot enabled, so that you can make the shortsighted Microsoft registry trick work, that performs the update of the Windows bootloader to their 2023 signed version but only when Secure Boot is enabled (which, again, pretty much defeats the whole point of being able to update Secure Boot bootloaders if your current bootloaders are screwed and you had to disable Secure Boot as a direct result). And then you can go back to removing the obsolete 2011 cert yet again from the DB, as well as adding it to revoked the DBX list.

And yes, I tried multiple reboots, as advertised, but only got the bootloaders when Windows was running in a Secure Boot enabled environment. So, congrats Microsoft! You have found a new innovative way to add an completely unnecessary hoop to a procedure that already requires jumping through a whole slew of them...

2026, where the 2011 certificate ceases to be valid altogether (and where Microsoft will be left with no choice but to make things work with the 2023 cert by default) really cannot come soon enough. Besides, if we're lucky, maybe Microsoft will have figured a KB5025885 that isn't full of holes by then...

Easier and in short is that (according to pbatards own FAQ) consider Secure Boot being overrated (especially how Microsoft's attempt to fix the so called Blacklotus only closes the avenue of using non-stock Windows installations and even also Linux) and that if the user wants to install non stock OS (including using Rufus features and dual booting Linux) the user would have to turn Secure Boot off in order to make it work.

If Secure Boot is really necessary then consider turning it on only if additional booting operations that are manually supervised (like installing OS) aren't done. Especially how (apparently) secure boot can be toggled in an "in-place" OS installations without errors.

Blacklotus also requires physical access in order to exploit it though it is said that remote access (something that normally is not enabled) is possible.

Good thing that apart from Valorant, there's no mandatory Secure Boot requirement for running apps, including critical ones.

@pbatard
Copy link
Owner

pbatard commented Sep 20, 2024

(according to pbatards own FAQ) consider Secure Boot being overrated

Then you misread the FAQ. I'm not in any way saying that Secure Boot is overrated. The idea of being able to whitelist and/or blacklist bootloaders, and make sure that there is some accountability as to what bootloaders can get through by default is one that I am 100% behind. And that is essentially what Secure Boot is (or, as it should really be called, Bootloader Signature Enforcement, since I consider "Secure Boot" to be a promise that cannot really be delivered, as well as false advertisement, but in that case I am talking about the name and not the mechanism, because, as with any part of security matters, the best you can ever hope to do is mitigate rather that promise/imply an absolute).

What I am saying, however, is that Microsoft's unchallenged stewardship of the Secure Boot signing process has been disastrous, since Microsoft has been abusing and continues to abuse the power that was granted to them by the UEFI Forum (and I'm not talking only about their no GPLv3 Secure Boot signing stance - their T&C on who can download and redistribute UEFI DBX are also clear unwarranted abuse of power). We're not even really talking about BlackLotus remediation here, since default Secure Boot, on its own, should have been enough to filter out BlackLotus vulnerable bootloaders... had Microsoft not decided that they should have free reign with what they sign and apparently decided to release a new signed Windows UEFI bootloader every other week which, very expectedly, came to bite them right in the ass the entirely foreseeable day where it was discovered that all these bootloaders that were released prior to a certain date were vulnerable and needed to be revoked. Or maybe this is an illustration of abuse of power because, when you are a diligent steward, and you know that there (might) exist a ceiling to the number of bootloaders that can be revoked through the standard revocation mechanism of Secure Boot, you either limit the number of bootloaders you release, or you work with the UEFI Forum to expand on the revocation mechanism (and avoid everybody and their grandma to come up with their own version of SBAT, even if I have to concede that Microsoft's last entry here, that (ab)uses the DBX, has to be the one I prefer... though of course the only reason Microsoft are able to do that is because they are the only ones assured to have a KEK certificate that lets them update the DBX).

So, to reiterate my stance: I am 100% for Secure Boot (even if it's a misnomer). I'd like nothing more than everybody to use Secure Boot. But I am 100% against the signing process (and DBX update process) being in the hands of one entity who has demonstrated time and again, that they should not be left in control of it...

Also the requirement for physical access does not diminish the vulnerability. Else, you might as well say that having a lock screen on your phone is pointless, since it's "merely" a protection against physical access, and exploitation that requires physical access is not that dramatic (which I am interpreting as one of your argument).

@Meyers07
Copy link

(according to pbatards own FAQ) consider Secure Boot being overrated

Then you misread the FAQ. I'm not in any way saying that Secure Boot is overrated. The idea of being able to whitelist and/or blacklist bootloaders, and make sure that there is some accountability as to what bootloaders can get through by default is one that I am 100% behind. And that is essentially what Secure Boot is (or, as it should really be called, Bootloader Signature Enforcement, since I consider "Secure Boot" to be a promise that cannot really be delivered, as well as false advertisement, but in that case I am talking about the name and not the mechanism, because, as with any part of security matters, the best you can ever hope to do is mitigate rather that promise/imply an absolute).

What I am saying, however, is that Microsoft's unchallenged stewardship of the Secure Boot signing process has been disastrous, since Microsoft has been abusing and continues to abuse the power that was granted to them by the UEFI Forum (and I'm not talking only about their no GPLv3 Secure Boot signing stance - their T&C on who can download and redistribute UEFI DBX are also clear unwarranted abuse of power). We're not even really talking about BlackLotus remediation here, since default Secure Boot, on its own, should have been enough to filter out BlackLotus vulnerable bootloaders... had Microsoft not decided that they should have free reign with what they sign and apparently decided to release a new signed Windows UEFI bootloader every other week which, very expectedly, came to bite them right in the ass the entirely foreseeable day where it was discovered that all these bootloaders that were released prior to a certain date were vulnerable and needed to be revoked. Or maybe this is an illustration of abuse of power because, when you are a diligent steward, and you know that there (might) exist a ceiling to the number of bootloaders that can be revoked through the standard revocation mechanism of Secure Boot, you either limit the number of bootloaders you release, or you work with the UEFI Forum to expand on the revocation mechanism (and avoid everybody and their grandma to come up with their own version of SBAT, even if I have to concede that Microsoft's last entry here, that (ab)uses the DBX, has to be the one I prefer... though of course the only reason Microsoft are able to do that is because they are the only ones assured to have a KEK certificate that lets them update the DBX).

So, to reiterate my stance: I am 100% for Secure Boot (even if it's a misnomer). I'd like nothing more than everybody to use Secure Boot. But I am 100% against the signing process (and DBX update process) being in the hands of one entity who has demonstrated time and again, that they should not be left in control of it...

Also the requirement for physical access does not diminish the vulnerability. Else, you might as well say that having a lock screen on your phone is pointless, since it's "merely" a protection against physical access, and exploitation that requires physical access is not that dramatic (which I am interpreting as one of your argument).

Well to quote several lines of FAQ that i read:
"First, you might want to realise that a name is just that, a name, and that it's not because someone slaps a big "Secure" sticker onto a product or software, that it suddenly makes it any more secure."

"So, I must first stress out that, instead of being paranoid about it, you should come to terms with the fact that YOU are actually being manipulated with the terminology that Microsoft (and others) decided to use when they introduced Secure Boot because it was deliberately chosen to convey something that it cannot really deliver (See for instance the fiasco of Microsoft's Golden Key). Instead, Secure Boot should more accurately have been called Bootloader Signature Enforcement because that is really what (and only what) it does"

That's what i interpret as "overrated". No further discussion wished given that:
in short unless user's working with a factory-setting device with no intention of tampering or third-party modification, Secure Boot is best left on. Even then after using Rufus and setting the OS used in place it can be turned on if intended.
in short again: If want to use Rufus or dual boot or something, if it doesn't work, turn off Secure Boot if it doesn't work. If it already works, turn it back on whenever possible. It's all in the users discretion.

@pbatard
Copy link
Owner

pbatard commented Sep 21, 2024

Yes, I did explain above that, similarly to what I state in the FAQ, for one thing, the term "Secure Boot" is a manipulative misnomer and, as you appear to agree, one should not be afraid to temporarily disable Secure Boot if they have to (while following basic safety rules when doing so). That should not however be in any way construed as me stating that "Secure Boot is overrated", and I'm afraid that if you or someone else implies that I am saying the opposite of what I am actually saying, I am left with no choice but to strongly dispute that statement. Otherwise, if left undisputed, people may come to see it as tacit agreement.

In short, I have no problem if you or somebody else want to summarize the FAQ content on the subject as a statement that the terminology is manipulative or that the entity in control of the signing process has not proven worthy of such power. I do have a problem however if the FAQ content is being reduced to a blanket statement that is very misleading at best, especially if, as opposed to the FAQ, it doesn't make the distinction between the terminology and the technology.

@pbatard
Copy link
Owner

pbatard commented Sep 30, 2024

Just going to make a note that the new Windows UEFI CA 2023 signed Windows UEFI bootloaders can be found in \Windows\Boot\EFI_EX\ (as bootmgfw_EX.efi — I guess the KB5025885 registry trick simply picks anything _EX from this directory and removes the suffix when it installs the new bootloaders).

Sadly, Microsoft has still not reinstated bootmgfw.efi downloads from the symbol servers, even for the newly signed ones, which makes it difficult for Rufus to create bootable media that can work on systems that have gone though KB5025885 (though of course, even if we could replace the ISO bootloaders, we'd still be stuck after the WIM apply phase, as we'd reboot into old Microsoft Windows Production PCA 2011 signed bootloaders and get a Security Violation).

@Meyers07
Copy link

Meyers07 commented Oct 1, 2024

Just going to make a note that the new Windows UEFI CA 2023 signed Windows UEFI bootloaders can be found in \Windows\Boot\EFI_EX\ (as bootmgfw_EX.efi — I guess the KB5025885 registry trick simply picks anything _EX from this directory and removes the suffix when it installs the new bootloaders).

Sadly, Microsoft has still not reinstated bootmgfw.efi downloads from the symbol servers, even for the newly signed ones, which makes it difficult for Rufus to create bootable media that can work on systems that have gone though KB5025885 (though of course, even if we could replace the ISO bootloaders, we'd still be stuck after the WIM apply phase, as we'd reboot into old Microsoft Windows Production PCA 2011 signed bootloaders and get a Security Violation).

If you or somebody else (especially Linux system builder) could manage to apply the new signature/CA, that will be a good step toward keeping to use Rufus or non Ubuntu Linux in a secure boot environment. Only time will tell though as the clean ISO of 24H2 got released in the end of 2024/beginning of 2025.

@pbatard
Copy link
Owner

pbatard commented Oct 1, 2024

Only time will tell though as the clean ISO of 24H2 got released in the end of 2024/beginning of 2025.

This ISO has just been released to the general public today. And its bootloader is still signed using Microsoft Windows Production PCA 2011.

If you or somebody else (especially Linux system builder) could manage to apply the new signature/CA (...)

Well, of interest to us is that this ISO contains the \Windows\Boot\EFI_EX\ directories and the Windows UEFI CA 2023 signed bootloader in the sources\boot.wim and sources\install.wim image, so I guess that theoretically, Rufus could pick the updated bootloaders from there.

The BIG issue however, which is what I alluded to above, is that while replacing the \EFI\Boot\boot###.efi bootloaders on the media would be rather easy and would indeed allow booting to setup on a system where the Microsoft Windows Production PCA 2011 revocation has been enacted, you would still run into a Security Violation after setup has applied the image and reboots into the 2nd stage installer, because setup does not install the EFI bootloaders from the media, but instead it uses the ones from either boot.wim or install.wim, and will therefore pick the 2011 signed bootloaders.

And even if Rufus were to do something like modify the boot.wim image or install.wim image (to move all _EX content as prime content, so setup uses them when it installs the bootloaders on the target system), the minute the newly installed Windows receives a bootloader update, it would revert to the 2011-signed bootloaders unless we also apply the registry settings from KB5025885. In short, making sure that a Windows installation media works in the 2011-revoked environment would require some rather comprehensive involvement from Rufus (and massive wait times for the user if the bootloaders that setup installs come from install.wim rather than boot.wim, as mounting/modifying/unmouting a 5 GB image is a rather taxing operation).

That's not to say I'm not going to explore the possibility of doing something like this in Rufus. But it's unlikely to happen soon, and there are many factors that could make it a nonstarter...

@Wack0
Copy link

Wack0 commented Oct 1, 2024

mounting/modifying/unmouting a 5 GB image is a rather taxing operation

there's always wimlib, which is faster (no need to mount to extract from or modify files in a wim)

@pbatard
Copy link
Owner

pbatard commented Oct 2, 2024

Last time I checked, wimlib was pretty heavy for an executable that is very size conscious... For this reason, when a native Windows API exists, I always try to use the native API in Rufus.

At any rate, speed/perf optimization will have to come way after I check if it even makes sense to go all the way in on the 2011 cert revocation, as this is going to be a transient problem that will naturally solve itself anyway sometime in 2026 (or, hopefully, earlier), when Microsoft is no longer able to sign anything with their expired cert...

pbatard added a commit to pbatard/rufus-web that referenced this issue Oct 4, 2024
* This allows Rufus to perform SVN revocation checks on Windows UEFI bootloader per:
  pbatard/rufus#2244 (comment)
pbatard added a commit that referenced this issue Oct 5, 2024
* See #2244 (comment)
* Note that we don't use the GUID but the resource name for bootmgr.efi, as trying to figure
  out where the heck the relevant GUID is located in the PE code is not worth the effort.
* Also add internal fallback for sbat_level.txt if the user can't access our remote version.
* Also improve PE section lookup.
@pbatard
Copy link
Owner

pbatard commented Oct 5, 2024

Just going to point out that, thanks to @Wack0's excellent documentation of the new SVN feature in #2244 (comment), the next version of Rufus will perform Windows EFI bootmgr SVN validation and alert users in case Microsoft has revoked their bootloaders through an SVN DBX update.

Note that, since this is SBAT in disguise (and I actually wish SBAT followed suit with using GUIDs in DBX for SBAT, which I have to agree is the much better way to do blanket revocations), and since I already added SBAT revocation validation through an sbat_level.txt file I now maintain at https://rufus.ie/sbat_level.txt, I didn't bother dealing with the GUID themselves, but instead I'm (ab)using the SBAT product name to look for the specific Microsoft resource that contains the SVN in the bootloader. And yeah, cdboot and wdsmgfw can go to hell, since they don't use a resource, which is already a major pain to access, but I don't think I'll ever need to bother about those in Rufus.

Once again, major props to @Wack0 for providing the in-depth data I needed to add this feature.

@pbatard
Copy link
Owner

pbatard commented Oct 8, 2024

Sooooo, as I alluded to above, I'm currently experimenting with trying to create Windows installation media in Rufus that can work on systems where Microsoft Windows Production PCA 2011 has been revoked and only Windows UEFI CA 2023 is available.

The good news is I can get both the initial (USB) bootloader and the target disk (HDD/SDD) bootloaders to use Windows UEFI CA 2023 bootloaders.

The bad news is that, somehow the 2023-signed bootloader that the first stage installer installs onto the target disk is one that has an SVN of 0x20000, whereas the July DBX SVN update requires an SVN of 0x30000. Which leads us to the nice following screen when trying to reboot into the second stage installer:

svn_error

Security Error: Secure boot version check failed.
Your system security may be compromised!

Current version 2.0 - Minimum allowed version: 3.0
visit https://aka.ms/secure-boot-version-violation for more information.

Your system will shutdown in 10 seconds.

I guess the silver lining is that we finally know what the Microsoft SVN violation screen actually looks like.

And indeed, looking at the bootx64.efi that was installed, and checking its SVN (through Rufus' new SVN validation method), we do get 0x20000 for that bootloader... Unsurprisingly we also find that it was signed on 2024.03.29, i.e. way before Microsoft bumped the SVN.

So, first of all, the obligatory "WTF are you doing Microsoft? I know you wanna freeze stuff early for RTM, but when there's a bootloader vulnerability, that you have patched at least 2 months before GA, shouldn't you have used that timeframe to update the frigging bootloaders?"

And second, I find that I currently have no idea where the bootloaders Windows setup installs to the target partition come from when Windows UEFI CA 2023 is enabled. I thought they would come from boot.wim's Windows\Boot\ but the EFI\ bootmgfw.efi version there is signed with the 2011 creds, and the EFI_EX\ version has an SVN of 0x30000 so it's neither of those. And the same is true for install.wim...

So it looks to me like, when the installer detects that the media was booted through a Windows UEFI CA 2023 signed bootloader (or when it detects that Microsoft Windows Production PCA 2011 has been revoked) it does do the right thing of trying to install Windows UEFI CA 2023 bootloaders on its own. But where the heck it picks these bootloaders, if not from Windows\Boot\, I haven't got the foggiest clue right now, and without that data, I can't update Rufus to create proper Windows UEFI CA 2023 compatible installation media...

PS: Oh and in typical Microsoft fashion, the https://aka.ms/secure-boot-version-violation URL, that is referenced in the error screen, does not currently work...
PPS: For reference, the 2024.03.09 signed bootx64.efi bootloader that the first stage setup installs has a size of 2,756,232 bytes and an SHA-256 of 832f68ef8935a232e4f152f49a1310687b45c7903701819ad4a9776ea6443bb2.

@Wack0
Copy link

Wack0 commented Oct 8, 2024

I guess the silver lining is that we finally know what the Microsoft SVN violation screen actually looks like.
PS: Oh and in typical Microsoft fashion, the https://aka.ms/secure-boot-version-violation URL, that is referenced in the error screen, does not currently work...

I knew for months what it should look like, as I reversed this code. I assume that the URL will eventually work, probably closer to the enforcement phase, whenever that will be. nice to see a screenshot though.

And second, I find that I currently have no idea where the bootloaders Windows setup installs to the target partition come from when Windows UEFI CA 2023 is enabled

It should come from windows\boot of whatever install.wim index got installed (different indexes can have different versions). Setup DLLs call bootsvc!BfsServiceBootFilesEx passing %installdrive%:\windows\boot as first arg, bcdboot.exe also has its own copy of the same code.

@wogwaeb
Copy link

wogwaeb commented Oct 8, 2024

Windows Setup detects 26100.1 Windows UEFI CA 2023 and applies bootmgfw_EX.efi.

I remmber the error message and find at hard disk additonal files
$Windows.~BT\Sources\Boot\EFI_EX\bootmgfw_EX.efi.
$Windows.~BT\Sources\SafeOS\winre.wim|\Windows\Boot\EFI_EX\bootmgfw_EX.efi.

And at the USB stick there is
\sources\install.wim[N]\windows\system32\Recovery\Winre.wim
Setup extract winre.wim from install.wim, copy winre.wim to the hard disk, extract bootmgfw_EX.efi, and copy bootmgfw.efi.

Well, is this a temporarily error only?
Are there new *.ISO files, if Windows UEFI CA 2023 is enabled in the future?

Editing all install.wim[N]winre.wim does work, adding a current bootmgfw_EX.efi.
This takes resources and time to build. Both install.wim and inucluded winre.wim contains SVN 3.0 at local fixed install.wim
26100.1 and 26100.1742 installation does finish at a Windows UEFI CA 2023 machine today.

However imagine a SVN 4.0 update in the future.
Update EFI\Boot\bootx64.efi to SVN 4.0 then. Start a new installation.
Next the today fixed install.wim will fail, security boot errror 4.0.

What to do in future? Some random ideas:
Does the manufacturer offers a SVN4.0 then? Download the new ISO and build a new USB boot media?
Edit the install.wim\windows\boot[N]winre.wim\windows\boot, include a SVN4.0 bootmgfw_EX.efi?
Create a unattended approach, upgrade UEFI Partition, copy \EFI\Boot\bootx64.efi from the just booted media?
However this is may get unexpected errors, imagine two hard disks with UEFI Partitions

There is a UEFI CA 2023 copy file list as for Windows PE for the Windows ADK.
However language files are not part of this list, it's a for Windows ADK.
https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/winpe-create-usb-bootable-drive?view=windows-11

Thanks for the bootmgrsecurityversionnumber resource hint.
Resource Hacker list this number.

A boot*.efi security version number SVN view at Rufus would be nice to have.

@Wack0
Copy link

Wack0 commented Oct 8, 2024

What to do in future?

All updates would need to be applied to the install.wim, including WinRE "Windows Safe OS Dynamic Update", using dism/etc.

@pbatard
Copy link
Owner

pbatard commented Oct 8, 2024

@wogwaeb, thanks for the info.

And at the USB stick there is \sources\install.wim[N]\windows\system32\Recovery\Winre.wim

Yup, that's the one. Boot\EFI_EX\bootmgfw_EX.efi has the same SHA-256.

Meaning that direct patching the install media in Rufus for 2011 revocation is a non-starter because, even if patching a single indexed image was acceptable in terms of speed, doing it sequentially for 11 indexes is not going to fly (since, AFAIK, the Windows APIs do not offer the option to update all indexes at once). Besides, since MS forgot to update the EFI_EX/ file from Winre.wim, it would become very brittle hoping that the source we replace them with, which has to come from outside Wimre.wim, is always going to be the better choice.

However imagine a SVN 4.0 update in the future.
Update EFI\Boot\bootx64.efi to SVN 4.0 then. Start a new installation.
Next the today fixed install.wim will fail, security boot errror 4.0.

Which is pretty much what we have today, because it all boils down to revocation (the source of the revocation, be it DBX, SBAT, SVN being completely irrelevant) and you simply cannot install Windows from scratch, by simply extracting the official Windows 11 24H2 ISO content to a drive (as one would expect to be able to do), on a system that has been properly updated for all known (and fixed) Secure Boot vulnerabilities that have been officially revoked, and that has Secure Boot enabled. And indeed, if an existing installation media contains vulnerable bootloaders, it should fail through whatever revocation is most appropriate (and users should complain to the OS manufacturer to release an installation source that uses updated bootloaders).

So, yeah, when vulnerabilities are addressed and bootloaders get revoked, then installation media created from source data that was released prior to a fix should fail. What's not acceptable however is having an OS manufacturer, that has had updated bootloaders, and that knows that a fully up to date system will prevent vulnerable old bootloaders to boot though revocation, not releasing an installation media that uses these fixed bootloaders (even if they have to release 2 versions of the OS, with one for people who have applied the revocations, and one for those who haven't).

Sadly, Microsoft are far from being alone here, with, for instance, the current CentOS Stream 9 producing a Security Violation on account of up to date SBAT revocation, because they still haven't updated their 2023 image even after being aware of the bootloaders they use being vulnerable and are being revoked.

Create a unattended approach, upgrade UEFI Partition, copy \EFI\Boot\bootx64.efi from the just booted media?

Which is going to be a pain, because there's a bunch of corollary files that Microsoft adds to the ESP (localization and stuff), and that might require updating too in case the updated bootloaders need 'em. And I'm not sure we don't also need to update the target system's Windows\Boot\EFI(_EX)\ directories in case the user runs commands that reinstalls the bootloaders (which they should be able to to without breaking their system) in case the 2011-signed content is being picked from EFI\ (and this content is protected even for Admin, so you need to go through ACL to take ownership first). And yeah, working with the actual target ESP is likely to be a pain, but in my view not because we might need to take care of systems with multiple ESPs, but because, as a general rule, Windows makes it incredibly painful to work with ESP content and I'm also not sure we'll be able to get away with doing this in the offlineServicing pass, which seems to be the only pass that'd be suitable...

A boot*.efi security version number SVN view at Rufus would be nice to have.

I'll consider it, but it may only be produced with a non-default verbose option, as, to be fair with that feature, we'll also want to report the SBAT levels we detect from shim and grub bootloaders, and, as long as we do report revocation, this kind of information will be of limited use to the vast majority of users...

pbatard added a commit that referenced this issue Oct 8, 2024
… 24H2 _EX versions

* This aims at creating installation media that is compatible with systems where
  'Microsoft Windows Production PCA 2011' has been revoked.
* Doesn't work, since the bootloaders being applied by the first stage installer come
  from \sources\install.wim[#]\windows\system32\Recovery\Winre.wim[#]\Windows\Boot\
  (instead of \sources\boot.wim[#]\Windows\Boot\ as one would naturally expect) and
  Microsoft botched the ones they included there by using completely vulnerable (and
  therefore revoked) ones.
  See #2244 (comment).
* Still, I sure haven't gone through this excruciating ACL bullshit for nothing, so
  you get an experimental option, behind the expert mode curtain.
@pbatard
Copy link
Owner

pbatard commented Oct 9, 2024

I'll just add that Microsoft were just so close to do things right if they hadn't botched the bootloader files they included in Winre.wim:

From first stage C:\$Windows.~BT\Sources\Panther\setupact.log:

2024-10-08 16:14:22, Info                  SP     >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2024-10-08 16:14:22, Info                  SP         SideLoadHandler: Side-loaded C:\$Windows.~BT\Sources\bootsvc.dll (DLL name bootsvc.dll).
2024-10-08 16:14:22, Info                  SP         CUpdateBootCode::DoExecute: Disk is not encrypted or bitlocker is already suspended
2024-10-08 16:14:22, Info                  SP         BFSVC: ServiceBootFiles MuiOnly:n Res:y Fonts:y BootMgrOvw:n BootStatOvw:n DbgTrn:y SuspendBDE:n Offline:n
2024-10-08 16:14:22, Info                  SP         BFSVC: Using files signed with 2023 cert, because 2011 PCA is revoked
2024-10-08 16:14:22, Info                  SP         BFSVC: Using source OS version a000065f40001
2024-10-08 16:14:22, Info                  SP         BFSVC: Unable to open file \\?\GLOBALROOT\Device\HarddiskVolume7\EFI\Microsoft\Boot\bootmgfw.efi for read because the file or path does not exist
2024-10-08 16:14:22, Info                  SP         BFSVC: Copying boot files CopyBootManager(Yes) C:\$WINDOWS.~BT\Sources\Boot\EFI -> \\?\GLOBALROOT\Device\HarddiskVolume7\EFI\Microsoft\Boot 
(...)

So, per BFSVC: Using files signed with 2023 cert, because 2011 PCA is revoked Microsoft did design the 24H2 bootloader installation process to detect if the 2011 cert was revoked and switch to the the 2023 signed files... only to completely undo this whole effort by embedding revoked versions of the 2023 signed files to the one place where it mattered.

@Wack0
Copy link

Wack0 commented Oct 9, 2024

I think the MS bug here is using the boot files from winre, rather than the ones from the install.wim image. I wonder if this is a side-effect of setting up the winre boot entry?

Anyway, the expected method of updating winre is this: https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/add-update-to-winre?view=windows-11

Unfortunately at least some of the safeos dynamic updates appear to not contain bootmgfw_ex, great job MS.

I wonder if just running bcdboot after setup would use the correct files?

@pbatard
Copy link
Owner

pbatard commented Oct 13, 2024

Just a quick note to mention that Rufus 4.6 BETA (as well as the release) will display SBAT/SVN info when USB Debug (Alt-.) is enabled.

You will therefore see something like (Win11_24H2_English_x64.iso):

UEFI Secure Boot revocation checks:
• /bootmgr.efi
  Signed by: Microsoft Windows Production PCA 2011
  SVN version: 3.0
• /efi/boot/bootx64.efi
  Signed by: Microsoft Windows Production PCA 2011
  SVN version: 3.0

or something like (ubuntu-24.10-desktop-amd64.iso):

UEFI Secure Boot revocation checks:
• /EFI/boot/bootx64.efi
  Signed by: Microsoft Corporation UEFI CA 2011
  SBAT: sbat,1
  SBAT: shim,4
  SBAT: shim.ubuntu,1
• /EFI/boot/grubx64.efi
  Signed by: Canonical Ltd. Secure Boot Signing (2022 v1)
  SBAT: sbat,1
  SBAT: grub,4
  SBAT: grub.ubuntu,2
  SBAT: grub.peimage,2
• /EFI/boot/mmx64.efi
  Signed by: Canonical Ltd. Secure Boot Signing (2022 v1)
  SBAT: sbat,1
  SBAT: shim,4
  SBAT: shim.ubuntu,1

Obviously, since this can produce a lot of extraneous output if there are a few bootloaders being checked, I don't want to have this info displayed outside of additional verbose logging. But it's there if you fancy it.

@pbatard
Copy link
Owner

pbatard commented Nov 19, 2024

Since this is tangent to what we are discussing here, I'll just mention Microsoft's introduction of Secured-core PCs that are required to have the 3rd Party UEFI Certificate to be disabled by default (which is also highlighted in this Lenovo Notice). Not entirely new, since that's what Microsoft have on their own devices, like Surface, but, even as Microsoft officially targets this at "financial, healthcare, and government agencies", it's bound to start to creep into regular userland...

No idea if these PCs also remove the PCA 2011 cert from the Secure Boot database by default, which they should also do if Microsoft doesn't want to come as two-faced in terms of their alleged championing of security in Secured-core PCs but my guess is that, if it isn't specified as an explicit requirement, then they probably don't...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests