Did you manually update your Secure Boot Keys ?

Thank you @garlin. Very concise answer.

The following is probably as clear as mud, but I have always been of the understanding that Black Lotus could enter a device through the uefi if that device either did not use secure boot OR the revocations were not active in secure boot.. Once through, BL can do any and all kinds of things (depending on how a BL hacker designs his hack), including alter the bootloader or gain direct access to a users files. Basically anything he could do if he were sitting in from of the computer.

I did not read it that Black Lotus made any changes to the area of Uefi bios that is reserved for the revocations to be written that prevent the hacker from entering the system through secure boot. I did read that if infected by BL, and the bootloader was changed that the machine would not boot. The bootloader is on the drive, not anywhere in bios. I saw nothing in the NSA advisory that indicated once a machine was infected by BL, that the machine would have to be replaced, only that the bootloader could be changed and the data on the machine could be compromised.

As for as the revocations themselves, I DID read that once they were written to this special reserved area of uefi bios, they were there forever and would come into play once secure boot was turned on for that device.

If any, all, or none of my understanding is correct, can you explain (in small words) how this would necessitate either replacing the mobo or the entire device if one gets this malware. I see it only that Windows would compromised and/or unbootable.

I may be completely wrong. I am quite often.

My understanding is you don't have to replace the PC, by revoking CA 2011. So in effect you're leaving BL inside the UEFI, but disabling its right to carry out actions since it doesn't own a valid cert any more.

I'm not an UEFI expert, but I think you don't really "erase" old content out of the UEFI but can supersede it with newer versions of the same, or install new files.

My main PC acquired the 2023 upgrade automatically - it hasn't been clean-installed since W10 days. It thus shows this

Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Windows UEFI CA 2023
Microsoft UEFI CA 2023

My other 3 W11 24H2 PCs did not have the 2023 upgrade, and all had been clean-installed to 24H2 over the last 9 months. I've now updated them following the instructions in the first post, but they now show this

Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Windows UEFI CA 2023

What is the "Microsoft UEFI CA 2023" and why does only one PC have it?

Windows Production is reserved for signing normal Windows boot files.

(Non-Windows) version is for MS provided EFI apps, and 3rd-party bootloaders. This allows 3rd-parties (ie. Linux) to piggyback on MS's work without having to negotiate with PC makers to install their own certificates.

Some UEFI BIOS updates from PC or motherboard makers may have added the certs themselves, since MS distributed them to their PC partners. The complete set of MS cert files have been released on GitHub, so Linux folks can use them.

Both of my clean install Win11 Pro in March show up the update as already done.

And how would one know if you were infected with Black Lotus-like malware?

cheaterslick said:

And how would one know if you were infected with Black Lotus-like malware?

Click to expand...

I suspect the short answer is... "you don't".

cheaterslick said:

And how would one know if you were infected with Black Lotus-like malware?

Click to expand...

One of the ESET versions can detect Black Lotus. Otherwise you're stuck trying to examine the EFI files for evidence of tampering.

Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign | Microsoft Security Blog
Redirecting

gunrunnerjohn said:

I suspect the short answer is... "you don't".

Click to expand...

Talk about something being out-of-sight, out-of-mind.

lol

so .. there is a security feature that was forced onto all systems 'secure boot' by Microsoft
to improve all and every systems security.

but .. secure boot can become infected with malware that is virtually undetectable unless you disable secure boot.

that brings into question is 'secure boot' secure or is it better security not to have secure boot.
Microsoft moves in mysteries ways.

best of luck, Steve ..

It's a difficult conundrum.

It's neither difficult nor a conundrum. If you don't have Secure Boot, worse things than this are possible. People can pick locks and kick in doors, but I still lock my doors at night.

Updated and confirmed using the commands above. Thanks.

pseymour said:

It's neither difficult nor a conundrum. If you don't have Secure Boot, worse things than this are possible. People can pick locks and kick in doors, but I still lock my doors at night.

Click to expand...

I certainly agree, I was just poking fun at the comment.

It's six months to Armageddon.

MS has known about this for years and years and only now is working on how to get average users through the process. The only thing they have is a guide that requires someone skilled and comfortable with reg hacks and somewhat risky commands to implement - highlighted by the "prepare a bootable recovery USB stick before doing this". FWIW, people in this forum are not average users.

IMO, this is a colossal cluster mistake. I'll be shocked if MS pulls this off without hundreds of thousands if not millions of very unhappy users with unbootable machines.

Levitate11 said:

It's six months to Armageddon.

MS has known about this for years and years and only now is working on how to get average users through the process. The only thing they have is a guide that requires someone skilled and comfortable with reg hacks and somewhat risky commands to implement - highlighted by the "prepare a bootable recovery USB stick before doing this". FWIW, people in this forum are not average users.

IMO, this is a colossal cluster mistake. I'll be shocked if MS pulls this off without hundreds of thousands if not millions of very unhappy users with unbootable machines.

Click to expand...

Repeating the point, this is the "opt in" phase for large companies and IT admins. Everyone else will be silently upgraded next year.

Now's the time for MS to identify all the weird "corner cases" and make the process as robust as possible. You can still turn off Secure Boot, and have your system work again.

As usual, @garlin says politely what I want to say impolitely.

pseymour said:

As usual, @garlin says politely what I want to say impolitely.

Click to expand...

No surprise.

garlin said:

Repeating the point, this is the "opt in" phase for large companies and IT admins. Everyone else will be silently upgraded next year.

Now's the time for MS to identify all the weird "corner cases" and make the process as robust as possible. You can still turn off Secure Boot, and have your system work again.

Click to expand...

My point is that MS has known this was an upcoming issue for a decade. Now, with a year left to go, they are finally working on it. Shameful, borderline negligent, and likely to result in many business and user difficulties.

While turning off secure boot is a possibility, I don't agree that that's a viable solution. My data security is just as important to me as a Corporation's is to it. In fact, the Corporation is much more likely to be able to absorb a hit than I am. On top of that, that average-user has no idea how to turn off Secure Boot - even if they knew they needed to do it.

MS should have gotten this rolling a long time ago.

I do have a specific question about this. I've been trying to find accurate hard-core information about after making the changes to UEFI and Secure Boot et al. has the process of creating installable media via USB for Windows 11 24H2 changed? That is using tools such as Rufus and/or Microsoft's Media Creation Tool (MCT).

Please post useful web links if relevant.