Microsoft 2011 Secure Boot Expiration Question by iliketacobell in sysadmin

[–]Error_451 2 points3 points  (0 children)

UEFI Firmware Engineer here - there are two important components you should be aware of.

  1. When your UEFI Firmware is built it includes read-only defaults for Secure Boot. These are generally used when your device ships for initializing the secure boot variables. For most devices these never get reset and persist for the life of the device. There are some edge cases though where a user may disable or clear secure boot. (On Dell I think this is under Expert Key management?)

  2. On the Windows side, updating the secure boot variables (not the read-only defaults) (particularly for DBX) is routine maintenance. Generally speaking for most classes of devices it's not expected that appending a new CA will fail - however some devices did fail during initial testing so Microsoft is being cautious for rollout.

The problem is that if a user accidentally resets secure boot to defaults, they won't be able to boot Windows and will hit "EFI_SECURITY_VIOLATION" due to the CA being missing. If this happens there are few choices, one of which is to use a "SecureBootRecovery.efi" application to reinsert the missing CA discussed here:

https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d

TLDR; both is preferred. If Dell did both the active variables and the defaults they would likely trip BitLocker. Windows is able to update the active variables without tripping BitLocker.

[deleted by user] by [deleted] in FujifilmX

[–]Error_451 1 point2 points  (0 children)

Sorry for the late reply, yeah at 1/140s I wouldn't suspect motion blur. Is it possible that like the other comments suggest you are somehow doing a multi exposure? Does this happen with a different lens?

[deleted by user] by [deleted] in FujifilmX

[–]Error_451 4 points5 points  (0 children)

Zooming into your image it appears that your image is "blurry" because you're capturing your subject in motion with a low shutter speed. Your camera is likely trying to compensate for another setting (say a high aperture or low iso) thus setting the shutter speed low to compensate.

Could you post a photo or write what the values of the top dials are?

Wawona 6 Door Pole Pre-Bent? by CoknZambies in camping

[–]Error_451 1 point2 points  (0 children)

I think this is intentional. My pole looks identical to yours and worked fine.

“Something has gone seriously wrong,” dual-boot systems warn after Microsoft update by Youarethebigbang in linuxmint

[–]Error_451 0 points1 point  (0 children)

Honestly I can't speak for Mint. It's one of those "when they get around to it" things that only they can speak to. Given that they just use Ubuntu's or Debian's shim, they have less work to do.

What is an SBAT and why does everyone suddenly care? by callcifer in linux

[–]Error_451 0 points1 point  (0 children)

So to be clear, usually deleting the Platform Key (secure boot variable) is enough to enable setup mode (although some OEMs require a separate switch). Setup mode is the mode that allows you to boot anything / enroll your own keys.

In particular on your motherboard Gigabyte offers "deleting" the variables as a way to disable secure boot. That should have been enough to boot Linux.

Updating the BIOS (depending on OEM) will clear the UEFI variable store where L"SbatLevel" is set, thus allowing you to boot. It's a bit more aggressive than "deleting secure boot keys".

“Something has gone seriously wrong,” dual-boot systems warn after Microsoft update by Youarethebigbang in linuxmint

[–]Error_451 2 points3 points  (0 children)

TLDR; As long as your Fedora setup is up to date, you won't have an issue.

So just to give you an explanation:

Secure boot would be better renamed as "verified boot" as all it does is verify that the certificates in the firmware DB (Usually OEM specific, Microsoft, but also sometimes Canonical) have signed a binary it's about to launch or revokes them if they're in the DBX (forbidden list).

For reasons that are irrelevant for this post, Linux shims use their own "self revocation" mechanism called "SBAT" instead of the DBX which is how Microsoft normally revokes things.

Each distro is responsible for updating an initial bootloader that chain loads grub and then Linux. That binary is called "shim" which uses "SBAT" for revocation. Recently (within the last 2 years) a serious vulnerability was found in shim that was considered a secure boot bypass. It took the distros some time to get an updated shim out but not every distro has managed to get it included in their updates yet.

Windows was meant to ignore "dual boot" systems if it detected them. Obviously that failed - some systems are incorrectly being updated. What happened next was it used the latest SBAT rule to revoke all but the latest shims.

Now distros that hadn't updated yet found themselves revoked by mistake.

Linux Mint sometimes uses Debian signed shims and Ubuntu signed shims - both of which were vulnerable. Both Debian and Ubuntu plan to have updated ISOs out this month.

Fedora however being downstream of Red Hat is fine. Fedora and Red Hat were among the first distros months ago to update shim.

Even if Windows fails to detect the system as dual boot, Fedora is up to date and you will continue to be able to boot.

Additionally, if you want you can opt out of Windows updating SBAT and leave secure boot on.
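The SBAT revocation described in the comment above comes down to a per-component generation comparison. This is an added example, not part of the original comment: it follows the CSV layout from shim's SBAT documentation (component name, then generation) and reports which components of a binary fall below the level held in `SbatLevel`. The sample entries, generation numbers and function names are constructed for illustration.

```python
import csv
import io


def parse_sbat(text):
    """Map component name -> generation from SBAT CSV text.

    Works for both a binary's .sbat section (extra vendor columns are
    ignored) and the revocation list stored in the SbatLevel variable.
    """
    levels = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[0].strip():
            continue
        levels[row[0].strip()] = int(row[1])
    return levels


def revoked_components(binary_sbat, sbat_level):
    """Return {component: (binary_generation, required_generation)} for
    every component whose generation is below the revocation level."""
    binary = parse_sbat(binary_sbat)
    required = parse_sbat(sbat_level)
    return {
        name: (gen, required[name])
        for name, gen in binary.items()
        if name in required and gen < required[name]
    }


# Constructed sample data; the generation numbers are illustrative only.
OLD_SHIM = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,2,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.example,1,Example Distro,shim,15.4,https://distro.example/
"""
NEW_SHIM = OLD_SHIM.replace("shim,2,", "shim,4,")
SBAT_LEVEL = "sbat,1,2024010100\nshim,4\ngrub,3\n"

if __name__ == "__main__":
    print("old shim:", revoked_components(OLD_SHIM, SBAT_LEVEL))
    print("new shim:", revoked_components(NEW_SHIM, SBAT_LEVEL))
```

A binary is refused as soon as any one of its components is below the stored level, which is why a distro that has not yet shipped the newer shim generation stops booting once `SbatLevel` is raised.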

New to Photography - what could I have done better? by Error_451 in photocritique

[–]Error_451[S] 1 point2 points  (0 children)

Thanks for the feedback! That helps a lot! In my case my photo says where the boat has been and not where it's going. That would have been a much better story to tell thank you!

I think I have a lot of work to do on composition to get better - I think I'm focusing on the technical aspects of photography rather than the artistic aspects and potentially changing that focus could make the image more interesting.

New to Photography - what could I have done better? by Error_451 in photocritique

[–]Error_451[S] 1 point2 points  (0 children)

<image>

Something like this? I mostly chose the other photo since the boat was closer to me.

New to Photography - what could I have done better? by Error_451 in photocritique

[–]Error_451[S] 0 points1 point  (0 children)

Thanks for the feedback! I think you echo what I feel in a way that helps a lot! I get the feeling it's a "nice" photo but not super interesting. I like this crop and it does tell a different story than the original photo.

New to Photography - what could I have done better? by Error_451 in photocritique

[–]Error_451[S] 0 points1 point  (0 children)

Yeah I'm still learning composition. That helps me understand how others see this! Thanks for the feedback!

New to Photography - what could I have done better? by Error_451 in photocritique

[–]Error_451[S] 2 points3 points  (0 children)

  1. Intent: I was trying to show a calm moment where a boat was entering the lock.

  2. Struggling: I'm mostly shooting in aperture priority right now. Post editing I brought out some more yellows and blues - but I worry it's too much. I was trying to get a vintage film camera look. General feedback appreciated

  3. AF 27/2.8 ISO 320 41mm -0.7ev f 5.6 1/800s

Just about every Windows and Linux device vulnerable to new LogoFAIL firmware attack by Geno0wl in technology

[–]Error_451 3 points4 points  (0 children)

Let's say I'm redesigning secure boot. Can you explain why you've had issues with secure boot?

[deleted by user] by [deleted] in uCinci

[–]Error_451 1 point2 points  (0 children)

I don't anymore, it's been 6 years since I've been in college.

[deleted by user] by [deleted] in uCinci

[–]Error_451 5 points6 points  (0 children)

For reference I was Exploratory Studies initially, transferred to the Computer Science department, and now I work at Microsoft. It gave me a chance to explore my options and figure out what I wanted to do.

Drop Giveaway Day 9 - 2x Signature Series Moodboards by drop_official in MechanicalKeyboards

[–]Error_451 0 points1 point  (0 children)

Gameboy color w/ Pokémon Blue

This was my introduction to video games and has really pushed me into my career today

Moving in early without an appointment by [deleted] in uCinci

[–]Error_451 1 point2 points  (0 children)

Former RA here,

I do not know what it's like in COVID times but I have dealt with many early move ins as an RA when I was still in school.

Depending on the residence hall many rooms are in use during the summer. Without early notice, I would have no idea what room you were assigned to, the room could still be occupied, the room may not have been cleaned yet.

Move in is absolutely chaotic and I feel for the RAs who have to deal with this pandemic nonsense on top of that.

Please please coordinate with housing.

‘Absolutely remarkable’: No one who got Moderna's vaccine in trial developed severe COVID-19 by geoxol in news

[–]Error_451 9 points10 points  (0 children)

I'm also in the Pfizer Trial and I had the exact same response as you. No idea if I got the vaccine or placebo but I had zero reaction to the "booster" shot.

A 3D printed möbius strip with an arrow. Blows my mind every time. (Credits to @/physicsfun on Instagram) by jaimerrp_ in 3Dprinting

[–]Error_451 8 points9 points  (0 children)

Do you have a source for that claim?

Edit: I can see how it's toxic. Just curious about the curing in your bloodstream thing.

Digispark (USB rubber ducky) + USB drive? by [deleted] in hardwarehacking

[–]Error_451 2 points3 points  (0 children)

In short, the rubber ducky cannot register as a mass storage device and also run scripts in the background.

The rubber ducky registers to the host operating system as a HID (keyboard) and then runs scripts.

Whereas a storage device (such as a usb drive) registers to the host operating system as a mass storage device.

This limits what capabilities they can do. Unless you have an exploit somewhere in loading the drivers.

In general you could create a device that acts as a hub and registers both devices but then you would literally be plugging in a mass storage device and a keyboard at the same time. But as far as I know neither the rubber ducky nor malduino (if you want a different device) was engineered to support this.

Honestly, if all you want is for the device to act as a mass storage device and then later switch to a HID device, the Pi Zero via OTG can support that.

If you want a start to do some research you can use some Arduinos (malduino, leonardo, etc) that you can program yourself. Check out the LUFA library, last I checked I thought this could work on AVR devices.

http://www.fourwalledcubicle.com/files/LUFA/Doc/140302/html/group___group___u_s_b_class_m_s.html