←back to thread

Intel OEM Private Key Leak: A Blow to UEFI Secure Boot Security

(securityonline.info)
658 points transpute | 6 comments | 06 May 23 17:39 UTC | HN request time: 0.001s | source | bottom
Show context
thathndude ◴[06 May 23 18:46 UTC] No.35844191[source]
This was always a dumb idea. No different than a “master” TSA key. All it does is create a single point of failure.
replies(5): >>35844335 #>>35844411 #>>35844581 #>>35845052 #>>35845754 #
rvba ◴[06 May 23 20:22 UTC] No.35845052[source]
It was a genius idea - you cannot install Windows 11 on an old computer. So you need to buy a new one.

Monopoly practice hidden as security.

replies(2): >>35845255 #>>35846509 #
1. tredre3 ◴[06 May 23 20:51 UTC] No.35845255[source]
This has nothing to do with TFA, you're thinking of the TPM2.0 which is unrelated to secure boot.

Secure Boot is part of UEFI. TPM2.0 is used only by bitlocker (at least for the average person, enterprises do store other keys in it).

replies(3): >>35846471 #>>35847307 #>>35847332 #
2. mixmastamyk ◴[06 May 23 23:47 UTC] No.35846471[source]
Oh, should I disable TPM2?
replies(1): >>35847271 #
3. SturgeonsLaw ◴[07 May 23 02:17 UTC] No.35847271[source]
The TPM2 spec allows it to do much more than just hold private keys, it can act as a device identifier for attestation. If that's something you care about, then you might want to disable it.

The fact that Windows 11 won't work without a TPM is a bonus.

replies(1): >>35854988 #
4. Hawxy ◴[07 May 23 02:25 UTC] No.35847307[source]
> TPM2.0 is used only by bitlocker

This isn't true at all, Windows Hello uses it as a secure credentials store.

5. Dalewyn ◴[07 May 23 02:30 UTC] No.35847332[source]
Windows 11's system requirements include both SecureBoot and TPM2, so yes it is in fact relevant.
6. mixmastamyk ◴[07 May 23 19:51 UTC] No.35854988{3}[source]
Guess I'm only worried about it being used against me. Don't know enough about any threats it might enable.