10 Mar 2023 08:29
As I remember, Microsoft used different keys to sign the Windows bootloader and shim. In BlackLotus's approach, after the vulnerable Windows bootloader writes the BlackLotus key to the MOK, it uses a healthy MS-signed shim to replace the vulnerable Windows bootloader, loading the BlackLotus MOK to load BlackLotus's grub2. So the firmware must include two Microsoft signing keys. A lot of machines meet this condition, except Microsoft Surface, because Microsoft only put the signing key of the Windows bootloader in Surface machines. So fewer keys is safer. Just removing one of the Microsoft keys from db can prevent BlackLotus, as long as your firmware allows you to drop it.
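Before deciding whether a machine is in the "two Microsoft keys" situation described above, it helps to actually enumerate what the firmware's db contains. The following is an added example written for this page, not code from the thread or from any project it mentions: a small parser for the EFI_SIGNATURE_LIST structures that make up db/dbx on Linux (read from efivarfs, whose first four bytes are variable attributes), printing the type, owner GUID and SHA-256 fingerprint of every entry, plus the certificate subject when the optional `cryptography` package is installed. On a typical PC you would expect to see both "Microsoft Windows Production PCA 2011" (signs the Windows bootloader) and "Microsoft Corporation UEFI CA 2011" (signs shim and other third-party binaries) in the output. The efivarfs path, the sample "certificates" (which are not real DER) and the `build_sample_db` helper are assumptions or constructed data so the script can run offline; it never writes to the firmware, and removing an entry still requires your firmware's setup UI or a KEK-signed update, as the comment notes.

```python
"""List the X.509 certificates and hashes in a UEFI Secure Boot signature
database (db or dbx) to see which Microsoft CAs the firmware trusts.

Added example; not from the original thread. The EFI_SIGNATURE_LIST layout is
from the UEFI spec; the sample data below is constructed, not a real db."""
import hashlib
import struct
import uuid
from pathlib import Path

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db / dbx
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumed efivarfs mount point
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
# SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize
HEADER = struct.Struct("<16sIII")


def fingerprint(data):
    return hashlib.sha256(data).hexdigest()


def cert_subject(der):
    """Subject DN via the optional 'cryptography' package; None if unavailable
    or if the bytes are not a parseable certificate."""
    try:
        from cryptography import x509
        return x509.load_der_x509_certificate(der).subject.rfc4514_string()
    except Exception:
        return None


def parse_signature_lists(blob):
    """Walk consecutive EFI_SIGNATURE_LIST structures and return one dict per
    EFI_SIGNATURE_DATA entry. Malformed input raises ValueError instead of
    being silently truncated, so a corrupt variable is not misread as empty."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError(f"truncated list header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        if list_size < HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= 16:  # must hold at least the 16-byte SignatureOwner GUID
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        start = off + HEADER.size + hdr_size
        end = off + list_size
        if (end - start) % sig_size:
            raise ValueError(f"signature area not a multiple of SignatureSize at {off}")
        for p in range(start, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[p:p + 16])
            data = blob[p + 16:p + sig_size]
            entries.append({
                "type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(owner),
                "data": data,
                "fingerprint": fingerprint(data),
                "subject": cert_subject(data) if sig_type == EFI_CERT_X509_GUID else None,
            })
        off += list_size
    return entries


def build_signature_list(sig_type, owner, items):
    """Serialize one EFI_SIGNATURE_LIST (empty SignatureHeader) from entries
    of equal size, all attributed to the same SignatureOwner."""
    sizes = {len(i) for i in items}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must have the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + i for i in items)
    return HEADER.pack(sig_type.bytes_le, HEADER.size + len(body), 0, sig_size) + body


def read_efivar(name):
    """Payload of db or dbx from efivarfs; the first 4 bytes are attributes."""
    raw = (EFIVARS / f"{name}-{EFI_IMAGE_SECURITY_DATABASE_GUID}").read_bytes()
    return raw[4:]


def build_sample_db():
    """Constructed stand-in for a db: two 'certificates' (not real DER) from
    one owner, then one SHA-256 hash entry. Only for running offline."""
    owner = uuid.UUID(int=1)  # constructed owner GUID
    certs = build_signature_list(EFI_CERT_X509_GUID, owner,
                                 [b"constructed-cert-A", b"constructed-cert-B"])
    hashes = build_signature_list(EFI_CERT_SHA256_GUID, owner,
                                  [hashlib.sha256(b"some-binary").digest()])
    return certs + hashes


if __name__ == "__main__":
    try:
        blob = read_efivar("db")  # needs efivarfs and read access
    except OSError:
        blob = build_sample_db()
    for e in parse_signature_lists(blob):
        print(e["type"], e["owner"], e["fingerprint"][:16], e["subject"] or "")
```

Run it as root on a UEFI Linux host to list db; with no efivarfs it falls back to the constructed sample. Each real X.509 entry normally sits in its own list because SignatureSize is fixed per list, which is why the builder refuses mixed sizes. PK and KEK live under a different variable GUID (EFI_GLOBAL_VARIABLE) and are not covered by `read_efivar`, but the same parser applies to their payload.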