TPM 2.0 Devices and remediation of CVE-2023-24932 (Black Lotus) UEFI / Secure Boot Vulnerability. - Help for those with "Known Issues"


140 means Windows hasn't performed the pending UEFI changes. In theory a reboot (or two) should clear the value eventually to 0 (no pending changes).
OK, I was having issues with the BIOS settings. Upon going into my BIOS and enabling "custom mode" I was able to get to a value of 0x100 via an administrator CMD prompt. Multiple restarts via Shutdown /r /t 0 or manually (with a minimum 10 min wait between, just to make sure) made no difference; I was always hung up on 0x100.
I monitored Event Viewer in "Windows Logs" --> "System" and I keep seeing error 1797:
Code:
The Secure Boot update failed as the Windows UEFI CA 2023 certificate is not present in Db
This is what Microsoft says about this error in regards to these mitigations:
Code:
This event is logged during an attempt to add the Microsoft Windows Production PCA 2011 certificate to the UEFI Secure Boot Forbidden Signatures Database (DBX). Before adding this certificate to the DBX, a check is made to ensure that the Windows UEFI CA 2023 certificate has been added to the UEFI Secure Boot Signature Database (DB). If the Windows UEFI CA 2023 has not been added to the DB, Windows will intentionally fail the DBX update. This is done to ensure that the device trusts at least one of these two certificates, which ensures that the device will trust boot applications signed by Microsoft. When adding the Microsoft Windows Production PCA 2011 to the DBX, two checks are made to ensure the device continues to boot successfully: 1) ensure that Windows UEFI CA 2023 has been added to the DB, 2) Ensure that the default boot application is not signed by the Microsoft Windows Production PCA 2011 certificate.
This persistent error, despite my best efforts, has me coming back to this paragraph in Microsoft's original guidance (how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932):
Code:
TPM 2.0-based systems: These systems that run Windows Server 2012 and Windows Server 2012 R2 cannot deploy the mitigations released in the July 9, 2024 security update because of known compatibility issues with TPM measurements. The July 9, 2024 security updates will block mitigations #2 (boot manager) and #3 (DBX update) on affected systems.

Microsoft is aware of the issue and an update will be released in the future to unblock TPM 2.0-based systems.

To check your TPM version, right-click Start, click Run, and then type tpm.msc. On the bottom-right of the center pane under TPM Manufacturer Information, you should see a value for Specification Version.

Where do we go from here? It seems to me that MS and OEMs etc. have intentionally blocked the mitigations due to the timing PCR banks of TPM 2.0 systems. Well, I did some digging...
I am considering 3 options and would love the community's support with advice on the security of these routes, feasibility, practicability etc.
(This is a rough draft and I'm open to any and all variations, please! :-) ):

#1
I found a GitHub repo with guidance on how to manually apply the keys via direct BIOS / UEFI modification (PK, DB, KEK, DBx) required for the "Windows UEFI CA 2023" certificate and Secure Boot to work properly @
OpenCore-and-UEFI-Secure-Boot .

It involves other software, but I believe the process would still apply with some tweaking. Yet without knowing, or having any further guidance to hope to understand, why TPM 2.0 systems are currently blocked from mitigations, I am apprehensive to do such things and cause problems for my system.

#2
Make my own Custom PK
and not have to bother with Microsoft / Dell / TPM specs etc. to fix them for me. This is probably what I would prefer? (open to criticism and thoughts). Another guide on good ol' GitHub, link ....
SecureBootPolicyTools

#3
Upgrade to Win 11
MS Update says I am eligible, but I don't think software will fix a hardware / firmware issue? Maybe I am wrong. I seem to remember seeing fixes for both Win 10 and 11 everywhere I looked. Besides, the Known Issues section does not list "upgrade to Win 11" as a solution to ANY of the known issues...

#4
I thought I had 4 but I can't remember it now, :oops:

Thanks again!
Re-run the PowerScript script to confirm UEFI CA 2023 wasn't installed. If MS has blocked your BIOS from updates, it's probably for a good reason, instead of manually installing the new DB certificate. If this PC (or motherboard) was from a name-brand company, contact their support and find out if there's something going on with this model.
Code:
Secure Boot: ENABLED

UEFI DB Certificates
--------------------
        Microsoft Corporation UEFI CA 2011
        Microsoft Windows Production PCA 2011

UEFI DBX Certificates
---------------------
        Microsoft Windows PCA 2010

I have a machine by Dell. My experience with them is they try to upsell you to $85 support services if you are over 1 yr old (I'm at 5). I will call them tomorrow though and see what I can dig up.
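The precondition quoted from Microsoft above (the 2023 CA must be in DB before the PCA 2011 revocation lands in DBX) and the DB/DBX listing in this post can both be checked read-only from an elevated PowerShell session. This is an added example, not a script from the thread or from Microsoft; the cmdlets are the standard SecureBoot module ones, and the list of certificate subjects it searches for is an assumption assembled from the names that appear in this thread.

```powershell
# Added example: read-only Secure Boot state check for the CVE-2023-24932 mitigation steps.
# Run from an elevated PowerShell window; nothing here writes to firmware or the registry.

# Assumption: subject strings to look for, taken from the names mentioned in the thread.
$subjects = @(
    'Microsoft Corporation UEFI CA 2011',
    'Microsoft Windows Production PCA 2011',
    'Microsoft Windows PCA 2010',
    'Windows UEFI CA 2023'
)

function Get-UefiVarSubjects {
    param([ValidateSet('db', 'dbx')][string]$Variable)
    # DB/DBX hold EFI signature lists with DER-encoded X.509 certificates and hashes.
    # The certificate subject is readable as ASCII inside the DER blob, which is enough
    # for a presence check without a full ASN.1 parse.
    $ascii = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Variable).Bytes)
    $subjects | Where-Object { $ascii -match [regex]::Escape($_) }
}

"Secure Boot enabled : $(Confirm-SecureBootUEFI)"
"DB  contains        : $((Get-UefiVarSubjects 'db')  -join ', ')"
"DBX contains        : $((Get-UefiVarSubjects 'dbx') -join ', ')"

# Pending mitigation steps are tracked as a bitmask in AvailableUpdates; 0 means nothing pending.
# The poster was stuck at 0x100.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$pending = (Get-ItemProperty -Path $key -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
'AvailableUpdates    : 0x{0:X}' -f [int]$pending

# The check Windows performs before the DBX update: refuse it while the 2023 CA is absent from DB,
# so the machine still trusts at least one Microsoft boot-signing certificate.
$dbHas2023 = (Get-UefiVarSubjects 'db') -contains 'Windows UEFI CA 2023'
if (-not $dbHas2023) {
    Write-Warning 'Windows UEFI CA 2023 is not in DB; the DBX revocation step will keep failing (Event ID 1797).'
}

# Most recent occurrences of the error the poster saw in the System log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1797 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

On the machine described in this thread the DB line would list only the two 2011 certificates and the warning would fire, which matches the 1797 events and the stuck 0x100 value.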