UEFI Restricted Boot No Longer Valid for Security, Keys Leaked

Dr. Roy Schestowitz

2013-04-07 19:30:26 UTC
Modified: 2013-04-07 20:01:45 UTC

As much about security as multimedia DRM

Drip

Summary: Antitrust offences with UEFI restricted boot can no longer be defended as an act of enhancing security because keys are leaking

A Fedora developer was the first to embrace Microsoft's restricted boot, so Fedora was usually ahead of the curve when it comes to it and it shows.

Torvalds criticised Red Hat for complicity with Microsoft [1, 2] after he had slammed restricted boot as something that would not improve security. He was right. Keys were inevitably leaked, leaving UEFI restricted boot (which former Novell/SUSE developers too helped promote) in a position where it is only an antitrust issue and nothing to do with computer security, just protectionism. As one new article puts it, the "Linux Lawsuit Shines Uncomfortable Light on UEFI Standard" and a Restricted Boot proponent leads with this news about UEFI signing keys getting leaked:

A hardware vendor apparently had a copy of an AMI private key on a public FTP site. This is concerning, but it's not immediately obvious how dangerous this is for a few reasons. The first is that this is apparently the firmware signing key, not any of the Secure Boot keys. That means it can't be used to sign a UEFI executable or bootloader, so can't be used to sidestep Secure Boot directly. The second is that it's AMI's key, not a board vendor - we don't (yet) know if this key is used to sign any actual shipping firmware images, or whether it's effectively a reference key. And, thirdly, the code apparently dates from early 2012 - even if it was an actual signing key, it may have been replaced before any firmware based on this code shipped.

But there's still the worst case scenario that this key is used to sign most (or all) AMI-based vendor firmware. Can this be used to subvert Secure Boot? Plausibly. The attack would involve producing a new, signed firmware image with Secure Boot either disabled or with an additional key installed, and then to reflash that firmware. Firmware images are very board-specific, so unless you're engaging in a very targeted attack you either need a large repository of firmware for every board you want to attack, or you need to perform in-place modification.

Now we know that UEFI restrictions had nothing to do with security and eventually became just a competition barrier. Rather than cracking we are seeing leaking as the end of UEFI restricted boot's (or 'secure' boot's) reputation. ⬆

Links 16/03/2026: Moscow Experiencing Cellphone Internet Outages, "Salman Rushdie Is Tired of Talking About Free Speech": Links for the day
Debian is Dying for Some of the Same Reasons IBM's Fedora is Rapidly Dying: Prioritising CoC censorship, not communities
2026 Microsoft Layoff Rumours: Surely if we had properly-functioning media, then someone would investigate this rather than rely on official statements from Microsoft and WARN notices
Microsofters' SLAPP Censorship - Part 13 Out of 200: Abuse of Process to Make False Accusations of UKGDPR Violations: familiar barrister and same lawyers
Today's Discussions About How IBM Pushes Workers Out: The corporate media keeps trying - baselessly and in vain - to paint everything that happens with the "hey hi" brush
Linux Teck (linuxteck.com) and Ubuntu PIT (ubuntupit.com) Are Botspam: now they just keep experimenting by trashing their sites and reputation
Links 16/03/2026: Arctic Security and 'Mr. Nobody Against Putin': Links for the day
Gemini Links 16/03/2026: KN95 Skins and CSS Surprises: Links for the day
The Register MS is Again Femmewashing GAFAM (Which Makes Widows) in Exchange for Money: This is a moral issue because they betray or harm women and prop up authoritarian regimes
Gemini Links 16/03/2026: AB 1043, Lagrange Android Beta 47, and Poetry: Links for the day
"Slop-forking" or "Vibe-forking" as the New 'Noble' Plagiarism: New Cloudflare Slop Project?
EPO "Cocaine Communication Manager" - Part VII - Cult Mentality, Mobbing, Nepotism: Does the EPO actually believe in the law?
EPO Strike This Week: contact your national representatives about it
Gemini Links 15/03/2026: "Create Opportunities for Good Things to Happen", DOSbook, and Bitcoin Criticism: Links for the day
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Sunday, March 15, 2026: IRC logs for Sunday, March 15, 2026
Pirate Praveen Arimbrathodiyil & Debian denouncing volunteers, hiding romances: Reprinted with permission from Daniel Pocock
Links 15/03/2026: WB Games Montréal Undergoes Layoffs, "Swiss Reject Cuts to Public Broadcasting": Links for the day
Gemini Links 15/03/2026: Messages in Bottles and Audio Streaming in Lagrange for Android: Links for the day
Thrown Under the Microsoft Bus: Microsoft wants disposable contractors
Quitting IBM and "Rumors of an Upcoming RA [Mass Layoffs] in April 2026": Blue layoffs or "RAs" were confirmed upfront by the CFO
GNU/Linux Distro Builders Barely Paid Enough to Pay Basic Bills, Chief of "Linux" Foundation (Not Even Using Linux!) Increases His Own Salary by Over 50% in 5 Years: Salaries or compensation correlate with the ability to exploit people, not to create things
What Puts the Brakes on GNU/Linux Adoption on Laptops and Desktops is Monopoly Control (or Monoculture) Over the Distros: Distros that adopt systemd are controlled by IBM and GAFAM
The "Zero-Sum" Fallacy: Fallacies like "zero-sum" - especially in the context of foreign affairs including war - are utterly ruinous
A Happy Birthday to Richard Stallman: Richard Stallman will turn 73
Jürgen Habermas is Dead, But the Politicised, Inherently Corrupt, Corporatised Court for Patents That He Inspired Is Not: In the news throughout the weekend
Mountains of Abuses of Process by Brett Wilson LLP on Behalf of Americans and Sometimes at the Expense of British Taxpayers: a virtual "limited liability"
linuxteck.com FUD by LLM Slop, ubuntupit.com Passes the Slop Baton: Unless they get back to doing long-form authentic articles, as opposed to slop, no good will come out of it
Links 15/03/2026: New Shortages, Lynx Populations Depletion: Links for the day
Sruthi Chandran & Debian Diversity, Favoritism, Hidden Conflicts of Interest: Reprinted with permission from Daniel Pocock
software in the public domain: Reprinted with permission from Alex Oliva
Links 15/03/2026: Slop "Bubble Driving Interest in Chip Alternatives" and Wildlife Erosion Reported: Links for the day
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Saturday, March 14, 2026: IRC logs for Saturday, March 14, 2026
Layoffs in Twitter, Facebook, and Microsoft's LinkedIn: There are silent layoffs at Microsoft this month
We Don't Depend on Google and Don't Care for Google: We have our own site search and we don't depend on Google to bring visits/visitors to us
Change of Address at the Hired Guns, Address Removed: Companies tend to alter their 'shell structure' in anticipation of major action
Facebook Layoffs Due to Enormous Debt, Nothing to Do With "Hey Hi" Slop: The lies about "hey hi" in relation to layoffs will only contribute to further public resentment towards: 1) the media and 2) all the slop.
The Good IBM Managers Have Flown Away, All That's Left is the Book-Cooking Loyalists: IBM is just cheating the SEC and shareholders. This seems to be the only thing IBM's management is nowadays good at.
Microsofters' SLAPP Censorship - Part 12 Out of 200: Months Ahead of Serial Strangler From Microsoft Who Helped Double the Lawsuits (Funded by Third Parties) as 'Revenge' for Exposing Crimes: In 2024 I sat down and wrote about what had been done to me and to my wife
Crime Comes in Many Forms: apparently the SRA is OK with stranglers of women in America bullying the media in the UK
commandlinux.com, linuxteck.com, linuxiac.com, and linuxsecurity.com are Slopfarms With "Linux" in Their Domain Name: once readers realise they read slop they immediately lose interest
Links 14/03/2026: Adoption of Slop Has Killed BuzzFeed, Russia Sees "Economic Gain From Iran War": Links for the day
Patriotism is Conditional, If It's Unconditional, Then It's Like a Cult: My love for Software Freedom is only as strong as my love for Freedom of the Press
Links 14/03/2026: Mass Layoffs at Facebook ('Meta') and Sweeping Layoffs at Twitter (xAI), Social Control Media and Slop Are Only Debt: Links for the day
Wrong Time, Wrong Place (Digg): Kevin Rose and Alexis Ohanian can relaunch Digg.com, but we doubt it'll work "this time for real!"
Universities Became Bad Places for Work: What happened to academia?
Reporting New and Suppressed Information is What Journalism is All About: In the domain of Free software, there are very few sites out there that offer exclusive coverage on community affairs and there are many gagging/censorship attempts
The Limits of Speech and the Rationale of Limitations: it seems to be part of an international trend
Over at Tux Machines...: GNU/Linux news for the past day
IRC Proceedings: Friday, March 13, 2026: IRC logs for Friday, March 13, 2026
Gemini Links 14/03/2026: Goodness, AD534 Multiplier Module, and Extroverts Online: Links for the day

UEFI Restricted Boot No Longer Valid for Security, Keys Leaked

Recent Techrights' Posts