Your PC's critical security certificates may be about to expire - how to check
Briefly

"Every Windows PC designed and built since 2011 supports a feature called Secure Boot. This feature, which is on by default on new PCs sold with Windows 10 and Windows 11, acts as a gatekeeper that allows only trusted software to run at startup. If someone tries to tamper with the operating system or boot from an alternate device, Secure Boot blocks that attempt."
"Secure Boot relies on a chain of cryptographic certificates that check each boot component to see whether it's properly signed. One of the most important certificates is the Key Exchange Key (KEK), which sits in the UEFI firmware and works with the Trusted Platform Module (TPM) to manage the list of trusted bootloaders, which are contained in the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX)."
Secure Boot protects modern Windows and many Linux distributions by allowing only cryptographically signed boot components to run. The mechanism uses a chain of certificates in UEFI firmware, including the Key Exchange Key (KEK), the Allowed Signature Database (DB), and the Forbidden Signature Database (DBX), with TPM support for key management. Microsoft Production CA and UEFI CA certificates are part of the trust chain. Many PCs built since 2011 contain Microsoft KEK and UEFI CA certificates from 2011 that are slated to expire in June 2026. Updating those certificates requires access to the Platform Key managed by the OEM. Most users will be fine if systems receive OEM and OS updates.
Read at ZDNET
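
The summary above names the KEK and DB variables and the 2011 certificates that expire in June 2026. As an added example (not from the ZDNET article or from Microsoft), the PowerShell below parses those UEFI variables and lists each X.509 certificate with its expiry date. It assumes an elevated PowerShell session on a UEFI Windows PC; the function name `Get-SecureBootCertificate` is hypothetical.

```powershell
# Added example: list the X.509 certificates stored in Secure Boot variables.
# Assumes an elevated session on a UEFI system; the function name is hypothetical.
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootCertificate {
    param([Parameter(Mandatory)][string]$Name)

    [byte[]]$data = (Get-SecureBootUEFI -Name $Name).Bytes
    [int]$offset = 0
    while ($offset + 28 -le $data.Length) {
        # EFI_SIGNATURE_LIST header: type GUID, list size, header size, entry size
        $type = [guid]::new([byte[]]$data[$offset..($offset + 15)])
        [int]$listSize = [BitConverter]::ToUInt32($data, $offset + 16)
        [int]$hdrSize  = [BitConverter]::ToUInt32($data, $offset + 20)
        [int]$sigSize  = [BitConverter]::ToUInt32($data, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $data.Length) {
            throw "Malformed signature list in '$Name' at offset $offset"
        }
        # Hash-only lists (typical in dbx) are skipped; only X.509 lists are decoded.
        if ($type -eq $X509Guid -and $sigSize -gt 16) {
            [int]$entry = $offset + 28 + $hdrSize
            [int]$end   = $offset + $listSize
            while ($entry + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: 16-byte owner GUID, then the DER certificate
                [byte[]]$der = $data[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable = $Name
                    Subject  = $cert.Subject
                    NotAfter = $cert.NotAfter
                    DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
                }
                $entry += $sigSize
            }
        }
        $offset += $listSize
    }
}

if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled.' }
'KEK', 'db' | ForEach-Object { Get-SecureBootCertificate -Name $_ } |
    Sort-Object NotAfter | Format-Table -AutoSize
```

Entries whose `NotAfter` falls in 2026 are the ones the article is about; a system that has already received the replacement certificates will show newer entries alongside them.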