If you use your computer with secure boot enabled, you should read this item, immediately! It appears that many PC vendors shipped devices with a 12-year-old PK key that was leaked in 2022, so on those computers, secure boot is essentially useless (much like putting a note on your front door that says “The door’s locked, and the key is under the door mat.”).
In the article, there’s a link to a scanning tool on Binarily’s website to scan your EFI/BIOS firmware to determine whether it’s vulnerable (uses the leaked PK key). To do this, if you don’t have a copy of your computer’s UEFI/BIOS firmware, follow these generalized steps:
- Reboot your computer, and while the POST screen is visible, note the UEFI/BIOS version number (usually at the bottom left or right of the screen).
- Go to your computer vendor’s website, and navigate to the support section, then navigate to the drivers download page for your computer model. There should be a UEFI/BIOS item in the list of drivers and firmware. Download the package that matches the version number you got from your computer’s POST screen.
- Open the linked article (above), and click the link to the “free scanning tool”.
- Click the “Upload a firmware binary to check for PKfail” link in the box near the top of the page.
- Navigate to where you downloaded/have the firmware file on your computer and click it to have it scanned,
After the scan finishes, you will be told whether your firmware’s vulnerable. If it is, return to where you downloaded the firmware file that matches your currently installed firmware version to see if a newer version is available. If so, download it, and install it according to the instructions provided by your computer vendor.
I hope this is helpful to others,
Ernie