
SEDutil works with Windows 11 #43

Open
ChubbyAnt opened this issue Jul 11, 2022 · 5 comments

Comments

@ChubbyAnt
Owner

TLDR -> SEDutil works fine with Windows 11 if the PC is secure boot capable and you have secure boot disabled.

I thought that Windows 11 would not work with SEDutil due to the "secure boot requirement." This is not the case.

It turns out that to install Windows 11 the PC needs to be "secure boot capable" - but, secure boot does not need to be enabled to install Windows 11.

@love2scoot

This is great news! I haven't walked through this yet, is there any requirement for a custom Win11 installer (RUFUS) or can a vanilla Win11 ISO be used on a machine with secure boot simply turned off?

@ChubbyAnt
Owner Author

I YOLO'd the Windows 11 upgrade from Windows 10 and it just worked. I have not tried a clean install yet.

@lcizzle

lcizzle commented Jan 19, 2024

Sorry to drag this up again. I don't know all the details but why can't the PBA use one of the bazillion UEFI Shims out there?

Ventoy, for example, supports UEFI. You just have to import the key on first boot, and the PBA works through this with Secure Boot on. It looks like there isn't a technical hurdle in the way, since the PBA and Rescue both function perfectly with Secure Boot on through a 3rd-party shim.

I wouldn't really question this kind of thing but some of the apps I use actually require Secure Boot on to function.

Open-source POC here: https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk

Microsoft also provides UEFI signing to projects.

@lcizzle

lcizzle commented Jan 19, 2024

Dang, I'm stupid. I can just do the whole setup and not install the PBA. Then run the PBA image from Ventoy/USB and unlock the drive that way with Secure Boot enabled. Probably safer that way as well, since there won't be any PBA attack vector on the system to try and brute-force.

@Blacklands

Blacklands commented Jan 19, 2024

Just one comment: One advantage of having a PBA on the drive's Shadow MBR is that the PBA is in a place that is read-only (enforced by the drive itself). So someone can't just come along and modify it. And you're automatically carrying it with you with the drive, nothing else needed.
(Not that there aren't many other attack vectors, of course.)

But yeah, Secure Boot is better to have since it protects a bunch more parts of the whole chain, right?
It would be neat if some sedutil fork got their PBA signed so it would just work with Secure Boot...
