Our great sponsors
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
The write-up I saw suggests that revoking the Windows bootloader would cause existing install and restore images to fail to boot even with Secure Boot disabled because it checks its own signature, which would be pretty amazing if true: https://github.com/Wack0/CVE-2022-21894
A new mechanism called SBAT (https://github.com/rhboot/shim/blob/main/SBAT.md) is now used to allow revocation of groups of bootloaders rather than individual hashes in order to mitigate the resource consumption
https://github.com/hardenedvault/bootkit-samples
The short-term solution for workaround is to protect the OS runtime. Otherwise you'd have to build the defense-in-depth at very infrastructure level from scratch with hardware, firmware and OS with attestation service not only based on the "confidential computing" but typically TCG's trusted computing.