SiSyPHuS Win10: Analysis - Secure Boot Configuration Policy

The objective of this work package is to identify the root cause of a security issue that allows malicious actors to use a Secure Boot Configuration Policy (SBCP) to disable critical Windows integrity verification processes.

Table of Contents

1 Introduction
1.1 Summary (German)
1.2 Executive Summary
1.3 Concept and Terms
2 Technical Analysis
References
Abbreviations

Summary

The SBCP is a Secure Boot entity that stores critical Windows settings. These settings are read and processed by the Windows boot manager to control different aspects of the Windows system, for example the enforcement of integrity verification at system startup. The Windows boot manager is a Windows component involved in the operating system's boot process. This work package therefore describes the process by which the Windows boot manager reads and processes the SBCP when Windows 10 is started.

The integrity and authenticity of the SBCP are verified based on a digital signature, which must be issued by Microsoft. The SBCP may therefore be considered a Microsoft- or Windows-specific entity. Making a valid, Microsoft-signed SBCP that can disable security-relevant Windows boot settings available to third parties poses a security risk, because malicious actors may deploy such a policy on targeted Windows platforms. The issue documented here is the consequence of such a scenario; that is, the root cause of the issue is not an implementation or design flaw, but the fact that a valid, Microsoft-signed SBCP that can disable critical Windows integrity verification processes has been made available to third parties.
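Because the root cause is a leaked, validly signed policy rather than a code defect, the practical defensive question is whether the SBCP currently applied to a machine is the one the operator expects. The following PowerShell audit is an added example and is not part of the BSI report; it uses the built-in SecureBoot module cmdlets Confirm-SecureBootUEFI and Get-SecureBootPolicy, which report the Secure Boot state and the Publisher GUID and Version of the active policy. The baseline publisher and version values are assumptions: they are placeholders that must be replaced with values recorded once from a trusted reference machine.

```powershell
# Added example (not from the SiSyPHuS report): audit the Secure Boot
# Configuration Policy (SBCP) applied to this Windows 10 machine and compare
# it against a known-good baseline. Run in an elevated PowerShell session on
# a UEFI system; the SecureBoot module ships with Windows.
#
# ASSUMPTIONS: $BaselinePublisher and $BaselineVersion are placeholders. Record
# them from a trusted reference machine (Get-SecureBootPolicy) and replace them.
param(
    [string]$BaselinePublisher = '00000000-0000-0000-0000-000000000000',  # placeholder
    [int]$BaselineVersion      = 0                                         # placeholder
)

function Get-SbcpAuditResult {
    $result = [ordered]@{
        SecureBootEnabled = $null
        PolicyPublisher   = $null
        PolicyVersion     = $null
        MatchesBaseline   = $false
        Findings          = @()
    }

    # Step 1: is Secure Boot actually enforcing at firmware level?
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        # Legacy BIOS, or no access to UEFI variables (not elevated).
        $result.Findings += "Confirm-SecureBootUEFI failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    if (-not $result.SecureBootEnabled) {
        $result.Findings += 'Secure Boot is disabled; firmware-level verification of the boot chain is off.'
    }

    # Step 2: which SBCP did the boot manager apply? Publisher is a GUID,
    # Version an integer; both come from the active policy.
    $policy = Get-SecureBootPolicy
    $result.PolicyPublisher = $policy.Publisher.ToString()
    $result.PolicyVersion   = [int]$policy.Version

    # Step 3: compare with the recorded baseline. A mismatch means a different,
    # but still Microsoft-signed, policy is in effect and should be investigated.
    $result.MatchesBaseline = ($result.PolicyPublisher -ieq $BaselinePublisher) -and
                              ($result.PolicyVersion -eq $BaselineVersion)
    if (-not $result.MatchesBaseline) {
        $result.Findings += ("Active SBCP (publisher {0}, version {1}) differs from baseline; " +
                             "check whether a non-default signed policy has been deployed.") -f
                             $result.PolicyPublisher, $result.PolicyVersion
    }

    [pscustomobject]$result
}

Get-SbcpAuditResult | Format-List
```

The script deliberately does not decide which policies are "good": a leaked policy carries a valid Microsoft signature, so signature validity is not a useful signal. Deviation from an organisation's own recorded baseline is the signal, and the Findings field is what a monitoring agent would forward.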