@EddieH, thanks much.
@somethingc00l, I would half-agree, but creating your own PK on Windows, then knowing how to apply it by obtaining and signing the KEK, DB, and DBx manually are quite the ordeal. If EVGA had their own PKI that was not released to subcontractors, unlike AMI, we could rest more assuredly that we don't need to spend weeks just to use our systems pretty safely. It could be put off indefinitely for those not overly concerned, or until we have time/done incrementally.
Microsoft's DG/CG readiness tool fails the HSTI blob test, and says NX protector and SMM mitigation is disabled. This might be ok for the average noob, as they prevent booting to anything but the OS drive and outdated or poor drivers may not function, but an option to enable them under Security options should exist. PAE/DEP is on for the OS, but not protected for the subsystem. This opens the door for reboot-to-UEFI-shell vectors (Win10's "reboot to system firmware option" is an example), as well as sleep-vectors, to program the EFI partition or the embedded firmware itself. The former does so on reboot, the latter takes advantage of the wake-up subroutine.
http://www.uefi.org/sites...-%20Securing%20SMM.pdf

If I recall correctly, MS enabled DG/CG support for some consumer editions of Creators Update and it was already in the IoT Anniversary Edition. It's something to watch; trusted computing is the last major hurdle in ITsec for all OS types and on track to be a part of everyday computing. Making it noob friendly is what is currently in-the-works.
I'd love to see EVGA address all this and market themselves as the leaders in modern security and usability. They could go so far as to describe potential concepts, one being building a home "mainframe" for gaming, IoT services, and media, aka a NAS++, using microATX and miniITX mobos, and even hold contests for people to build and describe them. Could bring with it a more profound sense of company prestige and a wider "tinkering" market (it's fun to do more than game or overclock when you get bored and know you can). They don't need to provide direct support if expensive, perhaps just offer a collection of links to MSDN's extensive library and the UEFI organization's PDFs. All ideas to increase market share.
post edited by Anewbis - 2017/06/09 14:13:31
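A check for the point above about owning the PK, added here as an example and not part of the original post: this PowerShell snippet (assumes the built-in SecureBoot module on Windows 10, run from an elevated prompt) parses the PK, KEK, db and dbx variables and lists whose certificates and hashes are enrolled, so you can confirm whether the PK is your own or the vendor/AMI default before and after replacing it.

```powershell
# Added example (not from the original post): enumerate the Secure Boot
# PK, KEK, db and dbx variables and list the signers in each. Run elevated.
# Layout per UEFI spec: EFI_SIGNATURE_LIST = SignatureType GUID (16 bytes),
# SignatureListSize (4), SignatureHeaderSize (4), SignatureSize (4),
# optional header, then entries of SignatureOwner GUID (16) + SignatureData.
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-SecureBootSigners {
    param([Parameter(Mandatory)][ValidateSet('PK','KEK','db','dbx')][string]$Name)
    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        $type     = [guid][byte[]]$bytes[$offset..($offset+15)]
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        $end      = $offset + $listSize
        # Stop on a malformed list rather than reading past the buffer.
        if ($listSize -lt 28 -or $sigSize -le 16 -or $end -gt $bytes.Length) { break }
        $pos = $offset + 28 + $hdrSize
        while ($pos + $sigSize -le $end) {
            $owner = [guid][byte[]]$bytes[$pos..($pos+15)]
            $data  = [byte[]]$bytes[($pos+16)..($pos+$sigSize-1)]
            if ($type -eq $EFI_CERT_X509_GUID) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $desc = "X509 $($cert.Subject) thumb=$($cert.Thumbprint)"
            } elseif ($type -eq $EFI_CERT_SHA256_GUID) {
                $desc = 'SHA256 ' + (($data | ForEach-Object { $_.ToString('x2') }) -join '')
            } else {
                $desc = "type=$type ($($data.Length) bytes)"
            }
            # SignatureOwner is the GUID of whoever enrolled the entry; your own
            # PK should show your GUID and subject, not the board vendor's.
            [pscustomobject]@{ Variable = $Name; Owner = $owner; Entry = $desc }
            $pos += $sigSize
        }
        $offset = $end
    }
}

"Secure Boot enabled: $(Confirm-SecureBootUEFI)"
'PK','KEK','db','dbx' | ForEach-Object { Get-SecureBootSigners -Name $_ } | Format-Table -AutoSize
```

The dbx on a current system holds thousands of SHA256 entries, so pipe through `Where-Object Variable -ne 'dbx'` if you only care about the PK/KEK/db signers.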