by andrewnicolalde
2232 days ago
Hmmm, is it theoretically possible to sign the Windows bootloader (?) with your own custom keys to ensure that someone couldn't just fire up a stock Windows image? Though I'm not sure what sort of management challenges that would present if Microsoft ever decided to update their bootloader. Looking at the Microsoft documentation, doing this with SecureBoot could be pretty complicated: https://docs.microsoft.com/en-us/windows-hardware/drivers/br...
> "Windows boot components: BootMgr, WinLoad, Windows Kernel Startup. Windows boot components verify the signature on each component. Any non-trusted components will not be loaded and instead will trigger Secure Boot remediation."
Plus, you would need to add some kind of check to verify that it's actually booting your image, or else the attacker could just copy your bootloader files.