Solar Designer wrote:
Hi,
Corey's message is confused and there's no indication in it whether the
system was compromised, so that part doesn't need further discussion,
but as a moderator I don't mind someone explaining Linux's (and other
systems') exposure of the EFI variables and DFCI and what it means for
security as well as what it does not.
While he is definitely somewhat confused, he claims at the start to have
detected a compromise, but does not give details about the indications
that led him to that conclusion.
As far as I can tell from a quick perusal, (landing at
<URL:https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Scenarios/DfciScenarios/>)
it seems that DFCI "Zero Touch" is actually tightly bound to Microsoft
cloud services, and there is supposed to be a local option to remove the
zero touch certificate (thus disabling it more-or-less permanently) if
DFCI is not in use on the machine. The example implies that the UEFI
configuration tool ("BIOS setup") should provide this option.
-- Jacob
