
Is secure boot redundant? - treyX
So I have a general understanding of how secure boot works but I just read the paper on the LOJAX rootkit and that made me wonder: if the UEFI provides a way for users to add their own keys to sign EFI binaries, what prevents a malicious author from manually deleting the KEK keys and replacing them? Wouldn&#x27;t that make the whole concept of secure boot useless?
======
wmf
Before adding new keys you have to go into setup mode which should be
impossible to do programmatically. So in theory malware cannot add keys.

