LENOVO:PS500067-NOSID
Jan 23, 2017 - 12:00 a.m.

Certain BIOS versions may include an AMI Test Key that could compromise Secure Boot protections - lu

2017-01-23 00:00:00
support.lenovo.com
EPSS: 0 (Percentile: 5.1%)

Lenovo Security Advisory: LEN-7806

Potential Impact: Secure boot may be compromised by an attacker with local access

Severity: High

Scope of Impact: Lenovo-specific

Summary Description:

Secure Boot is a security standard to help make sure that your PC boots using only trusted software. When the PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs) and the operating system. If the signatures are good, the PC will boot into the trusted operating system.

A test certificate or “test key” was mistakenly included in the BIOS versions of some Lenovo systems running AMI BIOS firmware. This could cause Secure Boot to not function as expected on affected systems and could allow an attacker with local or physical access to boot the system with software that is not on the trusted boot list.

Mitigation Strategy for Customers (what you should do to protect yourself):

Users running an affected BIOS version need to update their BIOS to the fixed version. A system that was shipped with the affected BIOS version may still be affected even if it is currently running the latest unaffected BIOS version.

To determine if your specific system is affected, you can run the Microsoft PowerShell script available here. If the system contains the test key, this script will output a message saying “System is using the AMI Test certificate” and you should follow the steps below.

Once the system is running with an unaffected BIOS version, the following steps must be performed to replace the test key with a valid key:

1. Temporarily suspend or disable BitLocker, if enabled.

   - For Windows 8, click Start, type “manage bitlocker” then select it from the resulting list, and select “Turn off BitLocker” if it is on.

   - For Windows 10, click Start, type “manage bitlocker” then select it from the resulting list, click System and Security, and then click BitLocker Drive Encryption. Select “Turn off BitLocker” if it is on.

2. Enter the BIOS SETUP interface when the system is booting to update manually. Refer to your system’s documentation for instructions on entering the BIOS SETUP interface.

3. Go to Security -> Security Boot

4. Press “Enter” on the “Reset To Setup mode” item to reset the platform to setup mode

5. Press “Enter” on the “Restore Factory Keys” item to change the Secure Boot status back to User mode

6. Save the setting and exit SETUP interface.

7. Re-enable BitLocker if desired

Product Impact:

This issue only affects some Lenovo products with BIOS firmware provided by AMI. Affected products are listed below. Brands not listed, such as ThinkPad and IdeaPad, do not use AMI firmware and are not affected by this vulnerability.

To see if your specific system is affected, run the Microsoft PowerShell script available here.
