PKfail is the name given by the well-known security firm Binarly to a critical and widespread vulnerability in the Secure Boot ecosystem, caused by the long-term misuse of platform keys (PKs) that were reused across production devices. Many of these keys were explicitly marked as "DO NOT TRUST" or "DO NOT SHIP" and were originally intended only for internal testing.
The root cause traces back to American Megatrends Inc. (AMI), one of the most prominent UEFI firmware vendors (also known as an IBV, or Independent BIOS Vendor). AMI provided example PKs with its firmware development kits; these keys were never meant to be used in shipping products. However, the sample keys ended up being widely adopted by OEMs and board manufacturers without proper replacement.
As a result, at least 215 device models from manufacturers such as Acer, Dell, Gigabyte, Intel, Supermicro, Fujitsu, HP, Lenovo, and others have firmware that accepts these Platform Keys.
In December 2022, the Platform Key that had been improperly used across production devices was exposed in the public GitHub repository github.com/raywu-aaeon/Ryzen2000_4000. Although the repository was later deleted, it remains accessible through the following archives:
- Web Wayback Machine: Github raywu-aaeon/Ryzen2000_4000 Snapshot
- Web Wayback Machine: Github raywu-aaeon/Ryzen2000_4000 Download Zip file
Inside the archive, under "Keys/FW/AmiTest/", is the file "FW_priKey.pfx", an encrypted Platform Key explicitly marked "DO NOT TRUST", yet used in production firmware. The .pfx file is password-protected, but the password is just four characters long, abcd, making it trivial to crack.
This leak effectively grants anyone access to the root of trust on affected devices. A malicious actor can use the key to sign untrusted bootloaders or UEFI applications, allowing the installation of persistent and stealthy UEFI bootkits.
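An added example (not from the original page or from Binarly) of checking an enrolled PK for the two labels quoted above: it parses the EFI_SIGNATURE_LIST stored in the PK variable and searches each X.509 entry for them. It assumes a Linux host exposing efivarfs and that the label sits in the certificate's text fields; the sample data is constructed.

```python
import struct
import uuid
from pathlib import Path

# Standard UEFI values: PK sits under the EFI global-variable GUID (Linux efivarfs).
PK_PATH = Path("/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
MARKERS = ("DO NOT TRUST", "DO NOT SHIP")  # the two labels named on this page
# Constructed sample: one X.509-type list; 16-byte owner GUID + stand-in "certificate".
_ENTRY = bytes(16) + b"CN=DO NOT TRUST - constructed sample"
SAMPLE = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(_ENTRY), 0, len(_ENTRY)) + _ENTRY


def parse_signature_lists(data):
    """Yield (type_guid, owner_guid, sig_data) per entry of concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def find_test_key_markers(pk_payload):
    """Return the sorted marker strings found in X.509 entries of the PK."""
    hits = set()
    for sig_type, _owner, cert in parse_signature_lists(pk_payload):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        for marker in MARKERS:
            # Assumption: the label is stored as ASCII/UTF-8 or BMPString (UTF-16BE).
            if marker.encode("ascii") in cert or marker.encode("utf-16-be") in cert:
                hits.add(marker)
    return sorted(hits)


if __name__ == "__main__":
    # efivarfs prepends 4 attribute bytes; fall back to the sample off a UEFI host.
    payload = PK_PATH.read_bytes()[4:] if PK_PATH.exists() else SAMPLE
    print("test-key markers in PK:", find_test_key_markers(payload) or "none found")
```

An empty result only means neither label was found in the enrolled PK; it does not identify the key's owner.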
- Web Binarly: PKfail: Untrusted Platform Keys Undermine Secure Boot on UEFI Ecosystem
- Youtube Video: Binarly - Critical Disclosure: PKfail - Undermine UEFI Secure Boot
- Github: Vulnerability Research BRLY-2024-005
- Youtube Video: Binarly - Proof of Concept for PKfail (Windows version)
- Youtube Video: Binarly - Proof of Concept for PKfail (Linux version)
- Youtube Video: LABScon24 Replay - PKfail, Supply-Chain Failures in Secure Boot Key Management, Matrosov & Pagani
- Web Binarly: PKfail Two Months Later, Reflecting on the Impact
- Youtube Video: Binarly - Combining a Secure Boot Bypass with a Bootkit on Windows 11
- Youtube Video: Dave's Garage - Windows Secure Boot Compromised! What You Need to Know by a Retired Microsoft Engineer
- Web Ars Technica: Secure Boot is completely broken on 200+ models from 5 big device makers
- Web KIWI Farms: PKFail - 'Secure Boot' isn't because pajeets working for companies based in Worse China are lazy and do nothing but copy sample code
- Web Microsoft: Windows Secure Boot Key Creation and Management Guidance
- Github: Microsoft's Secure Boot open-source repository
- Github: CERT Coordination Center - Mitigations & detection tools for PKfail
- Github: Detected Products vulnerable to PKfail
- Web PKfail: Check if your firmware is affected by PKfail
