Secure Boot = Not-so-Secure Boot

From Ars Technica: Secure Boot is completely broken on 200+ models from 5 big device makers | Ars Technica
(Detection methods are at end of article.)

Research group Binarly’s original report (PDF) can be opened/downloaded from here: PKfail: Untrusted Platform Keys Undermine Secure Boot on UEFI Ecosystem
(The Appendix with list of affected OEMs/models runs from page 18 through 45.)

4 Likes

Is PureBoot and/or the Librem Key affected by this in any way?

1 Like

@jonathon.hall

Secure Boot and other UEFI-related features are not used in PureBoot.

Related:

4 Likes

For me (on an x86 desktop)

efi-readvar -v PK

gives

Variable PK has no entries

and

efi-readvar

gives

Variable PK has no entries
Variable KEK has no entries
Variable db has no entries
Variable dbx has no entries
Variable MokList has no entries

Maybe that indicates that I turned Secure Boot off. Or?

1 Like

Could be.

FWIW, I own (1) a 2012 laptop from a Linux laptop vendor, (2) a 2017 laptop that came with (only) Linpus Lite OS preloaded, (3) a Microsoft Surface Go2 from which I’ve nuked Windows, and (4) a Dell micro from which I’ve nuked Windows. They all now run Linux Mint, and use grub to boot.

The 2017 formerly-Linpus laptop and the Dell do return a PK value, while the 2012 Linux laptop and the Surface Go2 return Variable PK has no entries.

But fortunately they aren’t listed among the affected machines.

3 Likes

@jonathon.hall has written a new blog article for Purism addressing this topic:

2 Likes

I think a prerequisite here is that your computers are using UEFI (rather than BIOS) and then there’s a question over whether the setting for Secure Boot matters.

I would be cautious about that. How was that list arrived at? Did the researchers test every machine that they could get their hands on? Or every machine on the planet? Maybe your “2012 laptop” is just too old for the researchers to get their hands on?

Or did the researchers base the list off firmware brand and version?

Anyway, you should be looking for the certificate (if any are listed at all) that says “DO NOT SHIP” or “DO NOT TRUST”.

2 Likes
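The check suggested above (look for a “DO NOT SHIP” / “DO NOT TRUST” certificate in PK), and the earlier efi-readvar output, as an added example that is not from the thread or from Binarly: it walks the EFI_SIGNATURE_LIST structures of a raw PK variable and reports those marker strings in any X.509 entry. The sample variable is constructed in the script with a placeholder certificate body, not real DER; on a Linux machine you would instead feed it the PK file from /sys/firmware/efi/efivars/.

```python
import struct
import uuid

# GUID for X.509 entries in PK/KEK/db (EFI_CERT_X509_GUID, from the UEFI spec)
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Subject strings the thread says to look for in a test/untrusted Platform Key
SUSPECT_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")

def parse_signature_lists(blob, efivarfs=True):
    """Walk the EFI_SIGNATURE_LIST structures in a raw variable blob.
    efivarfs=True skips the 4-byte attribute word that files under
    /sys/firmware/efi/efivars/ prepend to the variable data."""
    entries = []
    off = 4 if efivarfs else 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < 28 + hdr_size or end > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:            # each entry: owner GUID + data
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def find_untrusted_markers(blob, efivarfs=True):
    """Return the marker strings found in any X.509 entry of the variable."""
    hits = []
    for sig_type, _owner, cert in parse_signature_lists(blob, efivarfs):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        hits.extend(m.decode() for m in SUSPECT_MARKERS if m in cert)
    return hits

def build_signature_list(sig_type, owner, cert):
    """Encode one single-entry EFI_SIGNATURE_LIST (used here to build test data)."""
    sig_size = 16 + len(cert)
    header = sig_type.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return header + owner.bytes_le + cert

# Constructed stand-in for a PK variable: placeholder certificate bytes (not real
# DER) carrying the test-key subject text, behind a fake efivarfs attribute word.
FAKE_TEST_CERT = b"\x30\x82" + b"CN=DO NOT TRUST (constructed sample)" + b"\x00" * 8
SAMPLE_PK = b"\x07\x00\x00\x00" + build_signature_list(
    EFI_CERT_X509_GUID, uuid.UUID(int=0), FAKE_TEST_CERT)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PK
    print(find_untrusted_markers(data) or "no test-key markers found")
```

On a real system run it as `python3 pkcheck.py /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c`; a machine whose PK has no entries (as in the efi-readvar output earlier in the thread) yields an empty result rather than an error.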