Sigma secure boot

Kronecker 2024-08-15 23:00:03 128 Views 1 Replies

Recently it was discovered that many PC manufacturers are installing a "debug" secure boot certificate in the UEFI motherboard firmware instead of a secure boot certificate that they generated themselves.

 

It turns out that the LattePanda Sigma is one of these.

 

What does this mean? The debug certificate allows OSes like Windows and Linux to boot securely and works as intended, but its private key is widely known because it's a debug certificate that purposely revealed the private key. Any hostile actor can use this private key to create their own software which will also boot securely, and this can happen before the OS like Linux or Windows has a chance to boot. This gives the hostile actor complete control of your PC before you boot your OS, and with clever malware, no antivirus or other detection software in the OS can discover it.

 

It does require that the hostile actor have physical access to your Sigma or else get admin privileges remotely, so the danger is not immediate for most people. But it should be remedied, which is done by LattePanda generating their own secure boot certificate with a new private key only they know and creating a BIOS update to install it in place of the debug certificate.

 

Steve Gibson of the Security Now! podcast has written up the details along with references at https://www.grc.com/isbootsecure.htm. He has also created a Windows tool "IsBootSecure.exe" available on that webpage which can verify if your UEFI firmware has the compromised debug certificate, and gives instructions on how to determine this if you run Linux. I don't know if other LattePanda PCs have secure boot, but if so they probably should be checked.
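
For Linux users, one way to run the check described above, as an added example that is not part of the original post and not the GRC tool: it reads the Platform Key (PK) variable from efivarfs, walks the EFI_SIGNATURE_LIST structure, and looks for test-key marker text in each certificate. The marker strings are an assumption taken from public reporting on these debug keys, the byte search is a heuristic rather than a full X.509 parse, and `make_blob` builds a constructed sample so the script also runs on a machine without UEFI.

```python
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Assumed marker text in the subject/issuer of debug (test) Platform Keys
MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")
# PK lives under the EFI global variable GUID
PK_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"

def x509_entries(var_data):
    """Yield (owner GUID, DER bytes) for each X.509 entry in a chain of EFI_SIGNATURE_LISTs."""
    off = 0
    while off + 28 <= len(var_data):
        sig_type = uuid.UUID(bytes_le=var_data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", var_data, off + 16)
        if list_size < 28 or sig_size <= 16 or off + list_size > len(var_data):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while sig_type == X509_GUID and pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=var_data[pos:pos + 16])
            yield owner, var_data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def pk_is_test_key(efivarfs_blob):
    """True if any PK certificate contains a test-key marker (byte-level heuristic)."""
    data = efivarfs_blob[4:]  # efivarfs prefixes the value with a 4-byte attributes word
    return any(m in der for _, der in x509_entries(data) for m in MARKERS)

def make_blob(fake_der):
    """Constructed sample: one X.509 signature list wrapped like an efivarfs read."""
    entry = uuid.UUID(int=0).bytes_le + fake_der
    sig_list = X509_GUID.bytes_le + struct.pack("<III", 28 + len(entry), 0, len(entry)) + entry
    return struct.pack("<I", 0x27) + sig_list  # NV | BS | RT | time-based authenticated write

if __name__ == "__main__":
    try:
        with open(PK_PATH, "rb") as f:
            blob = f.read()
    except OSError:
        # No efivarfs here: fall back to constructed bytes, not a real certificate
        blob = make_blob(b"...CN=DO NOT TRUST - AMI Test PK...")
    print("test/debug Platform Key present:", pk_is_test_key(blob))
```

A `False` result only means no marker text was found in the enrolled PK; it does not prove the key's private half is secret.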