/r/netsec is a community-curated aggregator of technical information security content. Our mission is to extract signal from the noise — to provide value to security practitioners, students, researchers, and hackers everywhere.
Intel BootGuard has kept most Skylake/Kaby-Lake/Coffee-Lake laptops locked away from coreboot – until now.
At the end of 2024, Ubuntu developer Mate Kukri introduced deguard, a small utility that leverages CVE-2017-5705 inside ME 11.x to disable BootGuard fuses in SRAM. The result: previously “un-coreboot-able” machines – e.g. Lenovo T480/T480s and Dell OptiPlex 3050 – can boot unsigned firmware again. It has been presented and discussed at the Dasharo Developers vPub 0xE, you can watch the presentation and look through the slides below.
🔹 What deguard does
"Downgrades ME via SPI flash overwrite"
"Patches BootGuard fuses on-the-fly"
"Lets you sign nothing at all – coreboot just runs"
🔹 Why it matters
"Opens the door for community coreboot ports on 8th-gen Intel laptops"
"Gives Libreboot & vendors like NovaCustom a path to newer hardware"
"Great teaching example of how not to design a root-of-trust"
▶ 10-min talk + live demo video / slides (free):
https://cfp.3mdeb.com/developers-vpub-0xe-2025/talk/WVJFQD/
Slides direct PDF: https://dl.3mdeb.com/dasharo/dug/9/7.introduction-to-deguard.pdf
Happy to answer questions, share flashing notes, or compare against other BootGuard work-arounds.