Scalable Vulnerability Analysis Requires Automation
In my recent blog post on the BlackLotus UEFI bootkit, I discussed how big a problem the firmware supply chain poses for Microsoft Windows bootloaders and showed how the BatonDrop vulnerability (CVE-2022-21894) can bypass both device attestation and Secure Boot.