Regarding Linux, the secureboot document appears to cover the steps for enabling secureboot and also explains the general architecture for protections enabled with that technology, but there is a commonly overlooked abuse which was not mentioned.
This abuse works against Red Hat/Debian/other major distros' default implementations of secureboot and requires deliberate effort to mitigate.
Ultimately, this stems from the limitation of secureboot only being able to verify the signature of a single EFI file on disk, but most distributions boot with 2 or 3. Mutilation of these unverified files can result in early-boot privileged code execution, potential disk key interception, and modification of kernel boot parameters, which can severely cripple a machine's security posture.
I've worked on some documentation and a tool for remediating this kind of attack here:
https://github.com/noahbliss/mortar
There are some other fantastic additional reading resources as well, but this is definitely a major design consideration when building a hardened Linux machine.
Additional resources:
https://github.com/Snawoot/linux-secureboot-kit
https://threat.tevora.com/secure-boot-tpm-2/
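The comment above describes the gap: Secure Boot verifies the signature of the first EFI binary, while the kernel image, initramfs and bootloader configuration that a default chain loads afterwards are not covered, so edits to them go unnoticed. The script below is an added example written for this page; it is not code from the issue, from mortar or from the linked kits. It takes a SHA-256 manifest of the boot files and later reports any file that changed or disappeared. The `/boot` layout and file names are assumptions about a typical installation, and the demo runs on constructed stand-in files in a temporary directory so it can be tried without touching a real machine.

```shell
#!/bin/sh
# Added example, not code from the issue or from the mortar project.
# Secure Boot checks the signature of the first EFI binary only; the kernel,
# initramfs and bootloader config that the default chain loads next are not
# covered. This script records SHA-256 hashes of those files and later
# reports any that changed or vanished. The paths below are assumptions;
# the demo uses constructed files in a temporary directory.

# make_manifest DIR OUT: hash every regular file under DIR into OUT (sorted
# so that two runs over identical trees produce identical manifests)
make_manifest() {
  find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
    sha256sum "$f"
  done > "$2"
}

# verify_manifest MANIFEST: print one CHANGED/MISSING line per problem,
# return 1 if anything differs from the recorded baseline, 0 otherwise
verify_manifest() {
  rc=0
  while IFS= read -r line; do
    expected=${line%% *}      # hash is the first field
    path=${line#*  }          # sha256sum separates hash and path by two spaces
    if [ ! -f "$path" ]; then
      echo "MISSING  $path"; rc=1; continue
    fi
    actual=$(sha256sum "$path" | cut -d' ' -f1)
    if [ "$expected" != "$actual" ]; then
      echo "CHANGED  $path"; rc=1
    fi
  done < "$1"
  return "$rc"
}

# demo: constructed stand-ins for the unverified stages of a typical chain
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/boot/efi/EFI/BOOT"
  printf 'constructed kernel image' > "$tmp/boot/vmlinuz"
  printf 'constructed initramfs'    > "$tmp/boot/initrd.img"
  printf 'linux /vmlinuz ro quiet\n' > "$tmp/boot/efi/EFI/BOOT/grub.cfg"

  make_manifest "$tmp/boot" "$tmp/manifest"
  verify_manifest "$tmp/manifest" && echo "baseline: all files match"

  # Simulate an edit to the bootloader config (a kernel parameter change)
  printf 'linux /vmlinuz ro debug\n' > "$tmp/boot/efi/EFI/BOOT/grub.cfg"
  if verify_manifest "$tmp/manifest"; then
    echo "unexpected: tampering not detected"
  else
    echo "tampering detected"
  fi
  rm -rf "$tmp"
}

demo
```

This is detection, not prevention: a manifest stored on the same unencrypted partition can be rewritten along with the files it describes, so keep the baseline off-host or bind it to hardware (sealing to a TPM is the usual approach), and treat any CHANGED or MISSING line after a boot as a reason to inspect the machine before unlocking disks.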