Found in the wild: The world’s first unkillable UEFI bootkit for Linux - eviltoast

“Whether a proof of concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats,” ESET researchers wrote. “Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems, it emphasizes the necessity of being prepared for potential future threats.”

  • mlg@lemmy.world · 11 upvotes · 29 days ago

    The Fedora doc on this is a bit old but it’s still mostly the same:

    Secure boot activates a lock-down mode in the Linux kernel which disables various kernel features:

    • Loading kernel modules that are not signed by a trusted key.
    • Using kexec to load an unsigned kernel image.
    • Hibernation and resume from hibernation.
    • User-space access to physical memory and I/O ports.
    • Module parameters that allow setting memory and I/O port addresses.
    • Writing to MSRs through /dev/cpu/*/msr.
    • Use of custom ACPI methods and tables.

    The implementation of secure boot is still questionable to this day, but it is understandable that it doesn’t always play nice with Linux. I do believe you can use hibernate now as long as you have an encrypted swap (LUKS).

    I can definitely see the pain if you happen to be a kernel dev or use Linux on any SBC with IO ports you want to mess with in userspace and not make an entire overkill kernel module for.
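A small check script, added here as an example (not from the comment or the Fedora doc), that reports the lockdown mode the comment describes and the firmware's Secure Boot state. It assumes a Linux host with securityfs and efivarfs mounted at their standard paths; the parsing relies on the `none [integrity] confidentiality` line format of the lockdown file and on efivarfs prefixing each variable's data with 4 attribute bytes.

```shell
#!/bin/sh
# Added example: report kernel lockdown mode and Secure Boot state.
# Paths are the standard Linux ones; if a file is absent we report "unknown".

LOCKDOWN_FILE=/sys/kernel/security/lockdown
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# The lockdown file lists all modes and brackets the active one,
# e.g. "none [integrity] confidentiality". Print the bracketed word.
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Read the live lockdown mode, or "unknown" if securityfs is not available.
current_lockdown() {
    if [ -r "$LOCKDOWN_FILE" ]; then
        lockdown_mode "$(cat "$LOCKDOWN_FILE")"
    else
        echo unknown
    fi
}

# Decode a SecureBoot efivar file: 4 attribute bytes, then one data byte
# (1 = enabled, 0 = disabled). Takes the path so it can be tested on a
# constructed file.
secure_boot_value() {
    [ -r "$1" ] || { echo unknown; return; }
    case "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Summarise, mapping the mode to the restrictions the comment lists.
report() {
    mode=$(current_lockdown)
    echo "Secure Boot:     $(secure_boot_value "$SB_VAR")"
    echo "Kernel lockdown: $mode"
    case "$mode" in
        integrity|confidentiality)
            echo "Blocked: unsigned modules, unsigned kexec, hibernation," \
                 "/dev/mem and port I/O, MSR writes, custom ACPI tables"
            [ "$mode" = confidentiality ] && \
                echo "Confidentiality mode also restricts reads of kernel memory" ;;
        none) echo "No lockdown restrictions in effect" ;;
    esac
}

report
```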