this post was submitted on 27 Nov 2024
206 points (96.8% liked)

Technology

59675 readers
3293 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
L3s@fry.gs
L4s@fry.gs
L4s@lemmy.world
enu@lemmy.world
206
Found in the wild: The world’s first unkillable UEFI bootkit for Linux (arstechnica.com)
submitted 1 day ago by purrtastic@lemmy.nz to c/technology@lemmy.world
29 comments fedilink hide all child comments
 

“Whether a proof of concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats,” ESET researchers wrote. “Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems, it emphasizes the necessity of being prepared for potential future threats.”

you are viewing a single comment's thread
view the rest of the comments
[–] Illecors@lemmy.cafe 64 points 1 day ago* (last edited 1 day ago) (4 children)

The Bootkitty sample ESET found is unable to override a defense, known as UEFI Secure Boot, that uses cryptographic signatures to ensure that each piece of software loaded during startup is trusted by a computer's manufacturer.

AKA not that big of a deal, yet. An article from another post about this also mentions GRUB explicitly as a requirement as well as PoC using self signed keys, which renders it sort of impossible to abuse.

UKI + your own keys + secure boot is still not broken.

[–] CriticalMiss@lemmy.world 2 points 8 hours ago (1 children)

How many distros support secure boot out of the box? IIRC it’s only Ubuntu and RHEL. The rest require hacking some shit together with self signed keys.

[–] Illecors@lemmy.cafe 1 points 3 hours ago

Don't know, been rolling with Gentoo for some time now.

I wouldn't trust "out of the box" support anyway as that would imply trusting microsoft keys.

[–] wewbull@feddit.uk 2 points 12 hours ago (1 children)

This sounds like a good thing. I don't care if the manufacturer of my equipment trusts the software. I care if I trust it.

[–] Illecors@lemmy.cafe 1 points 11 hours ago

It is a good thing!

[–] fuckwit_mcbumcrumble@lemmy.dbzer0.com 48 points 1 day ago (5 children)

Unfortunately a lot of people in the Linux world still hate secure boot because they associate it with locking your PC to only running windows. Never mind the fact that basically every big Linux distro plays nicely with secure boot these days, and has for a while now.

[–] mox@lemmy.sdf.org 15 points 20 hours ago (1 children)

because they associate it with locking your PC to only running windows.

They're not exactly wrong. BIOS/UEFI bugs that make it a royal pain to use secure boot with anything but Windows are pretty common.

[–] ftbd@feddit.org 6 points 14 hours ago (1 children)

And many mainboards also suck in this regard. On mine, I can set secure boot mode to either 'Windows OS' (which means secure boot on) or 'Other OS' (which means secure boot is off). Took me a couple hours to figure that out

[–] Kazumara@discuss.tchncs.de 1 points 8 hours ago

Can confirm. I've seen this on multiple boards. I think this was Asus nomenclature.

[–] Shdwdrgn@mander.xyz 30 points 1 day ago (3 children)

I associate it with the fight I've had every single time I tried to use it. It's never been a smooth process on any server I attempted to use it on. Usually I either run into problems with a system not wanting to properly boot the memory stick even with a full UEFI image flashed to it, or if I do get that to work I go through the whole installation process only to find the system unbootable for whatever reason. Eventually I just give up and do a standard installation because why should I have to work this hard to put an OS on a machine?

[–] charade_you_are@sh.itjust.works 13 points 1 day ago

I actually had a system that wouldn't initiate the video card because of secure boot and many other problems with over the years that I repaired them for a living. Left a very bad taste in my mouth but if it's actually improving I'll it again.

[–] Illecors@lemmy.cafe 4 points 1 day ago (1 children)

It is a system one has to understand fully, i.e. not like ssh, where you can understand connecting to a remote host without bothering about key pairs, x11 forwading, etc.

I was lucky enough to have figured out Gentoo enough where plugging in secure boot was just extending my own system update script. Admittedly, I don't know how much other distros fight back.

[–] Shdwdrgn@mander.xyz 6 points 1 day ago (1 children)

I'm on Debian, they've been providing UEFI images for a number of years so everything should "just work". In fact I have one server where things did just work and that's the only system using UEFI. Two other servers of the same model and BIOS version completely failed after numerous attempts so I finally said screw it and just did a normal install.

[–] Illecors@lemmy.cafe 2 points 14 hours ago (1 children)

Do you know how that works? Is it something like Ubuntu where Canonical uses some sort of chain from Microsoft or do you have to embed the cert they provide into UEFI yourself?

[–] Shdwdrgn@mander.xyz 2 points 7 hours ago

Sorry, I really haven't a clue. I just know once in awhile it does work, but usually it fails for me.

[–] 9tr6gyp3@lemmy.world 1 points 1 day ago (1 children)

Check out sbctl

[–] Shdwdrgn@mander.xyz 1 points 1 day ago (1 children)

Shouldn't this all be handled automatically by the Debian installer though? It seems weird that I would ever have to run other tools just to install a brand new system.

[–] 9tr6gyp3@lemmy.world 1 points 9 hours ago

Oh yeah Debian has their own documentation for SecureBoot. If thats not working though, check out sbctl.

[–] mlg@lemmy.world 11 points 1 day ago

The Fedora doc on this is a bit old but it's still mostly the same:

Secure boot activates a lock-down mode in the Linux kernel which disables various features kernel functionality:

  • Loading kernel modules that are not signed by a trusted key.
  • Using kexec to load an unsigned kernel image.
  • Hibernation and resume from hibernation.
  • User-space access to physical memory and I/O ports.
  • Module parameters that allow setting memory and I/O port addresses.
  • Writing to MSRs through /dev/cpu/*/msr.
  • Use of custom ACPI methods and tables.

The implementation of secure boot is still questionable to this day, but it is understandable that it doesn't always play nice with Linux. I do believe you can use hibernate now as long as you have an encrypted swap (LUKS).

I can definitely see the pain if you happen to be a kernel dev or use linux on any SBC with IO ports you want to mess with in userspace and not make en entire overkill kernel module for.

[–] Illecors@lemmy.cafe 7 points 1 day ago* (last edited 1 day ago)

Yea, I guess that initial total lack of understanding and big headlines has left a long-lasting scar. Admittedly, secure boot could be used to lock a machine down if the ability to turn it off and/or manage the keys yourself was removed.

We'll get there, eventually :)

[–] TheFogan@programming.dev 5 points 1 day ago

Never mind the fact that basically every big Linux distro plays nicely with secure boot these days, and has for a while now.

In my experience nicely is still pretty relative. It still seems to be the most common area things go wrong on my installs and place I have the hardest time working around...

and the bigger part, it's a solution to a problem that I've never seen happen in the wild, and really can't fathom happening on linux that doesn't involve a very dumb user running software from an unknown source as root.

[–] chevy9294@monero.town 5 points 20 hours ago (1 children)

Well... if you have your own keys (like I do) you have to store them somewhere. That somewhere is probably somewhere on a computer where they are used so you can update the kernel. If you have private keys, you can probably bypass secure boot.

Is there a way to have private keys stored on a nitrokey that has to be plugged in for every kernel update?

[–] Illecors@lemmy.cafe 7 points 16 hours ago (1 children)

Yes, failing to safeguard keys is fatal, but that applies to everything. But if fs you're storing keys on is behind luks and they're readable by root only - you're as safe enough. There're also LSMs like selinux that can increase the complexity of attack.

I don't know about nitrokey specifically, but TPM is an option (not good enough, imo) and a simple luks encrypted usb. You could get some convenience by storing the key to unlock it somewhere on the encrypted root.

In general - you cannot stop a targeted attack no matter what, but staying safe from all the automated ones is doable.

[–] chevy9294@monero.town 1 points 12 hours ago

They are stored behind luks and I think they are readable only by root. But bootkit can probably only infect UEFI from Linux that is running on that machine. And to interact to UEFI you probably have to be root, right?

I'll look into more options, either store keys on a seperate luks usb key or on a hardware securety key like Nitrokey. For sbctl there is already a roadmap feature for hardware security keys, I hope this comes soon :)