UEFI secure boot ensures that the UEFI firmware loads and executes only signed UEFI applications (including bootloaders) and drivers. So an attempt to modify them by introducing a malware would be detected and rejected. A vulnerability or malware (including rootkits) could possibly be also signed in the loaded code or the components loaded next.
Can a secure boot really block rootkit modules from being installed or
is it just capable of blocking rootkits from loading during the system
bootup?
Secure boot does not protect your system from introducing a malware after the boot process finishes then the system behaves the same as without secure boot. To keep the boot process safe the signing chain of the loaded code must be ensured because there could be multiple stages of booting. See below.
Chain of software components
The overall security depends on the chain of the individual components:
- hardware - Security of all the software depends on the hardware it is running on.
- UEFI - The firmware takes care of secure boot including the management and storage of cryptographic keys used for code signature verification. The certificates stored in the UEFI variables are trusted by the UEFI secure boot.
- bootloader - This (with possible UEFI drivers and applications) is the only software (except UEFI itself) in the boot chain directly validated by the secure boot signature. All the next components listed below are not secured by the UEFI secure boot specification. To keep the whole booting procedure secure the bootloader and possible next booting components must implement code signature checking mechanisms similar to secure boot.
- second stage bootloader - optional component
- OS kernel - As the most complex component running most of the time offers the largest playfield for vulnerabilities.
Trustworthiness of the signing certificates
The trustworthiness of the signed bootloader depends on the signing keys which are loaded into the UEFI variables with trusted signing certificates. For example in some distributions of Linux a small bootloader called shim is being used to overcome the secure boot and load an unsigned second stage bootloader or kernel. So anyone who can write to the medium with the bootloader or kernel image could introduce any vulnerability or malware into it.
Shim in many current distributions is being used to load a code signed by a different key so usage of shim alone does not mean that the whole boot chain is not protected by signatures.
References