I heard that with UEFI secure boot enabled a custom kernel module that is not signed will not run, hence a rootkit might be difficult to install.

Can a secure boot really block rootkit modules from being installed or is it just capable of blocking rootkits from loading during the system bootup?

secure boot : http://www.webopedia.com/TERM/M/microsoft_secure_boot.html

Kevin Parker
    Maybe you should add a little bit more information. This question is answerable, but only with a huge and broad answer. Try editing and adding to your question (i.e., links for reference) what you mean with a secure boot, what you mean with a signed rootkit, etc. It will be easier for people to answer then! :) – Lighty Oct 14 '14 at 09:43
    [This might be a useful answer](http://security.stackexchange.com/a/69274/52676), though maybe not quite what you're looking for. – RoraΖ Oct 14 '14 at 11:27
  • Thanks raz for sharing that link, that clarifies all my doubts. – Kevin Parker Oct 14 '14 at 11:48

2 Answers

UEFI secure boot ensures that the UEFI firmware loads and executes only signed UEFI applications (including bootloaders) and drivers. So an attempt to modify them by introducing malware would be detected and rejected. A vulnerability or malware (including rootkits) could possibly also be present in the signed loaded code itself or in the components loaded next.

Can a secure boot really block rootkit modules from being installed or is it just capable of blocking rootkits from loading during the system bootup?

Secure boot does not protect your system from malware introduced after the boot process finishes; from then on the system behaves the same as without secure boot. To keep the boot process safe, the signing chain of the loaded code must be ensured, because there can be multiple stages of booting. See below.

Chain of software components

The overall security depends on the chain of the individual components:

  1. hardware - The security of all the software depends on the hardware it is running on.
  2. UEFI - The firmware takes care of secure boot, including the management and storage of the cryptographic keys used for code signature verification. The certificates stored in the UEFI variables are trusted by UEFI secure boot.
  3. bootloader - This (with possible UEFI drivers and applications) is the only software (except UEFI itself) in the boot chain directly validated by the secure boot signature check. All the next components listed below are not secured by the UEFI secure boot specification. To keep the whole booting procedure secure, the bootloader and any further booting components must implement code signature checking mechanisms similar to secure boot.
  4. second stage bootloader - optional component
  5. OS kernel - As the most complex component, running most of the time, it offers the largest playfield for vulnerabilities.

Trustworthiness of the signing certificates

The trustworthiness of the signed bootloader depends on the signing keys, which are loaded into the UEFI variables with trusted signing certificates. For example, in some Linux distributions a small bootloader called shim is used to overcome secure boot and load an unsigned second stage bootloader or kernel. So anyone who can write to the medium with the bootloader or kernel image could introduce any vulnerability or malware into it.

Shim in many current distributions is used to load code signed by a different key, so usage of shim alone does not mean that the whole boot chain is not protected by signatures.
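The chain described in this answer, as an added toy model that is not code from the answer or from any firmware or distribution project: the firmware checks the first stage against its db, each stage that enforces checks what it loads with its own trust store (the way shim, grub and the kernel carry the distro's certificate), and anything loaded by an unverified or non-enforcing stage is reported as unverified. The "signatures" are textbook RSA over hard-coded Mersenne primes, a constructed stand-in for the Authenticode/PKCS#7 signatures and X.509 certificates real UEFI firmware verifies; the CA names, image bytes and stage names are all invented for the example.

```python
"""Toy model of a Secure Boot style chain of trust (added example)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

E = 65537
# Constructed toy parameters: Mersenne primes, so no key generation is needed.
M127, M521, M607, M1279 = 2**127 - 1, 2**521 - 1, 2**607 - 1, 2**1279 - 1
Pub = Tuple[int, int]   # (n, e)
Priv = Tuple[int, int]  # (n, d)


def keypair(p: int, q: int) -> Tuple[Pub, Priv]:
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # modular inverse (Python >= 3.8)
    return (n, E), (n, d)


def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv: Priv, data: bytes) -> int:
    n, d = priv
    return pow(digest(data), d, n)


def verify(pub: Pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(data)   # digest < 2**256 < n, so no reduction needed


# Constructed authorities: the CA enrolled in the firmware db (on most PCs that is
# Microsoft's UEFI CA) and a distro CA that shim, grub and the kernel carry themselves.
FIRMWARE_CA_PUB, FIRMWARE_CA_PRIV = keypair(M127, M521)
DISTRO_CA_PUB, DISTRO_CA_PRIV = keypair(M607, M1279)
FIRMWARE_DB: Dict[str, Pub] = {"Firmware-CA": FIRMWARE_CA_PUB}
DISTRO_TRUST: Dict[str, Pub] = {"Distro-CA": DISTRO_CA_PUB}


@dataclass
class Stage:
    name: str
    image: bytes
    signer: Optional[str] = None        # CA named by the signature; None = unsigned image
    signature: Optional[int] = None
    trusts: Dict[str, Pub] = field(default_factory=dict)  # keys this stage checks loads against
    enforces: bool = True               # False = loads the next stage without checking it


def signed(name: str, image: bytes, ca: str, ca_priv: Priv, **kw) -> Stage:
    return Stage(name, image, ca, sign(ca_priv, image), **kw)


def boot(chain: List[Stage], firmware_db: Dict[str, Pub]) -> Dict[str, str]:
    """Walk the chain and report what it can attest about each stage.

    The firmware checks chain[0] against its db; every later stage is checked by
    the stage that loads it, using that loader's own trust store. Once a loader is
    itself unverified, or skips checking, nothing downstream is attested, even if
    it happens to carry a valid signature.
    """
    status: Dict[str, str] = {}
    loader_trusts, loader_trusted = firmware_db, True
    for stage in chain:
        if not loader_trusted:
            status[stage.name] = "unverified"
        elif (stage.signature is not None and stage.signer in loader_trusts
              and verify(loader_trusts[stage.signer], stage.image, stage.signature)):
            status[stage.name] = "verified"
        else:
            status[stage.name] = "rejected"   # loader refuses the image; chain stops here
            break
        loader_trusts = stage.trusts
        loader_trusted = status[stage.name] == "verified" and stage.enforces
    return status


def scenario_full_chain() -> Dict[str, str]:
    """Every stage checks the next; an unsigned module is refused by the kernel."""
    chain = [
        signed("shim", b"shim image", "Firmware-CA", FIRMWARE_CA_PRIV, trusts=DISTRO_TRUST),
        signed("grub", b"grub image", "Distro-CA", DISTRO_CA_PRIV, trusts=DISTRO_TRUST),
        signed("vmlinuz", b"kernel image", "Distro-CA", DISTRO_CA_PRIV, trusts=DISTRO_TRUST),
        Stage("rootkit.ko", b"unsigned module loaded after boot"),
    ]
    return boot(chain, FIRMWARE_DB)


def scenario_lax_second_stage() -> Dict[str, str]:
    """A signed second stage that does not verify the kernel breaks the chain."""
    chain = [
        signed("shim", b"shim image", "Firmware-CA", FIRMWARE_CA_PRIV, trusts=DISTRO_TRUST),
        signed("grub", b"grub image", "Distro-CA", DISTRO_CA_PRIV, enforces=False),
        signed("vmlinuz", b"kernel image", "Distro-CA", DISTRO_CA_PRIV, trusts=DISTRO_TRUST),
        Stage("rootkit.ko", b"unsigned module loaded after boot"),
    ]
    return boot(chain, FIRMWARE_DB)


def scenario_tampered_bootloader() -> Dict[str, str]:
    """The bootloader image changed on disk after signing: the firmware refuses it."""
    shim = signed("shim", b"shim image", "Firmware-CA", FIRMWARE_CA_PRIV, trusts=DISTRO_TRUST)
    shim.image = b"shim image, modified on disk"   # signature no longer matches the bytes
    kernel = signed("vmlinuz", b"kernel image", "Distro-CA", DISTRO_CA_PRIV)
    return boot([shim, kernel], FIRMWARE_DB)


if __name__ == "__main__":
    for scenario in (scenario_full_chain, scenario_lax_second_stage, scenario_tampered_bootloader):
        print(scenario.__name__, scenario())
```

The three scenarios map onto the answer's points: with every link enforcing, the unsigned `rootkit.ko` is rejected at module load even though that happens long after boot; a second stage that loads the kernel unchecked leaves the kernel and everything it loads unattested, whatever their own signatures say; and a bootloader modified after signing is refused by the firmware before anything else runs.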

Secure Boot is one security technology; it is not complete. There can be attacks before Secure Boot; Intel created Boot Guard for that.

Read this Apress book for a better understanding of the various Intel silicon and firmware technologies: http://firmwaresecurity.com/tag/isbn-978-1-4302-6572-6/

Also, Secure Boot varies in strength by OS, see: http://firmwaresecurity.com/2015/07/17/secure-boot-strength-varies-by-linux-implementation/

Thanks, Lee
http://firmwaresecurity.com/feed

Lee Fisher