
Fake Secure Boot: How Malware Bypasses BIOS Security

TL;DR

Firmware-resident malware (a UEFI bootkit) can make a system look as though Secure Boot is enforced when it is not. Because it controls the firmware that sets the SecureBoot variable and performs image verification, it can report "enabled" to the operating system while loading unsigned code before any OS security feature runs. Every status check that runs inside the OS ultimately asks the firmware, so detection rests on cross-checking those answers against something the firmware does not fully control: the TPM's measurements of the Secure Boot configuration (PCR 7), a firmware image read out independently of the running system, or a known-good baseline from an identical machine.

Understanding Secure Boot

Secure Boot is a feature of UEFI (Unified Extensible Firmware Interface) designed to ensure that only trusted software can boot on a computer. It relies on a key hierarchy stored in UEFI variables: the Platform Key (PK), the Key Exchange Keys (KEK), the signature database (db) and the forbidden-signature database (dbx). Before a boot loader, operating system kernel or driver is allowed to run, the firmware checks its digital signature against db and dbx. Two further variables tell the OS what mode the firmware is in: SecureBoot (1 = enforcing, 0 = off) and SetupMode (1 = keys can be changed freely and verification is not enforced).

How Malware Fakes Secure Boot

Malware that reaches the firmware level wants Secure Boot out of its way. Turning it off outright is visible: the OS reads SecureBoot=0 and tools such as mokutil or msinfo32 report it. A more sophisticated bootkit keeps up appearances:

  1. Manipulating UEFI Variables: SecureBoot and SetupMode are read-only from the OS and are populated by the firmware at each boot. Malware running inside the firmware can set SecureBoot to 1 regardless of whether verification is enforced, and the OS has nothing but the firmware to check that value against.
  2. Enrolling Its Own Certificates: If the attacker can write to the signature database (db), whether through a firmware bug or with the platform's own PK/KEK, its binaries carry a valid-looking signature and pass verification "legitimately".
  3. Hooking Boot Services: The bootkit patches the firmware routines that load and verify images (LoadImage, StartImage and the security protocol behind them) so that signature checks report success, or so that verification is skipped only for its own modules.
  4. Modifying Boot Order: It rewrites the BootOrder and Boot#### variables so its own loader starts first and then chain-loads the legitimate one; the OS boots normally and nothing looks wrong from inside.

Detecting Fake Secure Boot

Identifying this kind of compromise is hard because every check you run from the OS is answered by the firmware you are trying to verify. Use the steps below together, and treat agreement between independent sources (the OS view, the TPM, an externally read firmware image) as the real signal:

  1. Check UEFI Variables: Use the efivar utility (available on most Linux distributions) to list the variables and inspect the ones that describe Secure Boot state.
    sudo efivar -l | grep SecureBoot

    efivar lists variables as GUID-Name, so the one you want appears as 8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot; efivarfs exposes the same variable at /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c as 4 bytes of attributes followed by one data byte. Read SecureBoot together with SetupMode from the same GUID: SecureBoot=1 with SetupMode=0 is the only consistent "enforcing" state. Both values are written by the firmware, so a firmware-level implant can set them to whatever it likes; treat them as a claim to be cross-checked, not as proof.

  2. Verify Boot Loader Signatures: mokutil --sb-state reports the same SecureBoot variable in friendlier form; it does not verify anything itself. To check that the files actually on the EFI System Partition carry valid signatures, use sbverify from sbsigntools on Linux (it lists and verifies the Authenticode signature of shim, GRUB and the kernel against a certificate you supply) or Get-AuthenticodeSignature together with Confirm-SecureBootUEFI in PowerShell on Windows. An unsigned or wrongly signed loader that nevertheless "booted fine" under a supposedly enforcing firmware is a strong indicator.
    mokutil --sb-state
  3. Inspect Firmware Logs: Most firmware exposes no readable log to the OS. Where the vendor provides one (in the setup UI, or through a management controller on servers), look for Secure Boot being switched off and back on, key or database changes, and boot entries you did not create. The one log almost every modern machine does keep is the TPM event log (see step 6), which records what the firmware measured at each boot.
  4. Compare Against Known Good Configuration: Dump PK, KEK, db, dbx, BootOrder and the Boot#### entries and diff them against a baseline from an identical, trusted system or against the vendor's published keys. Unexpected db entries and extra boot entries are exactly what a bootkit leaves behind.
  5. Use Firmware Analysis Tools: Dump the SPI flash (with a vendor tool, chipsec, or a hardware programmer, which is the only method the running firmware cannot interfere with) and open the image in UEFITool to list its volumes and modules. Compare the module hashes with the vendor's official update image for the same version; any module that differs, or that does not exist in the official image, is the one to examine in a disassembler.

    Warning: Incorrectly modifying your UEFI firmware can render your system unusable. Proceed with extreme caution.

  6. Check TPM Status (if applicable): If the machine has a Trusted Platform Module, it holds the one record the firmware cannot quietly rewrite after the fact. During boot the firmware extends PCR 7 with the values of SecureBoot, PK, KEK, db and dbx and with the certificate that authorised each loaded image, and PCR 4 with the hash of each boot loader; the matching event log is exposed on Linux at /sys/kernel/security/tpm0/binary_bios_measurements (tpm2_eventlog prints it, tpm2_pcrread sha256:4,7 reads the registers). Replay the log, confirm it reproduces the PCR values, and compare the logged SecureBoot value and image hashes with what the OS sees; a changed PCR 7 on a machine whose configuration supposedly did not change is the clearest sign of tampering. The command below only reports the TPM's variable properties (lockout state, which authorisations are set), which tells you the TPM is present and usable, not whether the boot was clean. One caveat: an implant that patches the measuring code can also measure lies, so a local comparison raises the bar, while remote attestation against a trusted baseline is what closes it.
    tpm2_getcap properties-variable
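The checks in steps 1 and 6 come together in the following script, which is an added example written for this article and not code from the original page or from any tool it mentions. It takes the efivarfs-format bytes of SecureBoot and SetupMode, a simplified PCR 7 event list (PCR index, digest, event type, event data) and the PCR 7 value the TPM reports, and cross-checks them the way a practitioner would: variable attributes and SecureBoot/SetupMode consistency, a replay of the log against the register, and a comparison of the SecureBoot value the OS sees with the value the firmware actually measured. All inputs are constructed inline. On a real host the variables come from /sys/firmware/efi/efivars/, the event list from the TCG2 log at /sys/kernel/security/tpm0/binary_bios_measurements (which this script does not parse; tpm2_eventlog does) and the register value from tpm2_pcrread; the PK bytes and the three scenarios are placeholders made up for the demonstration.

```python
import hashlib
import struct
import uuid

# EFI_GLOBAL_VARIABLE: the vendor GUID that owns SecureBoot, SetupMode, PK and KEK.
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")
EFI_VARIABLE_NON_VOLATILE = 0x1
EV_EFI_VARIABLE_DRIVER_CONFIG = 0x80000001  # TCG PC Client event type for PCR 7 variable measurements
PCR_SECURE_BOOT_POLICY = 7


def parse_efivarfs(raw):
    """efivarfs exposes a variable as 4 little-endian attribute bytes followed by its data."""
    if len(raw) < 4:
        raise ValueError("efivarfs record too short")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, bytes(raw[4:])


def build_variable_event(guid, name, value):
    """Serialise UEFI_VARIABLE_DATA, the structure firmware hashes for an EV_EFI_VARIABLE_DRIVER_CONFIG
    event: GUID, name length in characters, data length, UTF-16LE name, data."""
    return (guid.bytes_le
            + struct.pack("<QQ", len(name), len(value))
            + name.encode("utf-16-le")
            + value)


def parse_variable_event(data):
    """Inverse of build_variable_event: returns (guid, name, value)."""
    guid = uuid.UUID(bytes_le=bytes(data[:16]))
    name_len, data_len = struct.unpack_from("<QQ", data, 16)
    off = 32
    name = bytes(data[off:off + 2 * name_len]).decode("utf-16-le")
    off += 2 * name_len
    return guid, name, bytes(data[off:off + data_len])


def replay_pcr7(events):
    """Recompute PCR 7 from the log: PCR = SHA-256(PCR || digest) for each event, starting from zeros."""
    pcr = bytes(32)
    for pcr_index, digest, _event_type, _event_data in events:
        if pcr_index == PCR_SECURE_BOOT_POLICY:
            pcr = hashlib.sha256(pcr + digest).digest()
    return pcr


def audit_secure_boot(variables, events, reported_pcr7):
    """Cross-check the OS view (efivarfs bytes) against the TPM log and the PCR 7 register.
    Returns a list of findings; an empty list means the three sources agree."""
    findings = []
    attrs, secure_boot = parse_efivarfs(variables["SecureBoot"])
    _, setup_mode = parse_efivarfs(variables["SetupMode"])
    if attrs & EFI_VARIABLE_NON_VOLATILE:
        findings.append("SecureBoot carries the non-volatile attribute; the spec defines it as volatile BS+RT")
    if secure_boot == b"\x01" and setup_mode == b"\x01":
        findings.append("SecureBoot=1 while SetupMode=1: verification is not enforced in setup mode")
    if replay_pcr7(events) != reported_pcr7:
        findings.append("replayed event log does not reproduce PCR 7: log truncated or rewritten")
    measured = {}
    for pcr_index, digest, event_type, event_data in events:
        if pcr_index != PCR_SECURE_BOOT_POLICY or event_type != EV_EFI_VARIABLE_DRIVER_CONFIG:
            continue
        if hashlib.sha256(event_data).digest() != digest:
            findings.append("event digest does not match its event data")
        guid, name, value = parse_variable_event(event_data)
        if guid == EFI_GLOBAL_VARIABLE:
            measured[name] = value
    if "SecureBoot" not in measured:
        findings.append("firmware never measured SecureBoot into PCR 7")
    elif measured["SecureBoot"] != secure_boot:
        findings.append("OS reports SecureBoot=%s but firmware measured %s into PCR 7"
                        % (secure_boot.hex(), measured["SecureBoot"].hex()))
    return findings


def constructed_log(secure_boot_value):
    """Constructed PCR 7 log with the first two measurements firmware makes (SecureBoot, then PK).
    The PK bytes are a placeholder, not a real certificate."""
    events = []
    for name, value in (("SecureBoot", secure_boot_value), ("PK", b"constructed-pk-placeholder")):
        data = build_variable_event(EFI_GLOBAL_VARIABLE, name, value)
        events.append((PCR_SECURE_BOOT_POLICY, hashlib.sha256(data).digest(),
                       EV_EFI_VARIABLE_DRIVER_CONFIG, data))
    return events


def demo():
    """Three constructed scenarios; the OS-visible variables claim 'enforcing' in all of them."""
    attrs = struct.pack("<I", 0x6)  # BOOTSERVICE_ACCESS | RUNTIME_ACCESS, as a real SecureBoot variable has
    os_view = {"SecureBoot": attrs + b"\x01", "SetupMode": attrs + b"\x00"}
    honest = constructed_log(b"\x01")
    faked = constructed_log(b"\x00")  # firmware measured the truth (off) but tells the OS it is on
    return {
        "honest": audit_secure_boot(os_view, honest, replay_pcr7(honest)),
        "faked_variable": audit_secure_boot(os_view, faked, replay_pcr7(faked)),
        # attacker rewrote the log file to say "on" but cannot rewrite the TPM register
        "rewritten_log": audit_secure_boot(os_view, honest, replay_pcr7(faked)),
    }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, findings or ["no findings"])
```

The honest scenario produces no findings; the faked-variable scenario is caught because the value the firmware measured into PCR 7 disagrees with the value the OS reads; the rewritten-log scenario is caught because the replayed log no longer reproduces the register. The register is the anchor: an attacker who controls the OS can edit the log file and the variables, but cannot un-extend a PCR, which is why the comparison is worth running even though a firmware-level implant could, in principle, also measure false values.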

Mitigation

  • Keep Firmware Updated: Apply BIOS/UEFI updates from the manufacturer promptly, and keep the dbx (forbidden-signature) database current as well; revocations of compromised boot loaders only protect you once they are on the machine.
  • Enable Secure Boot (Correctly): Leave the firmware in user mode (SetupMode=0) with the platform's PK enrolled, do not leave it in custom or audit modes longer than needed, and where the platform has a TPM pair Secure Boot with measured boot so that the state is attested rather than self-reported.
  • Use Strong Passwords: Set a supervisor password on the firmware setup to block changes from the console. This stops casual tampering, not malware that already has write access to the flash; against that you need hardware-verified firmware (Intel Boot Guard, AMD Platform Secure Boot or equivalent) and a write-locked SPI flash.
  • Be Careful What You Install: Firmware implants are usually planted by software that already runs with administrator privileges, so untrusted installers and drivers are the usual entry point.
  • Regular System Scans: Use anti-malware software that can read the SPI flash and the EFI System Partition, and verify any result against the firmware-level checks above rather than trusting a clean scan on its own.