Blog | G5 Cyber Security

Secure Boot: Preventing Evil Maid Attacks

TL;DR

This guide shows you how to protect your computer from attacks where someone replaces your operating system with a malicious one (like an ‘evil maid’ attack). We’ll focus on using Secure Boot and checking the boot process. It covers UEFI, TPM, and basic steps for verifying your system hasn’t been tampered with.

Understanding the Risks

An attacker who gets physical access to your computer while it’s off can install a modified operating system or bootloader, which gives them complete control of the machine the next time it starts. Secure Boot helps prevent this by letting the firmware start only boot software that carries a trusted signature.

1. Check Your UEFI Settings

  1. Access UEFI/BIOS: Restart your computer and press the key to enter the UEFI settings (usually Delete, F2, F10, or Esc – check your motherboard manual).
  2. Find Secure Boot: Look for a setting called ‘Secure Boot’. It’s often in the ‘Boot’, ‘Security’, or ‘Authentication’ section.
  3. Enable Secure Boot: Make sure it’s enabled; if it is disabled, enable it. You might need to set a UEFI password first.
  4. Check Boot Order: Verify that your trusted boot device (usually the hard drive with your operating system) is listed as the primary boot option.
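Once Secure Boot is switched on in the firmware, it is worth confirming from inside the operating system that it is actually being enforced. The following is an added example (not code from the original post): on Linux the firmware exposes its variables under /sys/firmware/efi/efivars, and each file there starts with a 4-byte attribute field followed by the variable data; for SecureBoot and SetupMode the data is a single byte (1 = on, 0 = off). The GUID is the standard EFI global variable GUID; the directory path can be overridden so the parser can be exercised against constructed files.

```python
"""Check Secure Boot enforcement from a running Linux system.

Added example, not code from the original post. It reads the UEFI
variables the firmware exposes under /sys/firmware/efi/efivars.
Each efivar file is: 4 bytes of attributes, then the variable data.
SecureBoot and SetupMode each carry a single data byte (1 = on, 0 = off).
"""
from pathlib import Path
from typing import Optional

# EFI global variable GUID used by firmware for SecureBoot / SetupMode.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")


def parse_efivar_bool(raw: bytes) -> bool:
    """Decode a one-byte boolean efivar (attributes + data)."""
    if len(raw) < 5:
        raise ValueError(f"efivar too short: {len(raw)} bytes")
    return raw[4] == 1


def read_var(name: str, efivars_dir: Path = EFIVARS_DIR) -> Optional[bytes]:
    """Return the raw efivar file for NAME, or None if it does not exist."""
    path = efivars_dir / f"{name}-{EFI_GLOBAL_GUID}"
    if not path.exists():
        return None
    return path.read_bytes()


def secure_boot_status(efivars_dir: Path = EFIVARS_DIR) -> str:
    """Return 'enforcing', 'setup-mode', 'disabled' or 'unsupported'.

    'setup-mode' means no Platform Key is enrolled, so the signature
    databases can be rewritten without authentication: Secure Boot is
    not protecting anything in that state even if the menu says 'on'.
    """
    sb = read_var("SecureBoot", efivars_dir)
    if sb is None:
        return "unsupported"  # legacy BIOS boot, or efivars not mounted
    setup = read_var("SetupMode", efivars_dir)
    if setup is not None and parse_efivar_bool(setup):
        return "setup-mode"
    return "enforcing" if parse_efivar_bool(sb) else "disabled"


if __name__ == "__main__":
    print(f"Secure Boot: {secure_boot_status()}")
```

Run it as root (or any user that can read the efivars directory); anything other than "enforcing" means the firmware setting should be revisited before relying on it. On Windows the equivalent check is the Confirm-SecureBootUEFI cmdlet in an elevated PowerShell.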

2. TPM (Trusted Platform Module)

A TPM is a hardware security chip that stores cryptographic keys and records measurements of the boot process, which can be used to verify the integrity of your system. It’s not essential, but it adds an extra layer of protection.

  1. Check for TPM: In Windows, open Command Prompt as administrator and run:
    tpm.msc

    If a window opens showing TPM information, you have one.

  2. Enable TPM (if available): In UEFI settings, look for a ‘TPM’ section and enable it if it’s disabled.

3. Verify Boot Integrity

Regularly check that your operating system hasn’t been modified.

  1. Windows: Use System File Checker (SFC). Open Command Prompt as administrator and run:
    sfc /scannow

    This scans for corrupted or altered system files.

  2. Linux: Use a tool like AIDE (Advanced Intrusion Detection Environment) to create a baseline of your system files, then regularly compare the current state against that baseline.

    Install AIDE:
    sudo apt install aide

    Initialize database:
    sudo aide --init

    Update database after changes:
    sudo aide --update

    Check for changes:
    sudo aide --check

  3. Bootloader Verification: Some distributions offer tools to verify the integrity of the bootloader (e.g., GRUB). Consult your distribution’s documentation.
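To make the baseline-and-compare idea concrete, here is an added example of the same workflow in miniature; it is not part of the original post and not AIDE’s own code. It hashes every regular file under a directory, stores the result as a JSON baseline, and reports what was added, removed or modified since. The demo in the main block constructs its own sample files in a temporary directory, so it runs without touching the real system.

```python
"""Minimal file-integrity baseline in the style of AIDE.

Added example, not part of the original post and not AIDE's own code.
Records SHA-256, size and permission bits for every regular file under a
root, saves that as JSON, and diffs a later scan against it.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, dict]:
    """Map each relative file path to its hash, size and mode bits.

    Symlinks are skipped: hashing the target would let an attacker hide a
    change behind a link the baseline does not describe.
    """
    baseline: Dict[str, dict] = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        baseline[str(p.relative_to(root))] = {
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def save_baseline(baseline: Dict[str, dict], path: Path) -> None:
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, dict]:
    return json.loads(path.read_text())


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Return files added, removed, or changed (hash, size or mode) since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(f for f in old & new if baseline[f] != current[f]),
    }


if __name__ == "__main__":
    # Constructed sample tree; no real system files are read or written.
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
    (root / "etc" / "motd").write_text("welcome\n")
    db = root.parent / "baseline.json"
    save_baseline(build_baseline(root), db)

    # Simulate tampering after the baseline was taken.
    (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.1 evil\n")
    (root / "etc" / "motd").unlink()
    (root / "etc" / "rc.local").write_text("#!/bin/sh\n")

    print(json.dumps(compare(load_baseline(db), build_baseline(root)), indent=2))
```

Two points carry over to real AIDE use. The baseline is only trustworthy if an attacker cannot rewrite it, so keep it on read-only or offline media rather than beside the files it describes. And note that aide --init writes its output to the path configured as database_out (aide.db.new on Debian and Ubuntu); that file has to be moved into place as the input database before aide --check will compare against it.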

4. Physical Security

Secure Boot offers little protection if someone has easy, unsupervised physical access: without a UEFI password they can simply disable it in the firmware settings before installing their own bootloader.

5. Full Disk Encryption

Encrypting your entire hard drive means that even if someone steals it, they can’t access the data without the decryption key.

6. Regular Updates

Keep your operating system and firmware up to date. Updates often include security patches that address vulnerabilities.
