Secure Boot Bypass Risk Threatens Nearly 200,000 Linux Framework Laptops (bleepingcomputer.com) 63

Roughly 200,000 Linux-based Framework laptops shipped with a signed UEFI shell command (mm) that can be abused to bypass Secure Boot protections -- allowing attackers to load persistent bootkits like BlackLotus or HybridPetya. Framework has begun patching affected models, though some fixes and DBX updates are still pending. BleepingComputer reports: According to firmware security company Eclypsium, the problem stems from including a 'memory modify' (mm) command in legitimately signed UEFI shells that Framework shipped with its systems. The command provides direct read/write access to system memory and is intended for low-level diagnostics and firmware debugging. However, it can also be leveraged to break the Secure Boot trust chain by targeting the gSecurity2 variable, a critical component in the process of verifying the signatures of UEFI modules.

The mm command can be abused to overwrite gSecurity2 with NULL, effectively disabling signature verification. "This command writes zeros to the memory location containing the security handler pointer, effectively disabling signature verification for all subsequent module loads." The researchers also note that the attack can be automated via startup scripts to persist across reboots.
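The DBX updates the summary says are pending revoke the affected shell by hash, so a defender's check is whether a given image hash is already in the firmware's dbx. The following parser for the EFI_SIGNATURE_LIST format that db and dbx use is an added example, not code from the article, Eclypsium or Framework; it is run against a constructed dbx blob with placeholder hashes, since the hash of the vulnerable shell is not given on the page.

```python
import struct
import sys
import uuid

# EFI_CERT_SHA256_GUID: signature type of SHA-256 image-hash entries in db/dbx.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Files under /sys/firmware/efi/efivars/ start with 4 attribute bytes; the dbx
# variable is dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f (EFI_IMAGE_SECURITY_DATABASE_GUID).
EFIVARS_ATTR_LEN = 4
SIGLIST_HDR_LEN = 28  # SignatureType GUID (16) + three UINT32 size fields

def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner_guid, signature_data) for every entry in a
    concatenation of EFI_SIGNATURE_LIST structures, the layout of db and dbx."""
    off = 0
    while off + SIGLIST_HDR_LEN <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        # Reject sizes that would make us loop forever or read past the buffer.
        if (sig_size <= 16 or list_size < SIGLIST_HDR_LEN + hdr_size
                or off + list_size > len(blob)):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        body = blob[off + SIGLIST_HDR_LEN + hdr_size: off + list_size]
        for i in range(0, len(body) - sig_size + 1, sig_size):
            entry = body[i:i + sig_size]  # SignatureOwner GUID followed by the data
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size

def dbx_contains_sha256(blob: bytes, digest_hex: str) -> bool:
    """True if the SHA-256 image hash digest_hex is revoked in this dbx blob."""
    want = bytes.fromhex(digest_hex)
    return any(t == EFI_CERT_SHA256_GUID and data == want
               for t, _owner, data in parse_signature_lists(blob))

def build_sha256_list(digests, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used to construct sample data)."""
    entries = b"".join(owner.bytes_le + bytes.fromhex(d) for d in digests)
    return (EFI_CERT_SHA256_GUID.bytes_le
            + struct.pack("<III", SIGLIST_HDR_LEN + len(entries), 0, 16 + 32)
            + entries)

def load_efivar(path: str) -> bytes:
    """Read a variable from efivarfs, dropping the 4-byte attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[EFIVARS_ATTR_LEN:]

# Constructed sample dbx with two placeholder hashes; the real hash of the
# affected Framework shell is not on the page and is not reproduced here.
PLACEHOLDER_REVOKED = "11" * 32
PLACEHOLDER_OTHER = "22" * 32
SAMPLE_DBX = build_sha256_list([PLACEHOLDER_REVOKED, PLACEHOLDER_OTHER])

if __name__ == "__main__":
    # Usage: python dbx_check.py <efivar path> <sha256 hex>; defaults to the sample.
    if len(sys.argv) == 3:
        blob, digest = load_efivar(sys.argv[1]), sys.argv[2]
    else:
        blob, digest = SAMPLE_DBX, PLACEHOLDER_REVOKED
    print("revoked" if dbx_contains_sha256(blob, digest) else "not in dbx")
```

The digest to look up is the Authenticode hash of the PE image (what tools such as `pesign` or `sbverify` report), not a plain SHA-256 of the file bytes.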

  • by sarren1901 ( 5415506 ) on Tuesday October 14, 2025 @09:55PM (#65725620)

    If you have physical access to the laptop, then all bets are off. Here's my anecdotal evidence and recent experience getting around UEFI so that I could actually install Linux on my laptop.

    First, I had to boot into Windows that came installed. Yuck.
    Next, I had to partition the existing hard drive within Windows.
    After partitioning, I had to format the new partition within Windows.
    Once the formatting was done, I had to write to the partition a Linux media installation, as my laptop didn't come with an optical drive and the BIOS specifically blocked me from booting with a USB drive (this was irritating).
    Next, I had to go into the BIOS and set up a UEFI shim to point to the new partition I made, allowing me to even boot to the new partition.
    Once I got to boot into this partition, the Linux install itself was an absolute breeze.

    All in all it worked out, as I use Linux 99% of the time. The most frustrating part now is whenever I boot into Windows, I have to MFA in every. single. time! because Windows doesn't like GRUB being the boot loader. Windows thinks it was tampered with, and requires the extra authentication. Thankfully, I rarely use Windows and it's really only there as an emergency if I NEED access to Windows-only software.

    Ironically, had I got a year or two older laptop, booting from USB would have been okay. This was specifically blocked by Dell in this model. Thanks jerks!

    I'd also like to point out that Windows 11 and all the Dell preinstall literally took up 8 GB of RAM idling... Xubuntu takes up less than 2 GB idling. That's substantial when the entire laptop only has 16 GB (I thought 16 GB would be fine, not realizing how horrendous Windows is with RAM, WTF Microsoft).

    In closing, if I can get access to any kind of shell, I'll eventually be accessing the computer. If you really want security here, you need to do full disk encryption with a STRONG password.

    • by caseih ( 160668 )

      What laptop is this that won't allow enabling USB boot? I want to know so I can avoid buying it or recommending it to others.

      • by AmiMoJo ( 196126 )

        Modern Thinkpads let you disable access to things such as USB boot with a password, and by all accounts it's decently well protected.

        They also let you encrypt the boot drive with hardware encryption (no performance loss). Managed at the UEFI level, before the OS bootloader.

        While a powerful attacker could still compromise the machine by say adding a hardware keylogger and then returning to collect your password, the reality is that unless you are up against state level adversaries that's not a realistic thre

        • by sjames ( 1099 )

          On the other hand, by far the greatest threat to your laptop is someone wanting to steal it outright and sell it off. They're not going to bother with anything on it, just blow it away with a bootleg copy of Windows and call it a day.

          The people looking to profit from information on your laptop will do it from half a world away while you are using it.

      • by DewDude ( 537374 )

        A lot of the ex-corporate Dells I used to buy refurb all had USB boot disabled in the BIOS.

        • by caseih ( 160668 )

          Surely you just go in and re-enable it, right? I am a bit baffled as to why the original poster had to go to such complicated lengths to install Linux.

      • It's a Dell Inspiron 15 3535. It works wonderfully with Xubuntu. I used the list of known good hardware platforms from the Ubuntu site to help narrow it down. It definitely caught me by surprise that they disabled the USB boot option. The prior year model didn't have this "feature".

    • You don't need physical access to install a bootkit, just root access, and full disk encryption would only protect against bootkit infection via an evil maid attack. The bootkits being discussed here get installed by just running on top of the full OS with root privileges.

      But on the other hand, bootkits are an extremely rare form of malware, likely the rarest type, and I think creating Secure Boot in response to it was a case of whipping a curious little problem into a crisis and then never letting a crisis g

    • by Z00L00K ( 682162 )

      In newer Dell BIOS you'd have to enable Advanced BIOS settings (to the upper left in the BIOS setting screen) in order to get full BIOS control.

      Then you can disable Secure Boot and set the hard drive to be AHCI instead of RAID just to make sure that you have best compatibility.

      • and set the hard drive to be AHCI instead of RAID just to make sure that you have best compatibility.

        In my experience, you have to do that for Linux installers to even see the damn drive at all!

    • If you have physical access to the laptop, then all bets are off.

      So defeatist. I guess we should just get rid of all security then. Why do I even have a password if all bets are off?

    • That's a long way of saying you had to click 3 things on the existing installed OS to prepare the computer, and have a USB stick prepared only for legacy boot.

      • by Rujiel ( 1632063 )
        So you didn't read the part about needing a bitlocker recovery key to log into windows from grub.
      • I also ended up downloading other software to help accomplish all this. It wasn't precisely straightforward. Definitely made more difficult by the disabled USB option.

    • by _merlin ( 160982 )

      What computer are you using? I can install Linux fine on any Dell or Lenovo I've tried. UEFI has never got in my way. I looked at a friend's Toshiba one, and it didn't seem to have as many options, but it still had a Secure Boot key management interface.

      • After a bit of research while getting it set up, I learned this wasn't an issue prior to this model. So I believe you when you say you've not run into this, as this was the first model they decided to be this annoying about it. Most likely because they wanted me to spend more money on a similar device that came pre-installed with Linux.

        • by Rujiel ( 1632063 )
          On Sept. 11th this year the Microsoft-signed Secure Boot key used by many distros to sign their bootloaders expired. It seems like there has been a massive uptick in problems with installing Linux on a dual boot setup. It becomes more and more clear that vendor lockout is the primary purpose around the push to have UEFI on everything
  • That's OK. (Score:5, Informative)

    by TechyImmigrant ( 175943 ) on Tuesday October 14, 2025 @10:02PM (#65725632) Homepage Journal

    It's a good thing I never enabled secure boot on my Framework laptop.

  • Just kidding, please don't kill me!

  • No, it does not (Score:5, Insightful)

    by gweihir ( 88907 ) on Tuesday October 14, 2025 @11:01PM (#65725710)

    "Secure" boot is not about security for the user. It is DRM, plain and simple. And it serves so that Linux and other non-Windows OSes are harder to install, because Microsoft holds the keys.
     

    • Re:No, it does not (Score:5, Insightful)

      by thegarbz ( 1787294 ) on Wednesday October 15, 2025 @04:41AM (#65725972)

      Yeah indeed, typical insight from gweihir. Let's follow your thought process:
      a) Ignore the real malware listed in TFS and pretend secure boot doesn't have a user based benefit.
      b) Ignore that 100% of secure boot options on the market come with a way for the user to disable it, or load their own custom keys which have zero to do with Microsoft.
      c) Ignore the fact that installing Linux doesn't require secure boot and that the user can disable it,
      c2) Ignore that many Linux distros come secure boot capable and that it's trivial to install Linux and enable secure boot for the Linux system.

      Yep when you don't have a clue what you're talking about it's just DRM.

      • by gweihir ( 88907 )

        You really are a complete victim, aren't you?

        • Yes I am victimised by my knowledge of how this works. It's a burden that you don't seem to bear in the slightest.

      • It's DRM because it's been unsecured and broken for years. It serves no use to anyone other than Microsoft and Google to lock their own on their machines.
        • by gweihir ( 88907 )

          Exactly. If it were really about user security, it would be somewhat well maintained. It is not.

          • Exactly. If it were really about user security, it would be somewhat well maintained. It is not.

            Horseshit. The maintenance isn't the issue, it's the underlying standard. You're so keen to jump onboard anyone who agrees with your view (an ignorant one at that) that you'll literally agree with any rubbish written. Put a bit more thought into your opinion rather than bleating at the sheep in front of you.

            • by gweihir ( 88907 )

              Different from you, I happen to be an expert in this space. You are just an amateur with an outsized ego. Here is a hint: Other people may have their action be informed by actual insight. In this case here, somebody made a good point and I agreed with it.

              Yes, I am aware you cannot see that because to you, anybody that disagrees with your views must obviously be wrong. Please at least try to grow up and realize that not everybody operates on your current level of incompetence and arrogance. That you think I

              • Different from you, I happen to be an expert in this space.

                Hahhahahahaha. Friday morning comedy gold. You've shown yourself to be an expert in one thing: Appealing to authority, but you've not appealed to anything, in fact your post didn't even make a point. The only expertise you have to offer is telling others what expertise you have while posting rubbish, as evidenced that when called out on your bullshit you never even attempt to make a counter point.

                Thanks for starting my weekend in this way mate, it is always a good laugh chatting with you.

                • by gweihir ( 88907 )

                  You really are deep in delusion. Well.

                  Always funny how you presume to tell me who and what I am, when I have hard proof here how wrong you are. Makes me just one thing: entirely unimpressed with your insightless ranting.

                  You are one thing though: A pretty good example for a really toxic IT person.

        • DRM is not DRM if you are in control of simply disabling it. It's not DRM if you can simply update the keys yourself. No one has control over you, and no one is managing your rights other than you.

          Words have meanings, use them correctly.

      • I don't mind secure boot in principle but most implementations are just DRM.
        It should be mandatory that every machine must be able to boot from media and that you are allowed to load your own keys.
        • Errr. No. It is mandatory that every machine must be able to boot from media and that you are allowed to load your own keys. It's literally a required part of the UEFI standard and complete implementation of it is mandatory as part of Windows hardware certification. Also booting from media is possible even without disabling secure boot if your USB device is set up with an appropriate secure boot key. For example the Ubuntu live image works just fine with secure boot unless you used a tool which screwed up the USB wri

    • by AmiMoJo ( 196126 )

      Before Secure Boot, rootkits were common. Back in the day I fixed a huge number of machines that were infected by malware that modified the Windows SATA/IDE driver. You couldn't remove it from inside Windows because the modified driver hid the files from AV software. You had to connect the drive to another machine, or boot a Linux live CD, remove the malware, and then do a refresh install of Windows to replace the deleted driver files.

      Secure Boot put a stop to that and many similar attacks. It is a very, ve

      • >> Windows
        That's your problem right there.
        The good news is, it can easily be fixed.

        • by AmiMoJo ( 196126 )

          Linux is just as vulnerable, and believe me I've tried it and it's not better than Windows for day-to-day use.

          • by stooo ( 2202012 )

            nope, it isn't as vulnerable.
            Windows is typically used with too lax admin rights, allowing for installing malware. Linux is not.

          • by gweihir ( 88907 )

            Linux is just as vulnerable

            That is really not true. Ever tried to harden Windows or Linux? Ever tried to do actual system administration on either? Ever dealt with a vulnerability and observed how long it took to get a patch?

            ... and believe me I've tried it and it's not better than Windows for day-to-day use.

            And that depends very much on what you do with it and which distro you use.

            • by AmiMoJo ( 196126 )

              For hardening they are both annoying in different ways, but neither is better than the other.

              For network admin, GPO and related tech is the better solution for most people. For local, Windows is usually better than arsing around with shitty config files.

              Vulnerability wise it depends who is handling it. Microsoft were responsive the one time I dealt with them. On the Linux side, the developer of that component can be helpful, or not. The guy behind systemd won the "worst vendor response" award for his effort

              • by gweihir ( 88907 )

                That is simply not true. But I guess some people will massively overestimate the quality of the thing they are most familiar with.

                Incidentally, the "guy behind systemd" works for Microsoft these days.

              • by gweihir ( 88907 )

                I should add that "systemd" is not part of Linux. It is part of one possible Linux init system. And it is likely the worst one to be found. But, just as a data point, one of the ways to make Linux more secure is to run it without systemd. I do that for all my installations. Does not even require any special effort. Try doing something like that on Windows.

    • That is what secureboot is used for, however it can be used for real useful purposes.
      The most important step is to take control of the keys, which with Framework you actually can do: I removed all keys but mine, and the machine works beautifully...

      • by gweihir ( 88907 )

        Sure. But what percentage of the user base can do that? And have you noticed that "secure" boot comes with vulnerabilities, time and again? That kind of defeats the purpose of using it for actual beneficial security.

  • by ledow ( 319597 ) on Wednesday October 15, 2025 @03:22AM (#65725910) Homepage

    Oh no... they'll just have to... patch their firmware like every other manufacturer has had to.

    For those people who bought a Framework laptop, enabled secure boot and rely exclusively on that to protect their computer from booting into an unauthorised operating system.

    P.S. their firmware page currently has 11 CVE fixes listed for the latest firmware.

    This is inevitable.
    This is how manufacturers should do things.
    It's really not even that important.
    Making an article about it is scaremongering.
    I don't see an article every time Dell has something like this, or Asus, or HP, or ...

  • It's only a matter of time before any software approach to updating the BIOS online is broken and hacked. Haven't we gone through enough iterations to see that clearly?

    Write your BIOS, with checksums if you like. In place of your BIOS chip, have a device that CANNOT BE WRITTEN. There are several such devices. Many of them, EEPROMs, various forms of RAM, actually can be written by switching the logic state of one pin. So techies, or PC repair people could rewrite the BIOS. Even a savvy user could with good manufacturer instructions. That's not smart. It's stupid. And in security, stupid works. No clever bit of code will rewrite a BIOS that can't perform that task in hardware. The hackers can and will have to go to hell.
    • by kamakazi ( 74641 )

      Maybe I am missing something, but a non-writable BIOS is also a bit non-functional. The BIOS (or UEFI in modern machines) tells your computer where the device is from which you want to boot. It also does other things like enable/disable net booting, enable/disable integrated peripherals, determine what happens on power loss/restore, even simple stuff like whether or not a key repeats when you hold it down.
      If that is all preset in a non-writable chip you have made a computer that is useless for many people.

      • With your statement "non-writable BIOS is non-functional" history will have to disagree. Because if that were true all computers before 2003 would never be usable. And I clearly remember computers being used in lots and lots of places, doing many diverse tasks. Besides that, before I had to enter the draft, I got a temporary job in maintenance of bank computers and money counting machines. And I dealt with boatloads of these machines, as those were on rigid maintenance schedules.

        Those devices used EEPROM

        • by kamakazi ( 74641 )

          I agree, it is entirely possible to run a computer without the ability to modify the boot parameters, and it is the best way to run dedicated task hardware, because if it works then it works, and the only people who should be configuring those are people authorized/trained/equipped to do that. A lot of hardware from gas pumps to medical equipment and the aforementioned banking hardware should be run like this. However a general purpose home computer kinda needs to be configurable without additional hardwar

      • by sjames ( 1099 )

        Before flash was even practical, computers kept BIOS on true ROM and used a small persistent storage commonly called CMOS for configuration. It could be a pain because the button battery that maintained it could die.

        These days, you could use a small flash for configuration and a larger one with write disabled in hardware for the boot code.

      • A non-writable stock fallback ROM chip can be a thing, and could be used to counter such hacks.
      • That's odd, we used that kind of stuff until '03. You had the read-only BIOS and any changes were kept in the CMOS. We never had problems.
  • As a lawyer would say "not suitable for the purpose sold".
    For a story about how Oxide avoided them, see "Holistic boot", at https://rfd.shared.oxide.compu... [shared.oxide.computer]

    ["Really quite horrid" is British for "<expletive deleted/> piece of <expletive deleted/> junk"]

  • This can be used to regain access to a laptop you own that has been hijacked by DRM you don't want. Since it requires physical possession of the laptop, it doesn't pose much risk to the end user.

    I just disable secure boot. If the device leaves my control long enough for someone to do something with it, it has to be treated as potentially compromised with or without secure boot. Why create an additional recovery roadblock for myself? Security is a funny thing if you think about it carefully enough.

    Always lock
