WebProNews

Tag: Secure Boot

  • openSUSE Begins Enforcing Secure Boot Kernel Lockdown

    Linux distro openSUSE has begun enforcing Kernel Lockdown when Secure Boot is enabled, creating issues for many users.

    Kernel Lockdown was introduced in version 5.4 of the Linux kernel and is designed to help protect the kernel from tampering and unauthorized modification, and serves as an important security feature. It works together with Secure Boot, which is a system to ensure the bootloader process is running legitimate, trusted code signed by Microsoft-controlled master keys.

    While openSUSE has long supported Secure Boot, it did not have Kernel Lockdown enabled for its Tumbleweed distro. Because Tumbleweed is a rolling distro, where updates are pushed out as they become available instead of waiting for a point release, leaving Kernel Lockdown disabled made it easier for users to deal with unsigned kernel modules and drivers, such as Nvidia drivers.

    According to a Reddit thread that also links to an openSUSE mailing list, Microsoft refused to continue signing openSUSE’s bootloader shim unless Kernel Lockdown was enabled. As a result, beginning with kernel 6.2.1, openSUSE Tumbleweed will enable Kernel Lockdown whenever Secure Boot is also enabled.

    Microsoft’s reasons for insisting on Kernel Lockdown being enabled are easy to understand. Without it, Secure Boot is essentially useless, giving anyone who had it enabled a false sense of security.

    At the same time, users who rely on Nvidia drivers on the fast-moving Tumbleweed now have a choice to make: either disable Secure Boot or manually sign those modules so that the kernel can load them.

    Even for users without Nvidia cards, hibernation is another casualty of the change, and no longer works on systems with Secure Boot enabled, although there is ongoing discussion about how to re-enable it with Secure Boot.

    Contrary to many opinions, while Microsoft does serve as the central signing authority, Secure Boot is not a Microsoft attempt to control people’s hardware, as evidenced by the fact that users can sign their own modules. openSUSE provides instructions on how to do so at the following link:

    https://en.opensuse.org/SDB:NVIDIA_drivers#Secureboot
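    The two checks and the signing workflow the article alludes to, written out as an added example (this is not code from WebProNews or from the openSUSE wiki page linked above): a helper that reads the active mode out of /sys/kernel/security/lockdown, a state report using mokutil, and functions that create a Machine Owner Key (MOK), sign an out-of-tree module with the kernel's sign-file helper and enrol the key. The MOK directory (/var/lib/mok-example) is a made-up location, and the sign-file path under /lib/modules/$(uname -r)/build/scripts/ is an assumption about where the running kernel's build tree is installed; the inverse operation (listing and deleting an enrolled MOK) is included because it is the same tool a cleanup after a key-enrolling bootkit relies on.

```shell
#!/bin/sh
# Added example, not part of the original article or of openSUSE's documentation.
# Assumed: MOK files live under /var/lib/mok-example (hypothetical location) and the
# kernel's sign-file helper is at /lib/modules/$(uname -r)/build/scripts/sign-file.

# Extract the active mode from the text of /sys/kernel/security/lockdown, which the
# kernel prints with the active mode in brackets, e.g. "none [integrity] confidentiality".
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Return 0 when the mode means unsigned modules will be refused ("integrity" or
# "confidentiality"); "none" means Lockdown is off and unsigned modules still load.
lockdown_enforces_signing() {
    case "$(lockdown_mode "$1")" in
        integrity|confidentiality) return 0 ;;
        *) return 1 ;;
    esac
}

# Report the live state of this machine (needs mokutil and a Lockdown-aware kernel).
report_state() {
    mokutil --sb-state 2>/dev/null || echo "mokutil not available"
    if [ -r /sys/kernel/security/lockdown ]; then
        echo "Kernel Lockdown mode: $(lockdown_mode "$(cat /sys/kernel/security/lockdown)")"
    else
        echo "Kernel Lockdown interface not present"
    fi
}

MOK_DIR=${MOK_DIR:-/var/lib/mok-example}   # assumed location, override via environment

# Create a self-signed MOK once; the private key must stay readable by root only.
create_mok() {
    mkdir -p "$MOK_DIR" && chmod 700 "$MOK_DIR"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Machine Owner Key/" \
        -keyout "$MOK_DIR/MOK.priv" -outform DER -out "$MOK_DIR/MOK.der"
    chmod 600 "$MOK_DIR/MOK.priv"
}

# Sign one module in place and print the signer's CN so the result can be checked.
# Usage: sign_module /path/to/module.ko
sign_module() {
    sign_file="/lib/modules/$(uname -r)/build/scripts/sign-file"   # assumed path
    "$sign_file" sha256 "$MOK_DIR/MOK.priv" "$MOK_DIR/MOK.der" "$1"
    modinfo -F signer "$1"
}

# Queue the certificate for enrolment; mokutil asks for a one-time password that
# the MokManager screen requests on the next boot before the key becomes trusted.
enrol_mok() {
    mokutil --import "$MOK_DIR/MOK.der"
}

# Inverse operations: audit what is enrolled, and queue a certificate for removal.
list_enrolled() { mokutil --list-enrolled; }
delete_mok() { mokutil --delete "$1"; }   # argument: DER certificate to remove
```

Run `report_state` first: if mokutil reports "SecureBoot enabled" and the Lockdown mode is "integrity", an unsigned module will fail to load, and the remaining functions (create_mok, sign_module, enrol_mok, then a reboot to confirm enrolment in MokManager) are the path that keeps Secure Boot on. Signing has to be repeated for every new kernel or driver build, which is why rolling distros feel the change most.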

  • BlackLotus Malware Is the First to Bypass Secure Boot

    Computer security became a little more challenging, with the BlackLotus malware becoming the first to bypass Secure Boot.

    Secure Boot is a method of signing the kernel and various boot components, ensuring that no malicious software can be inserted into the boot process and compromise a machine. While there have been many claims of malware that can bypass Secure Boot, BlackLotus is the first.

    According to ESET malware analyst Martin Smolár, “the first publicly known UEFI bootkit bypassing the essential platform security feature – UEFI Secure Boot – is now a reality.”

    Smolár goes on to discuss ESET’s findings, including the fact that BlackLotus can compromise even “the latest, fully patched Windows 11 systems with UEFI Secure Boot enabled.”

    The malware uses a vulnerability that was patched more than a year ago because “the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability.”

    In many ways, a bootkit like BlackLotus is the Holy Grail of exploits because the bootkit has “full control over the OS boot process and thus capable of disabling various OS security mechanisms and deploying their own kernel-mode or user-mode payloads in early OS startup stages.”

    Because the bootkit hijacks the process early on, attackers can even enroll their own keys in the system so that the malware can have unfettered access without tripping any security measures.

    ESET’s research is disturbing on many levels, not the least of which is the fact that BlackLotus can be delivered both offline and online. This means an attacker does not need physical access to a device in order to compromise it.

    To make matters worse, it appears the vulnerability BlackLotus exploits is not the only one.

    “UEFI Secure Boot stands in the way of UEFI bootkits, but there are a non-negligible number of known vulnerabilities that allow bypassing this essential security mechanism,” writes Smolár. “And the worst of this is that some of them are still easily exploitable on up-to-date systems even at the time of this writing – including the one exploited by BlackLotus.”

    At this point, there are no absolute mitigation measures, only a combination of things that can reduce the likelihood of a compromise. Once a computer is compromised, the safest thing to do is to reinstall it and use the mokutil utility to delete the signed key that BlackLotus enrolls, which is what enables it to bypass Secure Boot.