date 2003-03-25
from the uefi-is-good-for-what-ails-ya dept.
UEFI, or Unified Extensible Firmware Interface, is a small, insecure, embedded operating system touted as a replacement for computer BIOS. OS hacker and small scale farmer Sami Tikkanen has a guest post over at Techrights debunking UEFI hype and Microsoft's lies, yet again. UEFI has a lot of baggage and controversy. Some here may remember the debates prior to its forced roll out.
More than a year ago I wrote a document that I named "UEFI fact sheet". The purpose was to create a more truthful counterpart to a similarly named document which the UEFI forum was spreading on various Internet sites. For a long time my document was the first search result on most search engines when searching for "UEFI fact sheet". Recently I noticed that Bing (which is owned and maintained by Microsoft) had put my document to the second page of search results, and the first result now points to a disinformation document that is published by the UEFI forum.
For some reason the UEFI firmware is often being advocated by telling actual lies about both UEFI and BIOS, which is supposedly meant to be completely replaced by UEFI. Although these lies are technically not true, they have somehow achieved the status of an "official truth", to such extent that those claims are now everywhere and it is easier to find online sources that support them than it is to find those that don't. Those lies are being spread in such a determined manner that if you try to correct those claims in the articles of the Finnish Wikipedia, the changes are immediately reverted and you even get personally attacked by the user who reverted the changes.
In general the most hardworking UEFI advocates seem to be people who don't do stuff like install alternative operating systems on their computers. They certainly don't write computer code that would have something to do with the motherboard's firmware or interface with the peripheral devices.
The need for UEFI-type motherboard firmware is usually reasoned with seven main arguments: [...]
Coreboot is a Free and Open Source option to replace UEFI, and generally considered safer. Some OEMs provide the option to provide Coreboot.
Previously:
(2024) Secure Boot is Completely Broken on 200+ Models From 5 Big Device Makers
(2023) Stealthy UEFI Malware Bypassing Secure Boot Enabled by Unpatchable Windows Flaw
(2022) Responsible Stewardship of the UEFI Secure Boot Ecosystem
(2022) Chinese APT Deploys MoonBounce Implant in UEFI Firmware
(2021) Upgrading a Motherboard's BIOS/UEFI (the Hard Way)
and many more ...
Related Stories
https://www.downtowndougbrown.com/2021/12/upgrading-a-motherboards-bios-uefi-the-hard-way/
A couple of weeks ago I found a really good deal on a Socket AM4 motherboard that supports the newest AMD Ryzen CPUs. The motherboard is an ASRock A520M/ac. It's a very basic motherboard which doesn't appear to be sold by any of the usual retailers anymore, but I couldn't pass up on the deal, especially with the potential it had for being a fun learning project.
The reason I got such a good deal on it was because it was sold in non-working condition, but the seller and I both had a pretty good hunch about what was wrong. The seller said that they had bought it as an open box unit, but couldn't get it to POST. However, they had only tried CPUs in it that were not compatible with the original BIOS version. I decided to have some fun and see if that was indeed the only problem. I didn't have an older CPU available to easily test that theory. I did have a new Ryzen 7 5700G, which is only supported by BIOS revision P1.60 or newer.
An interesting read for those of us who are happy to work at the hardware level.
Chinese APT deploys MoonBounce implant in UEFI firmware:
Security researchers have unveiled MoonBounce, a custom UEFI firmware implant used in targeted attacks.
The implant is believed to be the work of APT41, a Chinese-speaking sophisticated hacking group also known as Winnti or Double Dragon.
On January 20, Kaspersky researchers said that at the end of last year, the team uncovered a case of Unified Extensible Firmware Interface (UEFI) compromise caused by the modification of one component in the firmware – a core element called SPI flash, located on the motherboard.
"Due to its emplacement on SPI flash which is located on the motherboard instead of the hard disk, the implant is capable of persisting in the system across disk formatting or replacement," the team noted.
Not only did the tweak to the firmware result in persistence at a level that is extremely difficult to remove, the team says that the firmware image was "modified by attackers in a way that allowed them to intercept the original execution flow of the machine's boot sequence and introduce a sophisticated infection chain."
The developer of the MoonBounce UEFI rootkit is said to have a deep and thorough understanding of how UEFI systems work.
"The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table, namely AllocatePool, CreateEventEx and ExitBootServices," the researchers explained. "Those hooks are used to divert the flow of these functions to malicious shellcode that is appended by the attackers to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot chain, namely the Windows loader."
https://mjg59.dreamwidth.org/60248.html
After I mentioned that Lenovo are now shipping laptops that only boot Windows by default, a few people pointed to a Lenovo document that says:
"Starting in 2022 for Secured-core PCs it is a Microsoft requirement for the 3rd Party Certificate to be disabled by default."
"Secured-core" is a term used to describe machines that meet a certain set of Microsoft requirements around firmware security, and by and large it's a good thing - devices that meet these requirements are resilient against a whole bunch of potential attacks in the early boot process. But unfortunately the 2022 requirements don't seem to be publicly available, so it's difficult to know what's being asked for and why. But first, some background.
[...] Given the association with the secured-core requirements, this is presumably a security decision of some kind. Unfortunately, we have no real idea what this security decision is intended to protect against. The most likely scenario is concerns about the (in)security of binaries signed with the third-party signing key - there are some legitimate concerns here, but I'm going to cover why I don't think they're terribly realistic.
The first point is that, from a boot security perspective, a signed bootloader that will happily boot unsigned code kind of defeats the point. Kaspersky did it anyway. The second is that even a signed bootloader that is intended to only boot signed code may run into issues in the event of security vulnerabilities - the Boothole vulnerabilities are an example of this, covering multiple issues in GRUB that could allow for arbitrary code execution and potential loading of untrusted code.
BlackLotus represents a major milestone in the continuing evolution of UEFI bootkits:
Researchers on Wednesday announced a major cybersecurity find—the world's first-known instance of real-world malware that can hijack a computer's boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.
Dubbed BlackLotus, the malware is what's known as a UEFI bootkit. These sophisticated pieces of malware hijack the UEFI—short for Unified Extensible Firmware Interface—the low-level and complex chain of firmware responsible for booting up virtually every modern computer. As the mechanism that bridges a PC's device firmware with its operating system, the UEFI is an OS in its own right. It's located in an SPI-connected flash storage chip soldered onto the computer motherboard, making it difficult to inspect or patch.
[...] The second thing standing in the way of UEFI attacks is UEFI Secure Boot, an industry-wide standard that uses cryptographic signatures to ensure that each piece of software used during startup is trusted by a computer's manufacturer. Secure Boot is designed to create a chain of trust that will prevent attackers from replacing the intended bootup firmware with malicious firmware. If a single firmware link in that chain isn't recognized, Secure Boot will prevent the device from starting.
While researchers have found Secure Boot vulnerabilities in the past, there has been no indication that threat actors have ever been able to bypass the protection in the 12 years it has been in existence. Until now.
[...] To defeat Secure Boot, the bootkit exploits CVE-2022-21894, a vulnerability in all supported versions of Windows that Microsoft patched in January 2022. The logic flaw, referred to as Baton Drop by the researcher who discovered it, can be exploited to remove Secure Boot functions from the boot sequence during startup. Attackers can also abuse the flaw to obtain keys for BitLocker, a Windows feature for encrypting hard drives.
Keys were labeled "DO NOT TRUST." Nearly 500 device models use them anyway.
In 2012, an industry-wide coalition of hardware and software makers adopted Secure Boot to protect against a long-looming security threat. The threat was the specter of malware that could infect the BIOS, the firmware that loaded the operating system each time a computer booted up. From there, it could remain immune to detection and removal and could load even before the OS and security apps did.
The threat of such BIOS-dwelling malware was largely theoretical and fueled in large part by the creation of ICLord Bioskit by a Chinese researcher in 2007. ICLord was a rootkit, a class of malware that gains and maintains stealthy root access by subverting key protections built into the operating system. The proof of concept demonstrated that such BIOS rootkits weren't only feasible; they were also powerful. In 2011, the threat became a reality with the discovery of Mebromi, the first-known BIOS rootkit to be used in the wild.
Keenly aware of Mebromi and its potential for a devastating new class of attack, the Secure Boot architects hashed out a complex new way to shore up security in the pre-boot environment. Built into UEFI—the Unified Extensible Firmware Interface that would become the successor to BIOS—Secure Boot used public-key cryptography to block the loading of any code that wasn't signed with a pre-approved digital signature. [...]
On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what's known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it. The repository was located at https://github.com/raywu-aaeon/Ryzen2000_4000.git, and it's not clear when it was taken down.