“Whether a proof of concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats,” ESET researchers wrote. “Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems, it emphasizes the necessity of being prepared for potential future threats.”

  • chevy9294
    link
    fedilink
    English
    arrow-up
    5
    ·
    1 month ago

    Well… if you have your own keys (like I do) you have to store them somewhere. That somewhere is probably somewhere on a computer where they are used so you can update the kernel. If you have private keys, you can probably bypass secure boot.

    Is there a way to have private keys stored on a nitrokey that has to be plugged in for every kernel update?

    • Illecors@lemmy.cafe
      link
      fedilink
      English
      arrow-up
      8
      ·
      1 month ago

      Yes, failing to safeguard keys is fatal, but that applies to everything. But if fs you’re storing keys on is behind luks and they’re readable by root only - you’re as safe enough. There’re also LSMs like selinux that can increase the complexity of attack.

      I don’t know about nitrokey specifically, but TPM is an option (not good enough, imo) and a simple luks encrypted usb. You could get some convenience by storing the key to unlock it somewhere on the encrypted root.

      In general - you cannot stop a targeted attack no matter what, but staying safe from all the automated ones is doable.

      • chevy9294
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 month ago

        They are stored behind luks and I think they are readable only by root. But bootkit can probably only infect UEFI from Linux that is running on that machine. And to interact to UEFI you probably have to be root, right?

        I’ll look into more options, either store keys on a seperate luks usb key or on a hardware securety key like Nitrokey. For sbctl there is already a roadmap feature for hardware security keys, I hope this comes soon :)