• @[email protected]
    21
    8 days ago

    If someone has physical access then surely they can change the initramfs without having to use the debug shell?

    • @[email protected]
      6
      8 days ago

      It seems the issue here is that initramfs is not signed, which makes this attack possible.

      If it is signed and an evil maid modifies the initramfs itself, it will break the secure boot process and the user will be notified that their system has been tampered with. This should indicate that the secure boot protection is working.

      If initramfs is not signed and it drops to the debug shell, then the attacker can make any changes to your system without it affecting secure boot, since it has already passed the protection. At least that’s my understanding when I read this.

      • @[email protected]
        10
        8 days ago

        This is true; unfortunately, some Linux users have been conditioned to “just turn off Secure Boot” without understanding what this actually means and entails.

        • @[email protected]
          3
          8 days ago

          I am guilty of this too.

          Despite considering that I need to set up secure boot for my laptop, I have kept it on hold for a bit too long.
          But then again, considering the area I am in, I can hardly expect someone to try and steal my data or try to put ransomware or a similar thing on it, if it means having to get physical access for it. Much higher chance for someone to just steal and sell the thing as is.

          • @[email protected]
            6
            8 days ago

            There are probably cases where turning off Secure Boot is fine. If you make that decision for yourself and are aware of the implications, go ahead. My remark wasn’t against users turning it off, but rather against the advice of “just turn it off lol”.

            • @[email protected]
              1
              8 days ago

              “just turn it off lol”

              Yeah, that’s probably just people who read the initial comments from back when secure boot keys were not user configurable (and support wasn’t available in Linux) and kept on echoing it all the way to the present.

              Kinda similar to the “Linux is just secure” echoers, who might have started from some proper argument explaining what kinds of security problems don’t exist in systems developed using Linux and why they don’t require installing a 24/7 antivirus background process. Because people tend to make catchphrases. I, too, sometimes forget the implications and tend to make them.

      • @[email protected]
        1
        8 days ago

        That makes sense. Would a signed initramfs be possible though? Since it’s usually rebuilt after most system updates?

        • @[email protected]
          2
          8 days ago

          Depends on the OS, but you can generally have mkinitcpio handle generating new UKIs after updates and also have it trigger something like sbctl to re-sign images.
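          The mkinitcpio + sbctl setup mentioned above, as an added example that is not from the thread or from either project: a preset that emits a UKI (kernel, initramfs and cmdline in one PE image that Secure Boot can verify) and a one-time `sbctl sign -s` so the image is tracked for re-signing after updates. Assumed: an Arch-style layout with the ESP at /efi, the `linux` kernel package, and that sbctl's pacman hook re-signs tracked files after mkinitcpio regenerates them.

```shell
#!/bin/sh
# Added example (not from the thread): keep the initramfs inside a signed UKI
# so an evil maid cannot edit it without breaking the Secure Boot chain.
# Assumptions: ESP mounted at /efi, kernel package "linux", sbctl installed.
set -eu

UKI="/efi/EFI/Linux/arch-linux.efi"
PRESET="/etc/mkinitcpio.d/linux.preset"

# Write a preset whose "default" target is a UKI rather than a loose
# initramfs image. mkinitcpio takes the kernel command line from
# /etc/kernel/cmdline if present (assumed; otherwise it copies /proc/cmdline).
write_preset() {
    preset_path="$1"; uki_path="$2"
    cat > "$preset_path" <<EOF
# mkinitcpio preset (constructed example)
ALL_kver="/boot/vmlinuz-linux"
ALL_config="/etc/mkinitcpio.conf"
PRESETS=('default')
default_uki="$uki_path"
EOF
}

# One-time setup. enroll-keys needs the firmware in Setup Mode; --microsoft
# keeps Microsoft's certs so option ROMs and dual-boot still verify.
# "sign -s" saves the path in sbctl's database, which is what lets
# `sbctl sign-all` (run by its pacman hook, assumed) re-sign the UKI after
# every kernel/initramfs rebuild instead of leaving a fresh unsigned image.
sign_uki() {
    uki_path="$1"
    sbctl create-keys
    sbctl enroll-keys --microsoft
    mkinitcpio -P
    sbctl sign -s "$uki_path"
    sbctl verify
}

# Only touch the real system when explicitly asked (APPLY=1 ./uki-sign.sh).
if [ "${APPLY:-0}" = 1 ]; then
    write_preset "$PRESET" "$UKI"
    sign_uki "$UKI"
fi
```

Run `sbctl verify` after the next kernel update to confirm the regenerated UKI still reports as signed; an unsigned entry there means the hook did not fire and the initramfs is back to being unprotected.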