What is UEFI Secure Boot

What is Secure Boot?
Secure Boot is one feature of the latest Unified Extensible Firmware Interface (UEFI) 2.3.1 specification (Errata C). The feature defines an entirely new interface between the operating system and the firmware/BIOS.

When enabled and fully configured, Secure Boot helps a computer resist attacks and infection from malware. Secure Boot detects tampering with boot loaders, key operating system files, and unauthorized option ROMs by validating their digital signatures. Anything that fails validation is blocked from running before it can attack or infect the system.

How does Secure Boot work?
Secure Boot works like a security gate. Code with valid credentials gets through the gate and executes. Code with bad credentials, or no credentials at all, is stopped at the gate and rejected.

Intel® Desktop Boards embed the default Secure Boot keys for Windows 8*. These boards, and required BIOS versions, have been tested and passed the Windows Hardware Certification Kit (WHCK) for Windows 8.

The Secure Boot mechanism relies on public/private key pairs to verify the digital signature of all firmware and software before execution.

The UEFI "Secure Boot" technology consists of a collection of keys, categorized as follows:
  • Platform Key (PK)
  • Key Exchange Key (KEK)
  • Whitelist Database (DB)
  • Blacklist Database (DBX)
On a system with Secure Boot enabled and configured, each of these items will contain the public portions of public/private key pairs. The keys are used to authorize various components of the firmware and software.

1. The Platform Key (PK) establishes a trust relationship between the platform owner and the firmware (UEFI BIOS) by controlling access to the KEK database. There is a single PK per platform, and the public portion of the PK is installed into the system, typically during production at the OEM (Original Equipment Manufacturer). The private portion of the PK is necessary for modifying the KEK database.

2. The Key Exchange Key (KEK) database establishes a trust relationship between the firmware and the OS. The KEK database is a list of public keys against which requests to modify the whitelist database (DB) or blacklist database (DBX) are checked for authorization. There can be multiple KEKs per platform. The private portion of a KEK is necessary for modifying the DB or DBX.

3. The whitelist database (DB) is a list of public keys that are used to check the digital signature of a given piece of firmware or software. To illustrate the DB, assume the system is booting and is about to execute the bootloader that selects an OS to boot. The system checks the digital signature of the bootloader against the public keys in the DB; if the bootloader was signed with a corresponding private key, it is allowed to execute. Otherwise, it is blocked as unauthorized.

4. Conversely, the blacklist database (DBX) is a list of public keys known to correspond to malicious or unauthorized firmware or software. Any software signed with a corresponding private key from this database will be blocked.
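The security gate and the PK -> KEK -> DB/DBX hierarchy described above, as an added example that is not part of the original post: a Python model in which the firmware accepts a KEK only when its enrolment is signed by the PK, accepts DB/DBX entries only when they are signed by an enrolled KEK, and runs a bootloader only if its signature verifies under a DB key and not under any DBX key. The key pairs are textbook RSA over tiny Mersenne-prime moduli so the script runs with the standard library alone; the key sizes, the key serialization (the repr of the public key) and the bootloader bytes are constructed for this example and are not secure or real.

```python
import hashlib
def mersenne(k):             # Mersenne primes for k in 13, 17, 19, 31, 61, 89, 107, 127
    return (1 << k) - 1
def keypair(p, q, e=65537):  # textbook RSA: ((n, e), (n, d)); toy sizes, insecure
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))
def digest(data, n):         # SHA-256 of the image, reduced into the key's modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data):
    return pow(digest(data, priv[0]), priv[1], priv[0])
def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])
def key_bytes(pub):          # serialized public key: the payload of an enrolment request
    return repr(pub).encode()

class SecureBootPlatform:    # PK authorizes KEK changes, KEKs authorize DB/DBX changes
    def __init__(self, pk_pub):
        self.pk, self.kek, self.db, self.dbx = pk_pub, [], [], []
    def _signed_by_any(self, keys, data, sig):
        return any(verify(k, data, sig) for k in keys)
    def enroll_kek(self, key_pub, sig):
        ok = verify(self.pk, key_bytes(key_pub), sig)
        if ok: self.kek.append(key_pub)
        return ok
    def update(self, which, key_pub, sig):  # which is "db" or "dbx"
        ok = self._signed_by_any(self.kek, key_bytes(key_pub), sig)
        if ok: (self.db if which == "db" else self.dbx).append(key_pub)
        return ok
    def may_execute(self, image, sig):
        # The gate: DBX (deny) is consulted before DB (allow); anything else is blocked
        if self._signed_by_any(self.dbx, image, sig):
            return False
        return self._signed_by_any(self.db, image, sig)

def demo():
    # Constructed scenario: the OEM provisions the chain, then several boots are judged
    pk_pub, pk_priv = keypair(mersenne(89), mersenne(127))
    kek_pub, kek_priv = keypair(mersenne(61), mersenne(107))
    oem_pub, oem_priv = keypair(mersenne(31), mersenne(19))
    old_pub, old_priv = keypair(mersenne(17), mersenne(13))  # leaked signing key, to be revoked
    fw = SecureBootPlatform(pk_pub)
    fw.enroll_kek(kek_pub, sign(pk_priv, key_bytes(kek_pub)))
    fw.update("db", oem_pub, sign(kek_priv, key_bytes(oem_pub)))
    fw.update("dbx", old_pub, sign(kek_priv, key_bytes(old_pub)))
    loader = b"constructed bootloader image"
    return {"oem_signed": fw.may_execute(loader, sign(oem_priv, loader)),
            "tampered": fw.may_execute(loader + b"!", sign(oem_priv, loader)),
            "revoked_key": fw.may_execute(loader, sign(old_priv, loader)),
            "unsigned": fw.may_execute(loader, 0),
            "rogue_db_update": fw.update("db", old_pub, sign(oem_priv, key_bytes(old_pub)))}
```

Only the OEM-signed, untampered image passes the gate; the rogue DB update fails because the OEM key is in DB, not in the KEK database, so it cannot authorize policy changes.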

Over the years, experts have observed several attacks employing rootkits specifically developed to target firmware in order to achieve persistence and bypass security solutions.

The Secure Boot mechanism, however, allows only software trusted by the Original Equipment Manufacturer (OEM) to execute.

Injecting malicious code into the UEFI/BIOS firmware of a device could allow attackers to achieve persistence on the device and make the malware undetectable to common anti-malware solutions.

The latest reports confirm that TrickBot, one of the most active botnets in the world, has gained a new improvement: a UEFI/BIOS bootkit feature.

The infamous TrickBot's authors have added a new feature dubbed “TRICKBOOT”, designed to exploit well-known vulnerabilities in UEFI/BIOS firmware and inject malicious code such as bootkits.

The TrickBoot functionality was documented by experts from Advanced Intelligence (AdvIntel) and Eclypsium.

“This new functionality makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to read, write, or erase the UEFI/BIOS firmware of a device. This marks a significant step in the evolution of TrickBot as UEFI level implants are the deepest, most powerful, and stealthy form of bootkits. By adding the ability to canvass victim devices for specific UEFI/BIOS firmware vulnerabilities, TrickBot actors are able to target specific victims with firmware-level persistence that survives re-imaging or even device bricking capability.”

Thanks to this new improvement, TrickBot can carry out UEFI attacks of the kind that could also be part of nation-state hacking campaigns.

Please let me know what you think about this in the comment section. You can also share this with others if the information here helps you in some way.

Kindly comment on the posts or topics; when you do, you help me greatly in designing new quality articles and posts on cybersecurity.