“Whether a proof of concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats,” ESET researchers wrote. “Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems, it emphasizes the necessity of being prepared for potential future threats.”

  • chevy9294@monero.town
    link
    fedilink
    English
    arrow-up
    0
    ·
    29 days ago

    Well… if you have your own keys (like I do) you have to store them somewhere. That somewhere is probably somewhere on a computer where they are used so you can update the kernel. If you have private keys, you can probably bypass secure boot.

    Is there a way to have private keys stored on a nitrokey that has to be plugged in for every kernel update?

    • Illecors@lemmy.cafe
      link
      fedilink
      English
      arrow-up
      0
      ·
      29 days ago

      Yes, failing to safeguard keys is fatal, but that applies to everything. But if fs you’re storing keys on is behind luks and they’re readable by root only - you’re as safe enough. There’re also LSMs like selinux that can increase the complexity of attack.

      I don’t know about nitrokey specifically, but TPM is an option (not good enough, imo) and a simple luks encrypted usb. You could get some convenience by storing the key to unlock it somewhere on the encrypted root.

      In general - you cannot stop a targeted attack no matter what, but staying safe from all the automated ones is doable.