CVE-2022-21894
shim
CVE-2022-21894 | shim | |
---|---|---|
5 | 20 | |
277 | 810 | |
- | 2.0% | |
2.4 | 6.7 | |
9 months ago | 4 days ago | |
C | C | |
The Unlicense | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
CVE-2022-21894
-
Stealthy UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw
ESET described what BlackLotus does to exploit baton drop:
-
BlackLotus UEFI bootkit: Myth confirmed
CVE-2022-21894 PoC: Secure Boot Security Feature Bypass Vulnerability https://github.com/Wack0/CVE-2022-21894
-
First in-the-wild UEFI bootkit bypassing UEFI Secure Boot
The write-up I saw suggests that revoking the Windows bootloader would cause existing install and restore images to fail to boot even with Secure Boot disabled because it checks its own signature, which would be pretty amazing if true: https://github.com/Wack0/CVE-2022-21894
- Baton Drop (CVE-2022-21894): Secure Boot Security Feature Bypass Vulnerability
shim
- Critical bug that exists in every Linux boot loader signed in the past decade
-
Signing a UEFI module
Microsoft doesn't really sign other people's code for UEFI. They do sign shim (https://github.com/rhboot/shim) which will look at other keys the user registered with UEFI to load other components to enable you to write custom third party UEFI modules while still supporting secure boot.
-
The vendor-locking is for your own safety. Do not resist.
In this case, the distros first boot loader is shim, which is signed by Microsoft. Shim is FOSS: https://github.com/rhboot/shim
-
SBAT for rEFInd
How do I get dual boot set up and running? There doesn't seem so much documentation about this sbat chicanery as it was introduced to shim in 2021 and patched in rEFInd a bit more than a month ago, so I suppose not enough people have had this trouble yet.
-
Microsoft VS BlackLotus Malware
Secure boot still isn't "secure" at all because microsoft has signed multiple bootloaders with their own keys, which exist only to chain load a second bootloader. See https://github.com/rhboot/shim and https://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/
-
First in-the-wild UEFI bootkit bypassing UEFI Secure Boot
A new mechanism called SBAT (https://github.com/rhboot/shim/blob/main/SBAT.md) is now used to allow revocation of groups of bootloaders rather than individual hashes in order to mitigate the resource consumption
-
Ultimate guide to Pop OS secure boot with NVIDIA.
{ echo "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md" echo "systemd-boot,1,systemd,systemd-boot,1,https://systemd.io" } > sbat.csv
- How to add an SBAT section to grub and resign?
-
Unable to install Fedora 36 with secure boot enabled.
Yeah, that incident instigated a totally new approach to revoking bad bootloaders that everybody (including Microsoft) should be using nowadays. So I guess HP just never got the memo.
- Invalid image when trying to boot Nobara Project USB image (both Gnome and KDE)
What are some alternatives?
Ventoy - A new bootable USB solution.
tpm-km - yet another pack of scripts for TPM2+Luks
CVE-2020-0796 - CVE-2020-0796 - Windows SMBv3 LPE exploit #SMBGhost
tpm-luks
bootkit-samples - Bootkit sample for firmware attack
tpm2KeyUnlock - Adds an automated unlock function based on TPM policy installation
AreWeAntiCheatYet - A comprehensive and crowd-sourced list of games using anti-cheats and their compatibility with GNU/Linux or Wine.
tpm2-initramfs-tool - Tool used in initramfs to seal/unseal FDE key to the TPM
WoeUSB - A Microsoft Windows® USB installation media preparer for GNU+Linux
stig - TUI and CLI for the BitTorrent client Transmission
tremc - Curses interface for transmission [Moved to: https://github.com/tremc/tremc]
uefi-ntfs - UEFI:NTFS - Boot NTFS or exFAT partitions from UEFI