Why Secure Boot Matters: Preventing Unauthorized Code Execution

As the technology advances, cyber threats are becoming more sophisticated and powerful than ever. In such an ever-evolving technological landscape, ensuing the integrity of systems right from the moment they power on is critical. Secure Boot is one of the important security mechanisms that’s designed to prevent malicious or unauthorised code from being loaded and executed during the system boot process (aka. pre-execution environment). Secure Boot plays a crucial role in protecting systems from rootkits, malware and the firmware attacks by verifying the authenticity of firmware and bootloaders using cryptographic signatures – code signing certificates, checksums, integrity checks etc.

In this blog, we’ll explore what Secure Boot is, how it works, its significance, and the implementation best practices.

What is Secure Boot?

Secure Boot is a security standard developed to protect systems from running malicious and untrusted code during the boot process. Secure Boot ensures that only trusted and digitally signed components – software, firmware & bootloaders are loaded when system boots. This effectively prevents rootkit and bootkit from compromising the system.

Core components of Secure Boot

• UEFI Firmware: UEFI modern replacement for legacy BIOS that provides secure and flexible interface between Operating System and the underlying hardware.
• PKI (Public Key Infrastructure): PKI enables cryptographic verification of firmware and bootloader integrity. It also helps to establish chain of trust through certificates and digital certificates that ensure only authenticated and untampered components are loaded during the boot process.
• Platform Key (PK): A root of trust that controls the security of system’s firmware. Platform Key serve as a highest authority to manage secure boot keys and policies within the UEFI firmware. It also used to sign and authorise updates to the secure boot keys database – KEK, db, dbx, etc.
• Key Exchange Keys (KEKs): Act as a layer between Platform Key and the database that dictates which software is allowed or denied during the boot process. KEK helps to ensure that the software components are signed by trusted authority before they’re allowed to run on an Operating System.
• Database of Trusted Keys (db): Is simply a list of digital certificates, cryptographic keys, and hash values that defines which software, firmware, OS kernel, drivers are safe to run during the boot process.

How Secure Boot Works

1. Trusted Boot Path
   Secure Boot depends on public key cryptography to establish chain of trust that authenticate and verifies software components such as firmware, bootloader, drivers, and OS kernel before execution. These components must be digitally signed by the trusted certificate authorities – i.e. Microsoft, Linux distributions, software maintainers etc. If untrusted or tampered components are detected, Secure boot prevent it from loading or halts the boot process.
2. Cryptographic Signature Verification:
   Secure Boot uses digital signatures to validate the authenticity and integrity of components that are loaded and executed during the system boot phase such as firmware, bootloader, drivers, and OS kernel. UEFI maintains a database of trusted keys and revoked keys, namely db & dbx respectively. These databases help to determine whether the software component is permitted to load and execute.
3. Hardware Trust:
   Secure Boot works along with Trusted Platform Modules to enhance the security by:
   • Ensuring Boot Integrity: TPM stores boot component’s cryptographic configurations securely that helps in detecting tampering and unauthorised modifications.
   • Preventing Rollback Attacks: Attackers often tries to replace the secure boot loader with the older or vulnerable bootloader. TPM helps to detect such attempts and ensure that only secure and up-to-date bootloader and boot components are loaded.
   • Measured Boot support: TPM stores the hashed values of boot components which further used for an integrity checks and remote attestation.

Risks of Unauthorized Code Execution

Inadequate configuration of Secure Boot or disabling it altogether makes the system vulnerable to various security threats including:

Rootkits and Bootkits

• Rootkits: Malicious software (aka. Malware) that designed to conceal its presence and alter system files and processes to gain unauthorised system access. For example, the first UEFI rootkit LoJax was found in the wild and persisted through the OS reinstalls. This has shown how important it is to secure the boot process.
• Bootkits: Advanced form of rootkits that specifically targets the bootloader and tries to gain a complete control over the system before any security tool becomes active.

Firmware Attacks
To gain a persistent control over a system, attackers may inject a malicious firmware or manipulate the existing firmware. Kaspersky researchers have discovered the MoonBounce malware in 2021 which was embedded into the UEFI firmware. It was used to disable windows security tools and bypass UAC – User Account Control.

Ransomware and Advanced Persistent Threats (APTs)
Sophisticated attacks use low-level malware to encrypt data & disks, steal credentials or establish persistent control even before the OS loads its security measurements. Security researchers at Eclypsium and Advanced Intelligence (AdvIntel) have discovered a TrickBoot malware in December 2022. TrickBoot was developed to detect vulnerabilities in firmware, specifically BIOS and UEFI. It enables attackers to establish a persistent control, disable OS-level security defences and compromise the firmware.

Unauthorized OS and Kernel Loaders
In the absence of Secure Boot attackers can replace the OS loader with an altered or rouge version and circumvent security measures, execute malicious code and compromise the system. An Evil Maid attack, publicly demonstrated by Joanna Rutkowska (a cybersecurity researcher and founder of Invisible Things Lab) in 2009 was used in various attacks to tamper with firmware, bootloaders and encryption keys to bypass other security measures. The name came from an idea where an attacker like hotel made can gain an access to unattended system, install malicious software and compromise the system.

How Secure Boot Prevents Unauthorized Code Execution

Digital Signature Verification
Secure Boot ensure that the components loaded and executed during the boot process are verified and signed by the trusted certification authorities. This prevents execution of unsigned and tampered bootloaders which makes it harder for attackers to inject malicious and compromised firmware and kernel modules.

Protection Against Firmware Tampering
Firmware has remained a high-value target for an attackers as compromised firmware provides a greater control over the system. Secure Boot prevents firmware modifications by verifying the updates against list of trusted authorities such as Microsoft, Linux etc. In the event of altered firmware, system halts the boot process stopping further security compromise.

Defense Against Rootkits and Bootkits
Rootkits and bootkits attempts to compromise system before an operating system are loaded and security controls have become active. Secure Boot prevents the execution of rootkit and bootkit by ensuring that the components loaded during boot process are verified and signed by the authorised vendors.

Secure OS Booting
Secure Boot protects operating system’s core components from unauthorised manipulation. It verifies the integrity of bootloader, OS kernel and drivers. Secure Boot prevents kernel-mode malware which are notoriously difficult is detection once operating system is loaded.

Integration with TPM for Enhanced Security
Secure Boot works alongside the Trusted Platform Module (TPM) to boost boot security. TPM securely stores cryptographic keys and verifies system integrity upon the boot. Additionally, TPM helps in detecting and blocking advanced boot-time attacks including firmware-level threats.

Best Practices for Implementing Secure Boot

To accelerate the benefits of Secure Boot and protect against unauthorised code execution, effective implementation of Secure Boot is a key. Below are some of the key settings to look for:

1. Enable Secure Boot from the BIOS/UEFI firmware setting during the system startup.
2. Ensure firmware and the bootloader is digitally signed and verified by the trusted authorities.
3. Regularly check for an update for an installed firmware and automate it as much as possible.
4. Use digitally signed operating systems such as Windows, Linux, Ubuntu, etc. that supports Secure Boot and always verifies the signature of OS before installing.
5. Ensure cryptographic keys and certificates are stored in the UEFI Secure Boot database to verify boot components.
6. Remove unwanted and unauthorised keys from the database to reduce attack surface area.
7. Leverage TPM-based security features such as Microsoft Device Guard, Linux Integrity Measurement Architecture or boot attestation to validate boot components.
8. Audit secure boot logs regularly and leverage SIEM tools to detect unauthorised changes and failed verifications effectively.
9. Utilize measured boot and Runtime Integrity monitoring with Secure Boot to identify and respond promptly to the tampering.
10. Implement Endpoint Detection and Response (EDR) tools to detect advanced threats such as rootkits and firmware attacks.

Final Thoughts

Secure boot is an important security addition that protects against rootkits, bootkits, unauthorised code execution and advanced attacks targeting firmware. It significantly reduces the attack surface by ensuring that only digitally singed and verified software components are loaded and executed during the system boot. As cyber landscape is rapidly evolving, implementing Secure Boot effectively is essential for ensuring the system integrity and data security. Whether you’re an individual or experienced system admin, enabling and configuring Secure Boot should be the highest priority to protect against firmware threats.