I have secure boot enabled and require signing of kernel modules before loading. The key used for signing is on an external drive to reduce the chances of the key being compromised and used to sign a malicious kernel module. Is there any way to prevent root from disabling secure boot via mokutil --disable-validation? An attacker could simply disable secure boot validation after shim loads, so the BIOS would have no idea, but unsigned kernel modules could load. This is what I am trying to mitigate or make more difficult.

  • If someone has obtained root access to your PC you're already compromised irrevocably and any protections in place become meaningless. Commented Aug 14, 2020 at 14:49
  • Isn't it possible to confine the root user using mandatory access controls like selinux? Commented Aug 14, 2020 at 15:01
  • Secure boot does not protect against an attacker that has physical access to the machine. You need physical access to disable secure boot in the way you describe. If you can't prevent physical access by untrusted users, I suggest setting a BIOS password to prevent unauthorized reboots. Commented Aug 14, 2020 at 15:39
  • @JohanMyréen "An attacker could simply disable secure boot validation after shim loads, so the BIOS would have no idea, but unsigned kernel modules could load"; this is possible via mokutil --disable-validation. Commented Aug 14, 2020 at 15:56
  • @johndoe Yes, but finishing the disabling requires physical access. Commented Aug 14, 2020 at 18:17
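The question is whether the shim-level bypass can be noticed from inside the OS. As an added example (not from the question or the comments), this checks the signals a defender can read after boot: the firmware SecureBoot variable, shim's MokSBStateRT mirror (non-zero when validation is disabled in shim), a pending MokSB request left by mokutil --disable-validation that still awaits confirmation at the next reboot, and the kernel's module sig_enforce parameter. The efivarfs layout, the variable names and GUIDs, and the sysfs path are assumptions about a typical shim/Ubuntu setup.

```python
from pathlib import Path
from typing import Dict, Optional

# Assumed locations/GUIDs: efivarfs mount, the EFI global variable GUID (SecureBoot)
# and shim's vendor GUID used for the Mok* variables written by mokutil/MokManager.
EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
SHIM_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"

def efivar_payload(raw: bytes) -> bytes:
    """efivarfs files carry a 4-byte little-endian attribute word, then the variable data."""
    if len(raw) < 4:
        raise ValueError("efivar file too short to contain an attribute word")
    return raw[4:]

def assess(secureboot: Optional[bytes], mok_sb_state_rt: Optional[bytes],
           disable_request_pending: bool, sig_enforce: Optional[str]) -> Dict[str, bool]:
    """Derive findings from raw efivar contents (None when a variable is absent)."""
    firmware_sb = secureboot is not None and efivar_payload(secureboot)[:1] == b"\x01"
    # shim mirrors MokSBState into MokSBStateRT; a non-zero byte means validation is off in shim
    shim_off = mok_sb_state_rt is not None and efivar_payload(mok_sb_state_rt)[:1] not in (b"", b"\x00")
    modules_enforced = sig_enforce == "Y"
    return {
        "firmware_secure_boot": firmware_sb,
        "shim_validation_disabled": shim_off,
        "disable_request_pending": disable_request_pending,
        "module_sig_enforce": modules_enforced,
        # alert when the firmware says Secure Boot is on but shim is not validating,
        # when a disable request awaits the next reboot, or when module signing is not enforced
        "alert": (firmware_sb and shim_off) or disable_request_pending or not modules_enforced,
    }

def read_var(name: str, guid: str) -> Optional[bytes]:
    path = EFIVARS / f"{name}-{guid}"
    return path.read_bytes() if path.exists() else None

def assess_live() -> Dict[str, bool]:
    """Read the live system; MokSB is the variable mokutil --disable-validation leaves for MokManager."""
    sig = Path("/sys/module/module/parameters/sig_enforce")
    return assess(
        read_var("SecureBoot", EFI_GLOBAL_GUID),
        read_var("MokSBStateRT", SHIM_GUID),
        (EFIVARS / f"MokSB-{SHIM_GUID}").exists(),
        sig.read_text().strip() if sig.exists() else None,
    )

if __name__ == "__main__":
    for key, value in assess_live().items():
        print(f"{key}: {value}")
```

Run it from a cron job or a monitoring agent and alert on `alert: True`; the pending-request check is the useful one, because it fires before the reboot at which the change is confirmed.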

1 Answer

  • Set a BIOS passphrase
  • Encrypt your hard drive and store the key somewhere else
  • Disable default SSH
  • Disable default RDP
  • Set strict firewall rules

As far as I know, no one has yet been able to crack or bypass Windows BitLocker. For Ubuntu, if it is highly configured it will be super hard to break through; else, everything is still possible...
