Worried about bootkits, rootkits, UEFI nasties? Have you tried turning on Secure Boot, asks the No Sh*! Agency
The American surveillance super-agency's 39-page explainer [PDF] covers UEFI security and, in particular, how folks can master Secure Boot and avoid switching it off for compatibility reasons.
Secure Boot is a mechanism that uses cryptography to ensure you're booting an operating system that hasn't been secretly meddled with; any addition of a bootkit or rootkit should be caught by Secure Boot.
"Firmware is stored and executes from memory that is separate from the operating system and storage media. Antivirus software, which runs after the operating system has loaded, is ineffective at detecting and remediating malware in the early-boot firmware environment that executes before the operating system. Secure Boot provides a validation mechanism that reduces the risk of successful firmware exploitation and mitigates many published early-boot vulnerabilities."
The best way to avoid trouble, says No Such Agency, is to simply avoid turning off Secure Boot in the first place.
Because of this, the agency advises government agencies that are particularly paranoid about their network security to check the Secure Boot settings on all machines to make sure they've set up the proper protections and disabled any bypasses.
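One way to run the check described above on Linux hosts, as an added example that is not from the article or the NSA guide: it decodes the UEFI `SecureBoot` and `SetupMode` variables in the layout efivarfs exposes them. The state labels, function names, host names and sample bytes are constructed for illustration.

```python
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE GUID from the UEFI specification
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # Linux efivarfs mount point


def read_flag(raw):
    """Decode a one-byte UEFI variable as stored by efivarfs:
    a 4-byte little-endian attribute word followed by the data byte."""
    if raw is None:
        return None
    if len(raw) != 5:
        raise ValueError(f"expected 5 bytes (attributes + flag), got {len(raw)}")
    _attrs, value = struct.unpack("<IB", raw)
    return value


def classify(secure_boot_raw, setup_mode_raw):
    """Map raw SecureBoot / SetupMode contents to an audit label (labels are ours)."""
    sb, sm = read_flag(secure_boot_raw), read_flag(setup_mode_raw)
    if sb is None:
        return "no-uefi-vars"  # legacy/CSM boot, or efivarfs not mounted
    if sm == 1:
        return "setup-mode"    # no Platform Key enrolled, so nothing is enforced
    return "enforcing" if sb == 1 else "disabled"


def read_host(root=EFIVARS):
    """Classify the machine this runs on (or a copied efivars tree under root)."""
    def load(name):
        path = Path(root) / f"{name}-{EFI_GLOBAL}"
        return path.read_bytes() if path.exists() else None
    return classify(load("SecureBoot"), load("SetupMode"))


# Constructed sample data: (SecureBoot, SetupMode) contents per hypothetical host
SAMPLES = {
    "host-a": (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00"),
    "host-b": (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x00"),
    "host-c": (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x01"),
    "host-d": (None, None),
}


def audit(samples):
    """Return only the hosts that are not enforcing Secure Boot."""
    results = {host: classify(*raw) for host, raw in samples.items()}
    return {host: state for host, state in results.items() if state != "enforcing"}


if __name__ == "__main__":
    print("this host:", read_host())
    print("needs attention:", audit(SAMPLES))
```

A host reported as `enforcing` has Secure Boot switched on in firmware; the check says nothing about which keys or signature databases are enrolled.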
News URL
https://go.theregister.com/feed/www.theregister.com/2020/09/16/nsa_secureboot_guide/