oss-sec mailing list archives

Re: Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory


From: Solar Designer <solar () openwall com>
Date: Sat, 11 May 2024 13:21:23 +0200

Hi,

Corey's message is confused and there's no indication in it whether the
system was compromised, so that part doesn't need further discussion,
but as a moderator I don't mind someone explaining Linux's (and other
systems') exposure of the EFI variables and DFCI and what it means for
security as well as what it does not.

On Fri, May 10, 2024 at 01:19:35PM +0000, Corey Lopez wrote:
> investigate other files on my system with the immutable attribute set by running this
> command as root:

> # find / -type f -exec lsattr {} + 2>/dev/null > immutable-list-find.txt

> This led me the directory /sys/firmware/efi/efivars/ where I discovered efi variables

That's normal.

> Microsoft advertises DFCI as a defense mechanism against rootkits, however it seems that it
> is being used as a UEFI bootkit.

No reason to think so.

> I did discover loop devices on my system that I could not remove with the
> losetup command.

That's probably because they were in use.  That's normal.

Alexander
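The point made above is that the immutable bit on files under /sys/firmware/efi/efivars/ is expected (the kernel sets it on EFI variables), so a raw lsattr sweep needs filtering before it tells you anything. The script below is an added example, not part of the thread or of any tool either poster mentions: it takes lsattr-style output on stdin and reports only immutable files outside efivars, which are the ones worth a second look. The sample listing is constructed for illustration; the EFIVARS_DIR path is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): triage an lsattr listing so
# that the expected immutable files under efivars are set aside and only
# immutable files elsewhere on the system are reported.

EFIVARS_DIR="/sys/firmware/efi/efivars"

# lsattr prints "<flags> <path>", where <flags> is a fixed-width string of
# '-' and attribute letters ('i' = immutable). Print the path of every line
# whose flag field contains 'i'. The path is taken as everything after the
# first space so that paths containing spaces survive.
immutable_paths() {
    awk '$1 ~ /i/ { sub(/^[^ ]+ /, ""); print }'
}

# Drop paths under efivars; immutable there is kernel behaviour, not a finding.
outside_efivars() {
    grep -v "^$EFIVARS_DIR/" || true
}

# Full pipeline: listing on stdin -> unexpected immutable paths on stdout.
triage() {
    immutable_paths | outside_efivars
}

# Number of unexpected immutable files in a listing supplied on stdin.
count_unexpected() {
    triage | wc -l | tr -d ' '
}

# Constructed sample listing in lsattr's output format. The two efivars
# entries are the normal case; /etc/resolv.conf is the kind of admin-applied
# immutable file the filter is meant to surface.
SAMPLE='----i---------e------- /sys/firmware/efi/efivars/Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c
----i---------e------- /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
--------------e------- /etc/passwd
----i---------e------- /etc/resolv.conf
--------------e------- /usr/bin/ls'

# Demonstration on the constructed sample (prints "/etc/resolv.conf").
printf '%s\n' "$SAMPLE" | triage
```

To run it against a live system rather than the sample, feed it the same find command from the thread, e.g. `find / -xdev -type f -exec lsattr -- {} + 2>/dev/null | triage`; `-xdev` keeps the sweep on one filesystem so /sys and /proc are not walked at all, which also makes the efivars filter mostly a safety net.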

