oss-sec mailing list archives
Re: Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory
From: Jacob Bachmeyer <jcb62281 () gmail com>
Date: Sat, 11 May 2024 21:44:23 -0500
Solar Designer wrote:
Hi, Corey's message is confused and there's no indication in it whether the system was compromised, so that part doesn't need further discussion, but as a moderator I don't mind someone explaining Linux's (and other systems') exposure of the EFI variables and DFCI and what it means for security as well as what it does not.
While he is definitely somewhat confused, he claims at the start to have detected a compromise, but does not give details about the indications that led him to that conclusion.
As far as I can tell from a quick perusal, (landing at <URL:https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Scenarios/DfciScenarios/>) it seems that DFCI "Zero Touch" is actually tightly bound to Microsoft cloud services, and there is supposed to be a local option to remove the zero touch certificate (thus disabling it more-or-less permanently) if DFCI is not in use on the machine. The example implies that the UEFI configuration tool ("BIOS setup") should provide this option.
-- Jacob
Current thread:
- Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Corey Lopez (May 11)
- Re: Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Solar Designer (May 11)
- Re: Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Jacob Bachmeyer (May 13)
- Re: lsof "can't stat() fuse.${name} filesystem /run/user/1000/${dir}" Simon McVittie (May 11)
- Re: Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Jacob Bachmeyer (May 13)
- Re: Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory Solar Designer (May 11)