Product SiteDocumentation Site

1.5. Potential Secure Boot Risks

Secure Boot will not protect your PC from most malware or attackers. Secure Boot itself protects the boot phase of a system, but does not protect against attacks against your running system or data. In Fedora if you use Secure Boot, what modules the kernel loads can be restricted, but no additional protection is provide against user space malware. The initial ramdisk (initrd) disk image used during boot is not protected by this feature, and could contain malicious code.

1.5.1. Forced removal of features in Secure Boot mode

We currently use a blacklist approach to disable known-unsafe kernel functionality. In some cases, specific functionality has been disabled. In most cases such functionality is obscure and seldom used. Currently, the list of restricted functionality includes:
  • modification of device memory address maps through "setpci", and writes to that memory from user space via sysfs
  • hibernate (also known as suspend to disk)
  • kexec and kdump (addressing this is a work in progress)
  • writes to Machine Specific Registers writes via the msr kernel module.
  • the acpi_rsdp command line option, which is used to specify custom ACPI data
  • io operations on /dev/kmem
In addition, use of systemtap modules is restricted to those modules which have been signed with an appropriate certificate. It is recommended that such a certificate be generated on-site, taking care to follow appropriate security practices for storage and use of a signing certificate. When using a site-local certificate, it can be enrolled in the machine's local database using the mokutil utility, which will then require a reboot before taking effect. Upon rebooting, shim will start MokManager to present you with an interface to enroll the certificate.

Warning

It is critically important that proper precautions be employed when using site-local certificates, so that they cannot be found and used by an attacker to subvert module security. Treat such certificates as you would any critical secrets, and follow industry best practices for cryptographic keys and certificates.