Hardware-and-Firmware-Security-Guidance

May want to mention protection for initramfs hijacking

Open noahbliss opened this issue 4 years ago • 1 comment

Regarding Linux, the secureboot document appears to cover the steps for enabling secureboot and also explains the general architecture for protections enabled with that technology, but there is a commonly overlooked abuse which was not mentioned. This abuse works against Redhat/Debian/other major distros' default implementations of secureboot and requires deliberate effort to mitigate.

Ultimately this stems from the limitation of secureboot being only able to verify the signature of a single EFI file on disk, but most distributions boot with 2 or 3. Mutilation of these unverified files can result in early-boot privileged code execution, potential disk key interception, and modification of kernel boot parameters which can severely cripple a machine's security posture.

I've worked on some documentation and a tool for remediating this kind of attack here: https://github.com/noahbliss/mortar

There are some other fantastic additional reading resources as well, but this is definitely a major design consideration when building a hardened Linux machine.

Additional resources: https://github.com/Snawoot/linux-secureboot-kit https://threat.tevora.com/secure-boot-tpm-2/

noahbliss avatar Sep 24 '20 21:09 noahbliss
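A check for the gap described in the issue above, added here as an example (it is not code from the issue, from this guidance repository or from mortar): Secure Boot validates only the signed EFI binary, so the initramfs and the kernel command line have to be measured and compared separately. The component names, file contents and the HMAC key are constructed stand-ins; a real deployment would seal the key in a TPM or use a signature instead.

```python
"""Verify the boot components Secure Boot does not cover against a
known-good manifest. Added example; file contents and key are constructed."""
import hashlib
import hmac
import json

# Constructed sample contents standing in for the files read from the ESP.
GOOD_BOOT = {
    "vmlinuz": b"\x7fELF kernel image (constructed)",
    "initrd.img": b"\x1f\x8b cpio initramfs (constructed)",
    "cmdline": b"root=/dev/mapper/root rd.luks.uuid=EXAMPLE quiet",
}
MANIFEST_KEY = b"constructed-demo-key"  # would be TPM-sealed or a signing key


def build_manifest(components: dict, key: bytes) -> dict:
    """Record SHA-256 of every boot component and seal the list with an HMAC."""
    digests = {name: hashlib.sha256(data).hexdigest()
               for name, data in sorted(components.items())}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"digests": digests, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_boot_chain(components: dict, manifest: dict, key: bytes) -> list:
    """Return the names of components that differ from the manifest.

    A manifest whose MAC does not verify is treated as untrusted: every
    component is reported, so a forged manifest can never pass silently.
    Missing and unexpected files are reported as well."""
    body = json.dumps(manifest["digests"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return ["manifest"] + sorted(components)
    bad = []
    for name in sorted(set(components) | set(manifest["digests"])):
        data = components.get(name)
        actual = hashlib.sha256(data).hexdigest() if data is not None else None
        if actual != manifest["digests"].get(name):
            bad.append(name)
    return bad


if __name__ == "__main__":
    manifest = build_manifest(GOOD_BOOT, MANIFEST_KEY)
    # Simulate an unsigned initramfs that was altered on disk after install.
    tampered = dict(GOOD_BOOT, **{"initrd.img": GOOD_BOOT["initrd.img"] + b" (modified)"})
    print(verify_boot_chain(GOOD_BOOT, manifest, MANIFEST_KEY))  # []
    print(verify_boot_chain(tampered, manifest, MANIFEST_KEY))   # ['initrd.img']
```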

Other resources: https://safeboot.dev https://linuxboot.org

bracketttc avatar Oct 13 '21 12:10 bracketttc