I have dual boot Windows 11 Home Edition and Debian based setup on my laptop.
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: 2024.1
Codename: kali-rolling
After realizing a security breach on my Kali system I discovered /etc/network/interface
had the immutable attribute set while trying to restrict access using chmod. I decided to
investigate other files on my system with the immutable attribute set by running this
command as root:
# find / -type f -exec lsattr {} + 2>/dev/null > immutable-list-find.txt
This led me the directory /sys/firmware/efi/efivars/ where I discovered efi variables
pertaining Microsoft's Device Firmware Configuration Interface (DFCI). Microsoft's
DFCI enables zero touch remote configuration of UEFI BIOS giving the ability to
manage BIOS settings and hardware. The DFCI allows for remote disabling or enabling
of cameras, microphones, radios, boot external media, bootstrapping an OS, cpu
virtualization, and I/O virtualization. According to Microsoft's github page, the zero
touch certificate is shared by all DFCI-enabled systems and does not need to be injected
at manufacturing.
Microsoft advertises DFCI as a defense mechanism against rootkits, however it seems that it
is being used as a UEFI bootkit. According to Microsoft DFCI is not available for Windows 10
or 11 Home Edition. My Acer Aspire 3 15 has Windows 11 Home Edition, and was purchased
as a consumer product versus a commercial. This means that not only is there a capability that
DFCI can be implemented on a consumer product, but through a Linux based operating system.
I will provide the ASCII output of each file that I found on my Kali Linux system from the
/sys/firmware/efi/efivars/ directory. I will not provide the entire hexdump output to save space.
However, I will provide more if requested after my initial posting.
File Name: DfciDeviceIdentifier-4123a1a9-6f50-4b58-9c3d-56fc24c6c89e
ASCII output:
|....<?xml versio|
|n="1.0" encoding|
|="utf-8"?><UEFID|
|eviceIdentifierP|
|acket><Identifie|
|rs><Identifier><|
|Id>Manufacturer<|
|/Id><Value>Acer<|
|/Value></Identif|
|ier><Identifier>|
|<Id>Product Name|
|</Id><Value>Aspi|
|re A315-44P</Val|
|ue></Identifier>|
|<Identifier><Id>|
|Serial Number</I|
|d><Value>NXKSJAA|
|0044050439E3400<|
|/Value></Identif|
|ier></Identifier|
|s><DfciVersion>2|
|</DfciVersion></|
|UEFIDeviceIdenti|
|fierPacket>.|
File Name: DfciIdentityCurrent-de6a8726-05df-43ce-b600-92bd5d286cfd
(NOTE: something that stood out to me is the
Zero Touch ID: 0989C5F7EA3379388F79990875B23E031A5DA554)
ASCII Output:
|....<?xml versio|
|n="1.0" encoding|
|="utf-8"?><UEFII|
|dentityCurrentPa|
|cket><Certificat|
|es><Certificate>|
|<Id>User</Id><Va|
|lue>Cert not ins|
|talled</Value></|
|Certificate><Cer|
|tificate><Id>Use|
|r1</Id><Value>Ce|
|rt not installed|
|</Value></Certif|
|icate><Certifica|
|te><Id>User2</Id|
|><Value>Cert not|
| installed</Valu|
|e></Certificate>|
|<Certificate><Id|
|>Owner</Id><Valu|
|e>Cert not insta|
|lled</Value></Ce|
|rtificate><Certi|
|ficate><Id>ZeroT|
|ouch</Id><Value>|
|0989C5F7EA337938|
|8F79990875B23E03|
|1A5DA554</Value>|
|</Certificate></|
|Certificates></U|
|EFIIdentityCurre|
|ntPacket>.|
File Name: DfciPermissionCurrent-3a9777ea-0d9f-4b65-9ef3-7caa7c41994b
ASCII Output:
|....<?xml versio|
|n="1.0" encoding|
|="utf-8"?><Curre|
|ntPermissionsPac|
|ket Default="1" |
|Delegated="128">|
|<Date>2024-01-30|
|T13:51:08</Date>|
|<Permissions><Pe|
|rmissionCurrent>|
|<Id>Dfci.OwnerKe|
|y.Enum</Id><PMas|
|k>9</PMask><DMas|
|k>128</DMask></P|
|ermissionCurrent|
|><PermissionCurr|
|ent><Id>Dfci.Ztd|
|Key.Enum</Id><PM|
|ask>1</PMask></P|
|ermissionCurrent|
|><PermissionCurr|
|ent><Id>Dfci.Ztd|
|Unenroll.Enable<|
|/Id><PMask>0</PM|
|ask></Permission|
|Current><Permiss|
|ionCurrent><Id>D|
|fci.Ztd.Recovery|
|.Enable</Id><PMa|
|sk>0</PMask></Pe|
|rmissionCurrent>|
|</Permissions><L|
|SV>0</LSV></Curr|
|entPermissionsPa|
|cket>.|
File Name: DfciSettingsCurrent-d41c8c24-3f5e-4ef4-8fdd-073e1866cd01
ASCII Output:
|....<?xml versio|
|n="1.0" encoding|
|="utf-8"?><Curre|
|ntSettingsPacket|
|><Date>2024-01-3|
|0T13:51:34</Date|
|><Settings><Sett|
|ingCurrent><Id>D|
|evice.BootOrderL|
|ock.Enable</Id><|
|Value>Disabled</|
|Value></SettingC|
|urrent><SettingC|
|urrent><Id>Devic|
|e.USBBoot.Enable|
|</Id><Value>Enab|
|led</Value></Set|
|tingCurrent><Set|
|tingCurrent><Id>|
|Dfci.BootOnboard|
|Network.Enable</|
|Id><Value>Disabl|
|ed</Value></Sett|
|ingCurrent><Sett|
|ingCurrent><Id>D|
|evice.Password.P|
|assword</Id><Val|
|ue>No System Pas|
|sword</Value></S|
|ettingCurrent><S|
|ettingCurrent><I|
|d>Dfci.RecoveryU|
|rl.String</Id><V|
|alue /></Setting|
|Current><Setting|
|Current><Id>Dfci|
|.RecoveryBootstr|
|apUrl.String</Id|
|><Value /></Sett|
|ingCurrent><Sett|
|ingCurrent><Id>D|
|fci.HttpsCert.Bi|
|nary</Id><Value |
|/></SettingCurre|
|nt><SettingCurre|
|nt><Id>Dfci.Regi|
|strationId.Strin|
|g</Id><Value /><|
|/SettingCurrent>|
|<SettingCurrent>|
|<Id>Dfci.TenantI|
|d.String</Id><Va|
|lue /></SettingC|
|urrent><SettingC|
|urrent><Id>MDM.F|
|riendlyName.Stri|
|ng</Id><Value />|
|</SettingCurrent|
|><SettingCurrent|
|><Id>MDM.TenantN|
|ame.String</Id><|
|Value /></Settin|
|gCurrent><Settin|
|gCurrent><Id>Dev|
|ice.CpuAndIoVirt|
|ualization.Enabl|
|e</Id><Value>Ena|
|bled</Value></Se|
|ttingCurrent><Se|
|ttingCurrent><Id|
|>Dfci3.OnboardWp|
|bt.Enable</Id><V|
|alue>Enabled</Va|
|lue></SettingCur|
|rent><SettingCur|
|rent><Id>Dfci3.A|
|ssetTag.String</|
|Id><Value /></Se|
|ttingCurrent><Se|
|ttingCurrent><Id|
|>Dfci.OnboardAud|
|io.Enable</Id><V|
|alue>Enabled</Va|
|lue></SettingCur|
|rent><SettingCur|
|rent><Id>Dfci.On|
|boardRadios.Enab|
|le</Id><Value>En|
|abled</Value></S|
|ettingCurrent><S|
|ettingCurrent><I|
|d>Device.IRCamer|
|a.Enable</Id><Va|
|lue>Disabled</Va|
|lue></SettingCur|
|rent><SettingCur|
|rent><Id>Device.|
|FrontCamera.Enab|
|le</Id><Value>Di|
|sabled</Value></|
|SettingCurrent><|
*
|Id>Device.RearCa|
|mera.Enable</Id>|
|<Value>Disabled<|
|/Value></Setting|
|Current><Setting|
|Current><Id>Dfci|
|3.ProcessorSMT.E|
|nable</Id><Value|
|>Disabled</Value|
|></SettingCurren|
|t><SettingCurren|
|t><Id>Dfci.CpuAn|
|dIoVirtualizatio|
|n.Enable</Id><Va|
|lue>Disabled</Va|
|lue></SettingCur|
|rent><SettingCur|
|rent><Id>Dfci.Bo|
|otExternalMedia.|
|Enable</Id><Valu|
|e>Enabled</Value|
|></SettingCurren|
|t><SettingCurren|
|t><Id>Dfci.Onboa|
|rdCameras.Enable|
|</Id><Value>Unkn|
|own</Value></Set|
|tingCurrent></Se|
|ttings><LSV>0</L|
|SV></CurrentSett|
|ingsPacket>.|
File Name: UEFISettingsCurrent-d41c8c24-3f5e-4ef4-8fdd-073e1866cd01
ASCII Output:
|....<?xml versio|
|n="1.0" encoding|
|="utf-8"?><Curre|
|ntSettingsPacket|
|><Date>2024-01-3|
|0T13:51:34</Date|
|><Settings><Sett|
|ingCurrent><Id>D|
|evice.BootOrderL|
|ock.Enable</Id><|
|Value>Disabled</|
|Value></SettingC|
|urrent><SettingC|
|urrent><Id>Devic|
|e.USBBoot.Enable|
|</Id><Value>Enab|
|led</Value></Set|
|tingCurrent><Set|
|tingCurrent><Id>|
|Dfci.BootOnboard|
|Network.Enable</|
|Id><Value>Disabl|
|ed</Value></Sett|
|ingCurrent><Sett|
|ingCurrent><Id>D|
|evice.Password.P|
|assword</Id><Val|
|ue>No System Pas|
|sword</Value></S|
|ettingCurrent><S|
|ettingCurrent><I|
|d>Dfci.RecoveryU|
|rl.String</Id><V|
|alue /></Setting|
|Current><Setting|
|Current><Id>Dfci|
|.RecoveryBootstr|
|apUrl.String</Id|
|><Value /></Sett|
|ingCurrent><Sett|
|ingCurrent><Id>D|
|fci.HttpsCert.Bi|
|nary</Id><Value |
|/></SettingCurre|
|nt><SettingCurre|
|nt><Id>Dfci.Regi|
|strationId.Strin|
|g</Id><Value /><|
|/SettingCurrent>|
|<SettingCurrent>|
|<Id>Dfci.TenantI|
|d.String</Id><Va|
|lue /></SettingC|
|urrent><SettingC|
|urrent><Id>MDM.F|
|riendlyName.Stri|
|ng</Id><Value />|
|</SettingCurrent|
|><SettingCurrent|
|><Id>MDM.TenantN|
|ame.String</Id><|
|Value /></Settin|
|gCurrent><Settin|
|gCurrent><Id>Dev|
|ice.CpuAndIoVirt|
|ualization.Enabl|
|e</Id><Value>Ena|
|bled</Value></Se|
|ttingCurrent><Se|
|ttingCurrent><Id|
|>Dfci3.OnboardWp|
|bt.Enable</Id><V|
|alue>Enabled</Va|
|lue></SettingCur|
|rent><SettingCur|
|rent><Id>Dfci3.A|
|ssetTag.String</|
|Id><Value /></Se|
|ttingCurrent><Se|
|ttingCurrent><Id|
|>Dfci.OnboardAud|
|io.Enable</Id><V|
|alue>Enabled</Va|
|lue></SettingCur|
|rent><SettingCur|
|rent><Id>Dfci.On|
|boardRadios.Enab|
|le</Id><Value>En|
|abled</Value></S|
|ettingCurrent><S|
|ettingCurrent><I|
|d>Device.IRCamer|
|a.Enable</Id><Va|
|lue>Disabled</Va|
|lue></SettingCur|
|rent><SettingCur|
|rent><Id>Device.|
|FrontCamera.Enab|
|le</Id><Value>Di|
|sabled</Value></|
|SettingCurrent><|
*
|Id>Device.RearCa|
|mera.Enable</Id>|
|<Value>Disabled<|
|/Value></Setting|
|Current><Setting|
|Current><Id>Dfci|
|3.ProcessorSMT.E|
|nable</Id><Value|
|>Disabled</Value|
|></SettingCurren|
|t><SettingCurren|
|t><Id>Dfci.CpuAn|
|dIoVirtualizatio|
|n.Enable</Id><Va|
|lue>Disabled</Va|
|lue></SettingCur|
|rent><SettingCur|
|rent><Id>Dfci.Bo|
|otExternalMedia.|
|Enable</Id><Valu|
|e>Enabled</Value|
|></SettingCurren|
|t><SettingCurren|
|t><Id>Dfci.Onboa|
|rdCameras.Enable|
|</Id><Value>Unkn|
|own</Value></Set|
|tingCurrent></Se|
|ttings><LSV>0</L|
|SV></CurrentSett|
|ingsPacket>.|
I did discover loop devices on my system that I could not remove with the
losetup command. I had to manually remove them with the rm -f command from
the /dev/disks directory. Also, I ran the lsof command, which helped me discover
the type of file systems that were being used. This prompted me to use apt purge
to remove Gnome Virtual File System from my laptop.
# lsof /dev/loop*
I received this in response:
can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
can't stat() fuse.portal file system /run/user/1000/doc
This should be enough to give others places to look to determine if they have been
infected, however I will be more than happy to provide more if needed.
Sources:
https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Dfci_Feature/
https://learn.microsoft.com/en-us/windows/client-management/mdm/uefi-csp
Hi,
Corey's message is confused and there's no indication in it whether the
system was compromised, so that part doesn't need further discussion,
but as a moderator I don't mind someone explaining Linux's (and other
systems') exposure of the EFI variables and DFCI and what it means for
security as well as what it does not.
On Fri, May 10, 2024 at 01:19:35PM +0000, Corey Lopez wrote:
> investigate other files on my system with the immutable attribute set by running this
> command as root:
>
> # find / -type f -exec lsattr {} + 2>/dev/null > immutable-list-find.txt
>
> This led me the directory /sys/firmware/efi/efivars/ where I discovered efi variables
That's normal.
> Microsoft advertises DFCI as a defense mechanism against rootkits, however it seems that it
> is being used as a UEFI bootkit.
No reason to think so.
> I did discover loop devices on my system that I could not remove with the
> losetup command.
That's probably because they were in use. That's normal.
Alexander
On Fri, 10 May 2024 at 13:19:35 +0000, Corey Lopez wrote:
> Also, I ran the lsof command, which helped me discover
> the type of file systems that were being used. This prompted me to use apt purge
> to remove Gnome Virtual File System from my laptop.
>
> # lsof /dev/loop*
>
> I received this in response:
>
> can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
> can't stat() fuse.portal file system /run/user/1000/doc
This is not evidence of a compromise, and is also nothing to do with
/dev/loop* specifically. You would see the same thing on a system that
is operating correctly, or when issuing other lsof commands as root that
do not involve /dev/loop*.
These are FUSE filesystems running as uid 1000, which by default are
not accessible *by root* - which might seem strange at first glance,
but is an intentional security mechanism to protect root from being
attacked by uid 1000 (see mount.fuse3(8) for details).
fuse.gvfsd-fuse is gvfs (not to be confused with gnomevfs, which is a
much older implementation of the same general concept) making various
remote and virtual filesystems such as SMB and WebDAV available to
non-GLib-based applications as a FUSE filesystem.
fuse.portal is xdg-documents-portal, part of xdg-desktop-portal, and
is used to share a subset of documents between the host system and
sandboxed apps such as Flatpak and Snap under user control, without
needing to extend a higher level of trust to those apps by sharing
entire directories.
smcv
File Name: DfciDeviceIdentifier-4123a1a9-6f50-4b58-9c3d-56fc24c6c89e
ASCII output:
<?xml version="1.0" encoding="utf-8"?>
<UEFIDeviceIdentifierPacket>
<Identifiers>
<Identifier>
<Id>Manufacturer</Id>
<Value>Acer</Value>
</Identifier>
<Identifier>
<Id>Product Name</Id>
<Value>Aspire A315-44P</Value>
</Identifier>
<Identifier>
<Id>Serial Number</Id>
<Value>NXKSJAA0044050439E3400</Value>
</Identifier>
</Identifiers>
<DfciVersion>2</DfciVersion>
</UEFIDeviceIdentifierPacket>
File Name: DfciIdentityCurrent-de6a8726-05df-43ce-b600-92bd5d286cfd
(NOTE: something that stood out to me is the
Zero Touch ID: 0989C5F7EA3379388F79990875B23E031A5DA554)
ASCII Output:
<?xml version="1.0" encoding="utf-8"?>
<UEFIIdentityCurrentPacket>
<Certificates>
<Certificate>
<Id>User</Id>
<Value>Cert not installed</Value>
</Certificate>
<Certificate>
<Id>User1</Id>
<Value>Cert not installed</Value>
</Certificate>
<Certificate>
<Id>User2</Id>
<Value>Cert not installed</Value>
</Certificate>
<Certificate>
<Id>Owner</Id>
<Value>Cert not installed</Value>
</Certificate>
<Certificate>
<Id>ZeroTouch</Id>
<Value>0989C5F7EA3379388F79990875B23E031A5DA554</Value>
</Certificate>
</Certificates>
</UEFIIdentityCurrentPacket>
File Name: DfciPermissionCurrent-3a9777ea-0d9f-4b65-9ef3-7caa7c41994b
ASCII Output:
<?xml version="1.0" encoding="utf-8"?>
<CurrentPermissionsPacket Default="1" Delegated="128">
<Date>2024-01-30T13:51:08</Date>
<Permissions>
<PermissionCurrent>
<Id>Dfci.OwnerKey.Enum</Id>
<PMask>9</PMask>
<DMask>128</DMask>
</PermissionCurrent>
<PermissionCurrent>
<Id>Dfci.ZtdKey.Enum</Id>
<PMask>1</PMask>
</PermissionCurrent>
<PermissionCurrent>
<Id>Dfci.ZtdUnenroll.Enable</Id>
<PMask>0</PMask>
</PermissionCurrent>
<PermissionCurrent>
<Id>Dfci.Ztd.Recovery.Enable</Id>
<PMask>0</PMask>
</PermissionCurrent>
</Permissions>
<LSV>0</LSV>
</CurrentPermissionsPacket>
File Name: DfciSettingsCurrent-d41c8c24-3f5e-4ef4-8fdd-073e1866cd01
ASCII Output:
<?xml version="1.0" encoding="utf-8"?>
<CurrentSettingsPacket>
<Date>2024-01-30T13:51:34</Date>
<Settings>
<SettingCurrent>
<Id>Device.BootOrderLock.Enable</Id>
<Value>Disabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Device.USBBoot.Enable</Id>
<Value>Enabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.BootOnboardNetwork.Enable</Id>
<Value>Disabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Device.Password.Password</Id>
<Value>No System Password</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.RecoveryUrl.String</Id>
<Value/>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.RecoveryBootstrapUrl.String</Id>
<Value/>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.HttpsCert.Binary</Id>
<Value/>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.RegistrationId.String</Id>
<Value/>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.TenantId.String</Id>
<Value/>
</SettingCurrent>
<SettingCurrent>
<Id>MDM.FriendlyName.String</Id>
<Value/>
</SettingCurrent>
<SettingCurrent>
<Id>MDM.TenantName.String</Id>
<Value/>
</SettingCurrent>
<SettingCurrent>
<Id>Device.CpuAndIoVirtualization.Enable</Id>
<Value>Enabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci3.OnboardWpbt.Enable</Id>
<Value>Enabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci3.AssetTag.String</Id>
<Value/>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.OnboardAudio.Enable</Id>
<Value>Enabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.OnboardRadios.Enable</Id>
<Value>Enabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Device.IRCamera.Enable</Id>
<Value>Disabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Device.FrontCamera.Enable</Id>
<Value>Disabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Device.RearCamera.Enable</Id>
<Value>Disabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci3.ProcessorSMT.Enable</Id>
<Value>Disabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.CpuAndIoVirtualization.Enable</Id>
<Value>Disabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.BootExternalMedia.Enable</Id>
<Value>Enabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.OnboardCameras.Enable</Id>
<Value>Unknown</Value>
</SettingCurrent>
</Settings>
<LSV>0</LSV>
</CurrentSettingsPacket>
File Name: UEFISettingsCurrent-d41c8c24-3f5e-4ef4-8fdd-073e1866cd01
ASCII Output:
<?xml version="1.0" encoding="utf-8"?>
<CurrentSettingsPacket>
<Date>2024-01-30T13:51:34</Date>
<Settings>
<SettingCurrent>
<Id>Device.BootOrderLock.Enable</Id>
<Value>Disabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Device.USBBoot.Enable</Id>
<Value>Enabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.BootOnboardNetwork.Enable</Id>
<Value>Disabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Device.Password.Password</Id>
<Value>No System Password</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.RecoveryUrl.String</Id>
<Value/>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.RecoveryBootstrapUrl.String</Id>
<Value/>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.HttpsCert.Binary</Id>
<Value/>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.RegistrationId.String</Id>
<Value/>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.TenantId.String</Id>
<Value/>
</SettingCurrent>
<SettingCurrent>
<Id>MDM.FriendlyName.String</Id>
<Value/>
</SettingCurrent>
<SettingCurrent>
<Id>MDM.TenantName.String</Id>
<Value/>
</SettingCurrent>
<SettingCurrent>
<Id>Device.CpuAndIoVirtualization.Enable</Id>
<Value>Enabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci3.OnboardWpbt.Enable</Id>
<Value>Enabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci3.AssetTag.String</Id>
<Value/>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.OnboardAudio.Enable</Id>
<Value>Enabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.OnboardRadios.Enable</Id>
<Value>Enabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Device.IRCamera.Enable</Id>
<Value>Disabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Device.FrontCamera.Enable</Id>
<Value>Disabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Device.RearCamera.Enable</Id>
<Value>Disabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci3.ProcessorSMT.Enable</Id>
<Value>Disabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.CpuAndIoVirtualization.Enable</Id>
<Value>Disabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.BootExternalMedia.Enable</Id>
<Value>Enabled</Value>
</SettingCurrent>
<SettingCurrent>
<Id>Dfci.OnboardCameras.Enable</Id>
<Value>Unknown</Value>
</SettingCurrent>
</Settings>
<LSV>0</LSV>
</CurrentSettingsPacket>
Solar Designer wrote:
> Hi,
>
> Corey's message is confused and there's no indication in it whether the
> system was compromised, so that part doesn't need further discussion,
> but as a moderator I don't mind someone explaining Linux's (and other
> systems') exposure of the EFI variables and DFCI and what it means for
> security as well as what it does not.
>
While he is definitely somewhat confused, he claims at the start to have
detected a compromise, but does not give details about the indications
that led him to that conclusion.
As far as I can tell from a quick perusal, (landing at
<URL:https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Scenarios/DfciScenarios/>)
it seems that DFCI "Zero Touch" is actually tightly bound to Microsoft
cloud services, and there is supposed to be a local option to remove the
zero touch certificate (thus disabling it more-or-less permanently) if
DFCI is not in use on the machine. The example implies that the UEFI
configuration tool ("BIOS setup") should provide this option.
-- Jacob