Received: by 2002:ab2:6a05:0:b0:1f8:1780:a4ed with SMTP id w5csp1013710lqo;
        Sat, 11 May 2024 04:03:21 -0700 (PDT)
X-Forwarded-Encrypted: i=2; AJvYcCUfZRwjHvyZ5FQIdDv45YB6qETSKbdGQjFCsDWs5TQ6xYja7Q8MMM5K+z60HqosvOLXhScdmSNPjJTWB1E2sLy09Xv+9gAPVdHMrFYfDg==
X-Google-Smtp-Source: AGHT+IGiPRibLRoWHztqFAtawaqkpSY8hfdk5qAekbusgUYw5NfY3s+pwO1Yo4UweSiW0EBEzbje
X-Received: by 2002:a50:9ec3:0:b0:572:47d4:8585 with SMTP id 4fb4d7f45d1cf-5734d6de09fmr3379644a12.38.1715425401524;
        Sat, 11 May 2024 04:03:21 -0700 (PDT)
Return-Path: <oss-security-return-30143-linux.lists.archive=gmail.com@lists.openwall.com>
Received: from second.openwall.net (second.openwall.net. [193.110.157.125])
        by mx.google.com with SMTP id 4fb4d7f45d1cf-5733beac560si2987605a12.80.2024.05.11.04.03.21
        for <linux.lists.archive@gmail.com>;
        Sat, 11 May 2024 04:03:21 -0700 (PDT)
Received-SPF: pass (google.com: domain of oss-security-return-30143-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) client-ip=193.110.157.125;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@hotmail.com header.s=selector1 header.b=A1LJnlxk;
       arc=fail (signature failed);
       spf=pass (google.com: domain of oss-security-return-30143-linux.lists.archive=gmail.com@lists.openwall.com designates 193.110.157.125 as permitted sender) smtp.mailfrom="oss-security-return-30143-linux.lists.archive=gmail.com@lists.openwall.com";
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hotmail.com
Received: (qmail 32392 invoked by uid 550); 11 May 2024 11:03:01 -0000
Mailing-List: contact oss-security-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:oss-security@lists.openwall.com>
List-Help: <mailto:oss-security-help@lists.openwall.com>
List-Unsubscribe: <mailto:oss-security-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:oss-security-subscribe@lists.openwall.com>
List-ID: <oss-security.lists.openwall.com>
Reply-To: oss-security@lists.openwall.com
Delivered-To: mailing list oss-security@lists.openwall.com
Delivered-To: moderator for oss-security@lists.openwall.com
Received: (qmail 5308 invoked from network); 10 May 2024 13:19:48 -0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=OeJYqyNIgeXaVxpk77B9HFzy83KjpbNxkBx4ASHzzl4Y12ZXgZR5J7+bcdTwRVdoey367ps8b7qXsnHOeFbRtP5V4BauQWGukdWFenfouMhOwRJCVMLcTM2VI/KjNrgNfsGTqKgMZA09eUQ/EGPEji26g2MFTnPmxl8ZZESGaGcoJY2ip/OETuSSDPzFTilQhuP2RFPdj+ONKQdqj+8Eyb+bb7hEDpQiWrL6bc+ZURvfSdspvy7SATmMJir3/eLb06WaICXQJ/ikSD8UDXjJeKUeCbiBTctPTBO7RzQ2ModkbNFBLZGj2EkgwtbdTXEl62RreXbvz9Gv3TXWrKEBLQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=jztq/fLNN51DIQeSSRGWT+j8NiDFaYcUdzuaXfhLRY4=;
 b=Jn1poSr/BaCd+kgeK1DqJDufKdZUPHjPg6gJQFzbR2D6amrj0mS6R/3IS94tpz22NlD3qI9LOveHoqf6uFgs7GDbncHWuUs2um2yPpR90fUlxgbXjuxelUvV5iNgAsHtx26gLzcVL0RIE3LzncWP4Qt9kzbgXuRFY/ARLuI4+mp55wI89bDBmR0D3oTT1SiOn2fVeGt12g7HZpjShkA4VGSXuoXZCUnMa+gKhvSG03ur3s9XzsX/tDtHbZ251/iUmA5WTgaqj0p3ztIic8LxjRGAcpNLfkKDVKSuZZMkCISepgXUllcjhlvfDHEgHpynLVz0v6lZKKakefXAKtkYeA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
 dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com;
 s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=jztq/fLNN51DIQeSSRGWT+j8NiDFaYcUdzuaXfhLRY4=;
 b=A1LJnlxkYr9D4Bj6Q4n/pNx1aVCfMeI5ZqiJXRX7ugCeNL8v0SyxjP6UWtV72yublqztx8URu98m+nHVN62BT7eraMszO5AKT3NkZpIlh3GG98jeIxc5SbEMa4YBk/qfWxo+c4kP7MUFFhwwQxnpxNTzQxjph9IA2Ag3gJSevtBhIqRzHiAnsdlYo+zoBUc2bfuWdsIOcBDx9Hul1qS9mzkGIs0ZJJjZIqTlwjYqRNMt6XbwMqso3kLEihjhmN8xzDBdScs39CEvx0l2OViZNpBH2uUermNyTamNv+bh0GWeHpj04cGLTORhv+VjJvZ4YXw0tJGZOVgRDcPLq+Ha6g==
From: Corey Lopez <Corey.lopez09160587@hotmail.com>
To: "oss-security@lists.openwall.com" <oss-security@lists.openwall.com>
Thread-Topic: Microsoft Device Firmware Configuration Interface (DFCI) in
 Linux efivars directory
Thread-Index: AQHaotsJBSE+kIqJk0G2DerpSXAIRw==
Date: Fri, 10 May 2024 13:19:35 +0000
Message-ID:
 <BYAPR03MB4903AF4B05EDB627E47C9370EBE72@BYAPR03MB4903.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-tmn: [DMD0AtUNn3gi4nvuX3s4dBw4/kPq2yE3]
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BYAPR03MB4903:EE_|SJ0PR03MB5712:EE_
x-ms-office365-filtering-correlation-id: a2fb8201-52ef-46ab-54cc-08dc70f3d662
x-microsoft-antispam:
 BCL:0;ARA:14566002|461199019|102099023|440099019|3412199016|3420499023|3430499023|1602099003;
x-microsoft-antispam-message-info:
 mNNRQ4390RtJ6W2h4KjcdICHJ1EXmaBfmelLAv6gUmSkBUdoptDKckftMiznmiHzpq75bjCGsJejbgQ6sNi+jT/LYoz2DLPOXRhfWzAhi2RJ+17h5ROaAxRP+4KPJPT2Sfn05vgw/8AOerfUf/r19g/OpUu7UZsuKXqslxQjaCAKsrDIt2Pi1fxrTbzEkXwsCEPzL3kTtKIDXO2ypwjENkKWfB4G/K9o5rKhOW5Zct89lrAHnt1Qy2/gM2EaEdgcQwGf02DaDHNqmBajIjmH0AUkpAvdgHcxglGi3WJ7dxvC90wIZmE8MbCknMlH0TgZPotN6ORf6oUhQRoTA6C20YSdP1RCAIrFcosLM4+39HqOTJGb25oOZ3oXpH+6cHx+VmCqB0T7UHNkHRZrYn+1JoVdJKLeK7N5W1+Tpcf4cOZd4rkdx43dAP6lK2NQG8TD6MPFj9NHntl5KTU3wlrCIxFVDvXfHdh6+JQ8+rkk77DIrzGoHVkFwxBFRelt6YZ4LV8QE3iQ28pMyeJfQ/jFHPDHFs7G1/bz+n2IH2WKLvfo6yWZl0CWB+H62tmhL+PrJjGK2Dolp96p5jzJoGFnzp5dTWOUnfN6Fd6EZyDVZL/0ggn4osXB7QxOXw+ds1CBxbxF10W72hLXVhYy+tHeAWG7KSMr7ns2j9N6+WnXsDM=
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0:
 =?iso-8859-1?Q?ttrFbYPnH2LYM7lembIrTCbnbtpdN0q/A1aTOA6Ly2m/zZuV5bC3GmqLvn?=
 =?iso-8859-1?Q?UBTf2/1s+vupwO+SnRBFDR5qqJ3pDbTvg0ac06gSRSdFvFNf8U/LdUK2ub?=
 =?iso-8859-1?Q?VUfJ4NTCHnxZnR0GcL86U5aH7MvCNBLmolJzQUd+GgB6Kb9RYjSbxww8Q4?=
 =?iso-8859-1?Q?DXlV7OyCGva/i4cE/s+aeYmCsS6LfnBSBku1dthNS7O0xy/y5z0rN0TQi6?=
 =?iso-8859-1?Q?nlGFVwA0LK3TVZr2bISXipx9QrCrbUF0uKNkiiCAt3Jl2W4IFUFndEtZ+w?=
 =?iso-8859-1?Q?ZD9phoFVZJ5oMgy0Y0sOYXxqjOFndtv+wxlIZ7nkeUsiZbtpQvPdsYNatd?=
 =?iso-8859-1?Q?vuuu6j9NOc667yKYXo4iRnB4QGd13zeeu19lNEYZtf432FMjn1RT4ltoQ8?=
 =?iso-8859-1?Q?5A/Yv9nTkq1AqWlJ28k5jMuS1/lbfRDnrpau+eaCqkHnMb75WDIxqE7M5U?=
 =?iso-8859-1?Q?TirqeB2Gzkxe/M5gZWrmTl8aI/C5orAny9D1coJ1HFt55V4dlxt9NNNaNL?=
 =?iso-8859-1?Q?/7826EvoNIHUWIhaz2fP5bj0Dd5z5Lo9cKjSaxTP9PO2v5uljMGSE8SigE?=
 =?iso-8859-1?Q?e83rxlKC+HzQbH5cYsT7RtJLULVIObvklMQDybgkUslCcQ1eiE58AEkqK8?=
 =?iso-8859-1?Q?QcEUew3wadOCXHzigu15/ujrbrunIzITYMhUn2QB1ojzS91zRh0Z8pND2h?=
 =?iso-8859-1?Q?r8TYf5I1G/hG4Qx9JkZXykfySYrqrM7UCQ/hQZu8pxoF5hpf/nX/bgDDgM?=
 =?iso-8859-1?Q?H5Ocy3V1Gg+qhrJ5XME1ad7PuXWl4qtLC3AzLGv4SBUsDQ9LyvagsS6Cmv?=
 =?iso-8859-1?Q?yB+5f4UofC27uhd3HC9b+EQ0XC25nnm199KznPJVCagyRASA3aZdHksi3B?=
 =?iso-8859-1?Q?KoT/35npFRgfU6f4qGxG58ea1ASBeqvwh38aqgjys+Sfx3Fy4GCg4YF6wq?=
 =?iso-8859-1?Q?e41C61+RObrj/b9ty2ByyiXgH1yxY9tRRnaAfpSwG697+tmedAbVOwtMZ7?=
 =?iso-8859-1?Q?4u7OQWwbqgTgSGcMhEU6NWPjO92yN7uNTT7rn0xSnHrGLcpeSRbfOozEXJ?=
 =?iso-8859-1?Q?0GDX4UfD3+gaWJdOV9XTintOlpqRPLevPhx3x3yxsYuvDuhIYCOTlQVXcM?=
 =?iso-8859-1?Q?pHnZuKsSLDT8j2tGY1Qr2JH2Mcz5Tr0HPZVSnoeVi5CjDTXMdaF3uCUWNt?=
 =?iso-8859-1?Q?S0c5wtMUi6Z3iWf/s5KcKuSQJ1GFbcjw+l6lZ9zd0wBPGPMYoY+v3y1fT3?=
 =?iso-8859-1?Q?DXXHXdQD9NzO73lx6fUySxvdph7h0v5JdME0mwZrGfsm7KZTfJm6A9YHMn?=
 =?iso-8859-1?Q?flhN?=
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: sct-15-20-4755-11-msonline-outlook-685f7.templateTenant
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BYAPR03MB4903.namprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: a2fb8201-52ef-46ab-54cc-08dc70f3d662
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 May 2024 13:19:35.5659
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR03MB5712
Subject: [oss-security] Microsoft Device Firmware Configuration Interface (DFCI) in Linux
 efivars directory

I have dual boot Windows 11 Home Edition and Debian based setup on my lapto=
p.=0A=
=0A=
Distributor ID: Kali=0A=
Description:    Kali GNU/Linux Rolling=0A=
Release:        2024.1=0A=
Codename:       kali-rolling=0A=
=0A=
After realizing a security breach on my Kali system I discovered /etc/netwo=
rk/interface=0A=
had the immutable attribute set while trying to restrict access using chmod=
. I decided to=0A=
investigate other files on my system with the immutable attribute set by ru=
nning this=0A=
command as root:=0A=
=0A=
# find / -type f -exec lsattr {} + 2>/dev/null > immutable-list-find.txt=0A=
=0A=
This led me the directory /sys/firmware/efi/efivars/ where I discovered efi=
 variables=0A=
pertaining Microsoft's Device Firmware Configuration Interface (DFCI). Micr=
osoft's=0A=
DFCI enables zero touch remote configuration of UEFI BIOS giving the abilit=
y to=0A=
manage BIOS settings and hardware. The DFCI allows for remote disabling or =
enabling=0A=
of cameras, microphones, radios, boot external media, bootstrapping an OS, =
cpu=0A=
virtualization, and I/O virtualization. According to Microsoft's github pag=
e, the zero=0A=
touch certificate is shared by all DFCI-enabled systems and does not need t=
o be injected=0A=
at manufacturing.=0A=
=0A=
Microsoft advertises DFCI as a defense mechanism against rootkits, however =
it seems that it=0A=
is being used as a UEFI bootkit. According to Microsoft DFCI is not availab=
le for Windows 10=0A=
or 11 Home Edition. My Acer Aspire 3 15 has Windows 11 Home Edition, and wa=
s purchased=0A=
as a consumer product versus a commercial. This means that not only is ther=
e a capability that=0A=
DFCI can be implemented on a consumer product, but through a Linux based op=
erating system.=0A=
=0A=
I will provide the ASCII output of each file that I found on my Kali Linux =
system from the=0A=
/sys/firmware/efi/efivars/ directory. I will not provide the entire hexdump=
 output to save space.=0A=
However, I will provide more if requested after my initial posting. =0A=
=0A=
File Name: DfciDeviceIdentifier-4123a1a9-6f50-4b58-9c3d-56fc24c6c89e=0A=
=0A=
ASCII output:=0A=
=0A=
|....<?xml versio|=0A=
|n=3D"1.0" encoding|=0A=
|=3D"utf-8"?><UEFID|=0A=
|eviceIdentifierP|=0A=
|acket><Identifie|=0A=
|rs><Identifier><|=0A=
|Id>Manufacturer<|=0A=
|/Id><Value>Acer<|=0A=
|/Value></Identif|=0A=
|ier><Identifier>|=0A=
|<Id>Product Name|=0A=
|</Id><Value>Aspi|=0A=
|re A315-44P</Val|=0A=
|ue></Identifier>|=0A=
|<Identifier><Id>|=0A=
|Serial Number</I|=0A=
|d><Value>NXKSJAA|=0A=
|0044050439E3400<|=0A=
|/Value></Identif|=0A=
|ier></Identifier|=0A=
|s><DfciVersion>2|=0A=
|</DfciVersion></|=0A=
|UEFIDeviceIdenti|=0A=
|fierPacket>.|=0A=
=0A=
File Name: DfciIdentityCurrent-de6a8726-05df-43ce-b600-92bd5d286cfd=0A=
=0A=
(NOTE: something that stood out to me is the =0A=
Zero Touch ID: 0989C5F7EA3379388F79990875B23E031A5DA554)=0A=
=0A=
ASCII Output:=0A=
=0A=
|....<?xml versio|=0A=
|n=3D"1.0" encoding|=0A=
|=3D"utf-8"?><UEFII|=0A=
|dentityCurrentPa|=0A=
|cket><Certificat|=0A=
|es><Certificate>|=0A=
|<Id>User</Id><Va|=0A=
|lue>Cert not ins|=0A=
|talled</Value></|=0A=
|Certificate><Cer|=0A=
|tificate><Id>Use|=0A=
|r1</Id><Value>Ce|=0A=
|rt not installed|=0A=
|</Value></Certif|=0A=
|icate><Certifica|=0A=
|te><Id>User2</Id|=0A=
|><Value>Cert not|=0A=
| installed</Valu|=0A=
|e></Certificate>|=0A=
|<Certificate><Id|=0A=
|>Owner</Id><Valu|=0A=
|e>Cert not insta|=0A=
|lled</Value></Ce|=0A=
|rtificate><Certi|=0A=
|ficate><Id>ZeroT|=0A=
|ouch</Id><Value>|=0A=
|0989C5F7EA337938|=0A=
|8F79990875B23E03|=0A=
|1A5DA554</Value>|=0A=
|</Certificate></|=0A=
|Certificates></U|=0A=
|EFIIdentityCurre|=0A=
|ntPacket>.|=0A=
=0A=
File Name: DfciPermissionCurrent-3a9777ea-0d9f-4b65-9ef3-7caa7c41994b=0A=
=0A=
ASCII Output:=0A=
=0A=
|....<?xml versio|=0A=
|n=3D"1.0" encoding|=0A=
|=3D"utf-8"?><Curre|=0A=
|ntPermissionsPac|=0A=
|ket Default=3D"1" |=0A=
|Delegated=3D"128">|=0A=
|<Date>2024-01-30|=0A=
|T13:51:08</Date>|=0A=
|<Permissions><Pe|=0A=
|rmissionCurrent>|=0A=
|<Id>Dfci.OwnerKe|=0A=
|y.Enum</Id><PMas|=0A=
|k>9</PMask><DMas|=0A=
|k>128</DMask></P|=0A=
|ermissionCurrent|=0A=
|><PermissionCurr|=0A=
|ent><Id>Dfci.Ztd|=0A=
|Key.Enum</Id><PM|=0A=
|ask>1</PMask></P|=0A=
|ermissionCurrent|=0A=
|><PermissionCurr|=0A=
|ent><Id>Dfci.Ztd|=0A=
|Unenroll.Enable<|=0A=
|/Id><PMask>0</PM|=0A=
|ask></Permission|=0A=
|Current><Permiss|=0A=
|ionCurrent><Id>D|=0A=
|fci.Ztd.Recovery|=0A=
|.Enable</Id><PMa|=0A=
|sk>0</PMask></Pe|=0A=
|rmissionCurrent>|=0A=
|</Permissions><L|=0A=
|SV>0</LSV></Curr|=0A=
|entPermissionsPa|=0A=
|cket>.|=0A=
=0A=
File Name: DfciSettingsCurrent-d41c8c24-3f5e-4ef4-8fdd-073e1866cd01=0A=
=0A=
ASCII Output:=0A=
=0A=
|....<?xml versio|=0A=
|n=3D"1.0" encoding|=0A=
|=3D"utf-8"?><Curre|=0A=
|ntSettingsPacket|=0A=
|><Date>2024-01-3|=0A=
|0T13:51:34</Date|=0A=
|><Settings><Sett|=0A=
|ingCurrent><Id>D|=0A=
|evice.BootOrderL|=0A=
|ock.Enable</Id><|=0A=
|Value>Disabled</|=0A=
|Value></SettingC|=0A=
|urrent><SettingC|=0A=
|urrent><Id>Devic|=0A=
|e.USBBoot.Enable|=0A=
|</Id><Value>Enab|=0A=
|led</Value></Set|=0A=
|tingCurrent><Set|=0A=
|tingCurrent><Id>|=0A=
|Dfci.BootOnboard|=0A=
|Network.Enable</|=0A=
|Id><Value>Disabl|=0A=
|ed</Value></Sett|=0A=
|ingCurrent><Sett|=0A=
|ingCurrent><Id>D|=0A=
|evice.Password.P|=0A=
|assword</Id><Val|=0A=
|ue>No System Pas|=0A=
|sword</Value></S|=0A=
|ettingCurrent><S|=0A=
|ettingCurrent><I|=0A=
|d>Dfci.RecoveryU|=0A=
|rl.String</Id><V|=0A=
|alue /></Setting|=0A=
|Current><Setting|=0A=
|Current><Id>Dfci|=0A=
|.RecoveryBootstr|=0A=
|apUrl.String</Id|=0A=
|><Value /></Sett|=0A=
|ingCurrent><Sett|=0A=
|ingCurrent><Id>D|=0A=
|fci.HttpsCert.Bi|=0A=
|nary</Id><Value |=0A=
|/></SettingCurre|=0A=
|nt><SettingCurre|=0A=
|nt><Id>Dfci.Regi|=0A=
|strationId.Strin|=0A=
|g</Id><Value /><|=0A=
|/SettingCurrent>|=0A=
|<SettingCurrent>|=0A=
|<Id>Dfci.TenantI|=0A=
|d.String</Id><Va|=0A=
|lue /></SettingC|=0A=
|urrent><SettingC|=0A=
|urrent><Id>MDM.F|=0A=
|riendlyName.Stri|=0A=
|ng</Id><Value />|=0A=
|</SettingCurrent|=0A=
|><SettingCurrent|=0A=
|><Id>MDM.TenantN|=0A=
|ame.String</Id><|=0A=
|Value /></Settin|=0A=
|gCurrent><Settin|=0A=
|gCurrent><Id>Dev|=0A=
|ice.CpuAndIoVirt|=0A=
|ualization.Enabl|=0A=
|e</Id><Value>Ena|=0A=
|bled</Value></Se|=0A=
|ttingCurrent><Se|=0A=
|ttingCurrent><Id|=0A=
|>Dfci3.OnboardWp|=0A=
|bt.Enable</Id><V|=0A=
|alue>Enabled</Va|=0A=
|lue></SettingCur|=0A=
|rent><SettingCur|=0A=
|rent><Id>Dfci3.A|=0A=
|ssetTag.String</|=0A=
|Id><Value /></Se|=0A=
|ttingCurrent><Se|=0A=
|ttingCurrent><Id|=0A=
|>Dfci.OnboardAud|=0A=
|io.Enable</Id><V|=0A=
|alue>Enabled</Va|=0A=
|lue></SettingCur|=0A=
|rent><SettingCur|=0A=
|rent><Id>Dfci.On|=0A=
|boardRadios.Enab|=0A=
|le</Id><Value>En|=0A=
|abled</Value></S|=0A=
|ettingCurrent><S|=0A=
|ettingCurrent><I|=0A=
|d>Device.IRCamer|=0A=
|a.Enable</Id><Va|=0A=
|lue>Disabled</Va|=0A=
|lue></SettingCur|=0A=
|rent><SettingCur|=0A=
|rent><Id>Device.|=0A=
|FrontCamera.Enab|=0A=
|le</Id><Value>Di|=0A=
|sabled</Value></|=0A=
|SettingCurrent><|=0A=
*=0A=
|Id>Device.RearCa|=0A=
|mera.Enable</Id>|=0A=
|<Value>Disabled<|=0A=
|/Value></Setting|=0A=
|Current><Setting|=0A=
|Current><Id>Dfci|=0A=
|3.ProcessorSMT.E|=0A=
|nable</Id><Value|=0A=
|>Disabled</Value|=0A=
|></SettingCurren|=0A=
|t><SettingCurren|=0A=
|t><Id>Dfci.CpuAn|=0A=
|dIoVirtualizatio|=0A=
|n.Enable</Id><Va|=0A=
|lue>Disabled</Va|=0A=
|lue></SettingCur|=0A=
|rent><SettingCur|=0A=
|rent><Id>Dfci.Bo|=0A=
|otExternalMedia.|=0A=
|Enable</Id><Valu|=0A=
|e>Enabled</Value|=0A=
|></SettingCurren|=0A=
|t><SettingCurren|=0A=
|t><Id>Dfci.Onboa|=0A=
|rdCameras.Enable|=0A=
|</Id><Value>Unkn|=0A=
|own</Value></Set|=0A=
|tingCurrent></Se|=0A=
|ttings><LSV>0</L|=0A=
|SV></CurrentSett|=0A=
|ingsPacket>.|=0A=
=0A=
File Name: UEFISettingsCurrent-d41c8c24-3f5e-4ef4-8fdd-073e1866cd01=0A=
=0A=
ASCII Output:=0A=
=0A=
|....<?xml versio|=0A=
|n=3D"1.0" encoding|=0A=
|=3D"utf-8"?><Curre|=0A=
|ntSettingsPacket|=0A=
|><Date>2024-01-3|=0A=
|0T13:51:34</Date|=0A=
|><Settings><Sett|=0A=
|ingCurrent><Id>D|=0A=
|evice.BootOrderL|=0A=
|ock.Enable</Id><|=0A=
|Value>Disabled</|=0A=
|Value></SettingC|=0A=
|urrent><SettingC|=0A=
|urrent><Id>Devic|=0A=
|e.USBBoot.Enable|=0A=
|</Id><Value>Enab|=0A=
|led</Value></Set|=0A=
|tingCurrent><Set|=0A=
|tingCurrent><Id>|=0A=
|Dfci.BootOnboard|=0A=
|Network.Enable</|=0A=
|Id><Value>Disabl|=0A=
|ed</Value></Sett|=0A=
|ingCurrent><Sett|=0A=
|ingCurrent><Id>D|=0A=
|evice.Password.P|=0A=
|assword</Id><Val|=0A=
|ue>No System Pas|=0A=
|sword</Value></S|=0A=
|ettingCurrent><S|=0A=
|ettingCurrent><I|=0A=
|d>Dfci.RecoveryU|=0A=
|rl.String</Id><V|=0A=
|alue /></Setting|=0A=
|Current><Setting|=0A=
|Current><Id>Dfci|=0A=
|.RecoveryBootstr|=0A=
|apUrl.String</Id|=0A=
|><Value /></Sett|=0A=
|ingCurrent><Sett|=0A=
|ingCurrent><Id>D|=0A=
|fci.HttpsCert.Bi|=0A=
|nary</Id><Value |=0A=
|/></SettingCurre|=0A=
|nt><SettingCurre|=0A=
|nt><Id>Dfci.Regi|=0A=
|strationId.Strin|=0A=
|g</Id><Value /><|=0A=
|/SettingCurrent>|=0A=
|<SettingCurrent>|=0A=
|<Id>Dfci.TenantI|=0A=
|d.String</Id><Va|=0A=
|lue /></SettingC|=0A=
|urrent><SettingC|=0A=
|urrent><Id>MDM.F|=0A=
|riendlyName.Stri|=0A=
|ng</Id><Value />|=0A=
|</SettingCurrent|=0A=
|><SettingCurrent|=0A=
|><Id>MDM.TenantN|=0A=
|ame.String</Id><|=0A=
|Value /></Settin|=0A=
|gCurrent><Settin|=0A=
|gCurrent><Id>Dev|=0A=
|ice.CpuAndIoVirt|=0A=
|ualization.Enabl|=0A=
|e</Id><Value>Ena|=0A=
|bled</Value></Se|=0A=
|ttingCurrent><Se|=0A=
|ttingCurrent><Id|=0A=
|>Dfci3.OnboardWp|=0A=
|bt.Enable</Id><V|=0A=
|alue>Enabled</Va|=0A=
|lue></SettingCur|=0A=
|rent><SettingCur|=0A=
|rent><Id>Dfci3.A|=0A=
|ssetTag.String</|=0A=
|Id><Value /></Se|=0A=
|ttingCurrent><Se|=0A=
|ttingCurrent><Id|=0A=
|>Dfci.OnboardAud|=0A=
|io.Enable</Id><V|=0A=
|alue>Enabled</Va|=0A=
|lue></SettingCur|=0A=
|rent><SettingCur|=0A=
|rent><Id>Dfci.On|=0A=
|boardRadios.Enab|=0A=
|le</Id><Value>En|=0A=
|abled</Value></S|=0A=
|ettingCurrent><S|=0A=
|ettingCurrent><I|=0A=
|d>Device.IRCamer|=0A=
|a.Enable</Id><Va|=0A=
|lue>Disabled</Va|=0A=
|lue></SettingCur|=0A=
|rent><SettingCur|=0A=
|rent><Id>Device.|=0A=
|FrontCamera.Enab|=0A=
|le</Id><Value>Di|=0A=
|sabled</Value></|=0A=
|SettingCurrent><|=0A=
*=0A=
|Id>Device.RearCa|=0A=
|mera.Enable</Id>|=0A=
|<Value>Disabled<|=0A=
|/Value></Setting|=0A=
|Current><Setting|=0A=
|Current><Id>Dfci|=0A=
|3.ProcessorSMT.E|=0A=
|nable</Id><Value|=0A=
|>Disabled</Value|=0A=
|></SettingCurren|=0A=
|t><SettingCurren|=0A=
|t><Id>Dfci.CpuAn|=0A=
|dIoVirtualizatio|=0A=
|n.Enable</Id><Va|=0A=
|lue>Disabled</Va|=0A=
|lue></SettingCur|=0A=
|rent><SettingCur|=0A=
|rent><Id>Dfci.Bo|=0A=
|otExternalMedia.|=0A=
|Enable</Id><Valu|=0A=
|e>Enabled</Value|=0A=
|></SettingCurren|=0A=
|t><SettingCurren|=0A=
|t><Id>Dfci.Onboa|=0A=
|rdCameras.Enable|=0A=
|</Id><Value>Unkn|=0A=
|own</Value></Set|=0A=
|tingCurrent></Se|=0A=
|ttings><LSV>0</L|=0A=
|SV></CurrentSett|=0A=
|ingsPacket>.|=0A=
=0A=
I did discover loop devices on my system that I could not remove with the =
=0A=
losetup command. I had to manually remove them with the rm -f command from =
=0A=
the /dev/disks directory. Also, I ran the lsof command, which helped me dis=
cover =0A=
the type of file systems that were being used. This prompted me to use apt =
purge =0A=
to remove Gnome Virtual File System from my laptop. =0A=
=0A=
# lsof /dev/loop*=0A=
=0A=
I received this in response:=0A=
=0A=
can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs=0A=
can't stat() fuse.portal file system /run/user/1000/doc=0A=
=0A=
This should be enough to give others places to look to determine if they ha=
ve been=0A=
infected, however I will be more than happy to provide more if needed. =0A=
=0A=
Sources:=0A=
=0A=
https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Dfci_Featur=
e/=0A=
https://learn.microsoft.com/en-us/windows/client-management/mdm/uefi-csp=