Date: Sat, 11 May 2024 13:21:23 +0200
From: Solar Designer
To: Corey Lopez
Cc: "oss-security@lists.openwall.com"
Message-ID: <20240511112123.GA2064@openwall.com>
Subject: Re: [oss-security] Microsoft Device Firmware Configuration Interface (DFCI) in Linux efivars directory

Hi,

Corey's message is confused and there's no indication in it whether the
system was compromised, so that part doesn't need further discussion, but
as a moderator I don't mind someone explaining Linux's (and other systems')
exposure of the EFI variables and DFCI and what it means for security as
well as what it does not.
On Fri, May 10, 2024 at 01:19:35PM +0000, Corey Lopez wrote:
> investigate other files on my system with the immutable attribute set by running this
> command as root:
>
> # find / -type f -exec lsattr {} + 2>/dev/null > immutable-list-find.txt
>
> This led me to the directory /sys/firmware/efi/efivars/ where I discovered efi variables

That's normal.

> Microsoft advertises DFCI as a defense mechanism against rootkits, however it seems that it
> is being used as a UEFI bootkit.

No reason to think so.

> I did discover loop devices on my system that I could not remove with the
> losetup command.

That's probably because they were in use. That's normal.

Alexander
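A triage helper added here as an example (not from Corey's or Alexander's messages, and not part of any project): it reads lsattr output and separates efivarfs entries, where the immutable bit is the normal default, from other immutable files that deserve a look, and checks whether a loop device is mounted, the usual reason losetup reports it as busy. The sample lsattr lines and mount table below are constructed.

```shell
#!/bin/sh
# Immutable-file triage: the immutable ('i') attribute on files under
# /sys/firmware/efi/efivars/ is expected (the kernel sets it so variables are
# not clobbered by accident), so those entries are reported as "expected";
# any other file carrying 'i' is reported as "review". Lines without 'i'
# (e.g. only the 'e' extents flag) are dropped.

# classify_immutable: reads "flags path" lines as printed by lsattr on stdin.
classify_immutable() {
    while read -r flags path; do
        case "$flags" in
            *i*) ;;           # immutable bit present, keep going
            *) continue ;;    # not immutable, nothing to triage
        esac
        case "$path" in
            /sys/firmware/efi/efivars/*) printf 'expected %s\n' "$path" ;;
            *)                           printf 'review %s\n' "$path" ;;
        esac
    done
}

# loop_mounted DEV: succeed if /dev/DEV is the source of a mount in the
# /proc/mounts-format table read on stdin. A mounted loop device cannot be
# detached with "losetup -d" until it is unmounted.
loop_mounted() {
    grep -q "^/dev/$1 "
}

# Constructed sample input (not captured from any real system).
SAMPLE_LSATTR='----i---------e------- /sys/firmware/efi/efivars/BootOrder-8be4df61-93ca-11d2-aa0d-00e098032b8c
----i---------e------- /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
--------------e------- /etc/passwd
----i---------e------- /etc/resolv.conf'

SAMPLE_MOUNTS='/dev/loop0 /snap/core/1 squashfs ro,nodev,relatime 0 0
/dev/sda2 / ext4 rw,relatime 0 0'

# Demo when run directly: on a live host you would pipe
#   find / -xdev -type f -exec lsattr {} + 2>/dev/null | classify_immutable
# and   loop_mounted loop0 < /proc/mounts
printf '%s\n' "$SAMPLE_LSATTR" | classify_immutable
```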