
I haven't seen any mechanism by which UEFI can detect the most recent update to a binary being swapped out for an older binary that was signed with the same key as the up-to-date binary. Google's vboot is the only PC firmware I know of that uses anti-downgrade counters. Does the UEFI specification specify a way to thwart rollback attacks on the boot payload(s), such as the Windows bootloader, the Windows kernel, GRUB2, and Linux kernel images?

Update: UEFI does offer authenticated variables that incorporate a timestamp or a monotonic counter in update verification to prevent rewriting the variable to an older value, but I don't know if this is used to thwart rollback attempts on the boot payload(s).
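To illustrate the anti-rollback property of time-based authenticated variables mentioned in the update, here is an added example (not from the question or the UEFI specification) that models the check in Python. The real mechanism (EFI_VARIABLE_AUTHENTICATION_2) verifies a PKCS#7 signature over the variable name, GUID, attributes, timestamp and data; this model assumes a constructed HMAC key in place of the platform signing key, and it only protects the variable itself, not a bootloader image stored on the EFI system partition.

```python
import hashlib
import hmac
import struct

# Constructed key standing in for the trusted signer; not a real platform key.
SIGNING_KEY = b"constructed-demo-key"


def sign_update(name: bytes, timestamp: int, data: bytes) -> bytes:
    """Authentication tag over everything the firmware checks on a write."""
    msg = name + struct.pack("<Q", timestamp) + data
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()


class AuthVarStore:
    """Hypothetical model of a time-based authenticated variable store."""

    def __init__(self):
        self.vars = {}  # name -> (timestamp, data)

    def set_variable(self, name: bytes, timestamp: int, data: bytes, auth: bytes) -> str:
        # 1. The update must carry a valid tag from the trusted signer.
        if not hmac.compare_digest(sign_update(name, timestamp, data), auth):
            return "EFI_SECURITY_VIOLATION: bad signature"
        # 2. Anti-rollback: a validly signed but older update is refused,
        #    because its timestamp is not strictly later than the stored one.
        stored = self.vars.get(name)
        if stored is not None and timestamp <= stored[0]:
            return "EFI_SECURITY_VIOLATION: timestamp not newer (rollback)"
        self.vars[name] = (timestamp, data)
        return "EFI_SUCCESS"


def demo():
    """Apply v1, then v2, then replay v1 (same key, older timestamp)."""
    store = AuthVarStore()
    name = b"BootPolicy"
    v1_auth = sign_update(name, 100, b"policy-v1")
    v2_auth = sign_update(name, 200, b"policy-v2")
    results = [
        store.set_variable(name, 100, b"policy-v1", v1_auth),
        store.set_variable(name, 200, b"policy-v2", v2_auth),
        store.set_variable(name, 100, b"policy-v1", v1_auth),  # replayed old update
        store.set_variable(name, 300, b"policy-v3", b"\x00" * 32),  # forged tag
    ]
    return results, store.vars[name]


if __name__ == "__main__":
    for r in demo()[0]:
        print(r)
```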

    1 Answer

    UEFI of what?

    Generally, there was no such specification initially.

    The latest UEFI specs can be found here.

    Some manufacturers use something called "Secure Rollback Prevention". If enabled, it prevents any downgrade.

    For example, the Lenovo ThinkServer series implemented this in order to prevent people from using security-flawed versions. For specific models, the BIOS cannot be downgraded to a level lower than the version listed once the BIOS is at that level or higher.

    You will have to see if your UEFI has such a feature, but note that even if there is one, it may be bypassable.

    Since something like this is possible, a forced downgrade even with an option to protect against it may be trivial to accomplish.

    • Not the firmware. The bootloaders on the EFI system partition.
      – Melab
      Commented Jul 19, 2020 at 15:37
