Secure Boot Bypass Risk Threatens Nearly 200,000 Linux Framework Laptops (bleepingcomputer.com)

(Tuesday October 14, 2025 @11:30PM (BeauHD) from the PSA dept.)


Roughly 200,000 Linux-based Framework laptops shipped with a signed UEFI shell command (mm) that [1]can be abused to bypass Secure Boot protections -- allowing attackers to load persistent bootkits like BlackLotus or HybridPetya. Framework has begun patching affected models, though some fixes and DBX updates are still pending. BleepingComputer reports:

> According to firmware security company [2]Eclypsium, the problem stems from including a 'memory modify' (mm) command in legitimately signed UEFI shells that Framework shipped with its systems. The command provides direct read/write access to system memory and is intended for low-level diagnostics and firmware debugging. However, it can also be leveraged to break the Secure Boot trust chain by targeting the gSecurity2 variable, a critical component in the process of verifying the signatures of UEFI modules.

>

> The mm command can be abused to overwrite gSecurity2 with NULL, effectively disabling signature verification. "This command writes zeros to the memory location containing the security handler pointer, effectively disabling signature verification for all subsequent module loads." The researchers also note that the attack can be automated via startup scripts to persist across reboots.



[1] https://www.bleepingcomputer.com/news/security/secure-boot-bypass-risk-on-nearly-200-000-linux-framework-sytems/

[2] https://eclypsium.com/blog/bombshell-the-signed-backdoor-hiding-in-plain-sight-on-framework-devices/
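
The summary above says DBX updates for the affected shells are still pending. As an added example (not code from the article, Eclypsium or Framework), this Python parser reads the `EFI_SIGNATURE_LIST` structures that make up the dbx variable and reports whether a given SHA-256 image digest is revoked. The efivarfs path assumes a Linux host, and every digest in it is constructed for the demo; the real shell hashes are not on this page.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification, in on-disk (mixed-endian) byte order.
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328").bytes_le
# Assumption: Linux efivarfs location of dbx (EFI_IMAGE_SECURITY_DATABASE_GUID).
DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def dbx_sha256_entries(blob):
    """Return the set of SHA-256 digests (hex) in a series of EFI_SIGNATURE_LISTs."""
    found, off = set(), 0
    while off + 28 <= len(blob):
        sig_type = blob[off:off + 16]
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        # Reject malformed lists instead of looping forever or reading past the end.
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        if sig_type == EFI_CERT_SHA256 and sig_size == 16 + 32:
            pos, end = off + 28 + hdr_size, off + list_size
            while pos + sig_size <= end:
                # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID followed by the digest.
                found.add(blob[pos + 16:pos + sig_size].hex())
                pos += sig_size
        off += list_size
    return found


def is_revoked(digest_hex, blob):
    # dbx SHA-256 entries are Authenticode image digests, not plain file hashes.
    return digest_hex.lower() in dbx_sha256_entries(blob)


def read_live_dbx(path=DBX_PATH):
    """Read dbx from efivarfs, dropping the 4-byte attribute prefix efivarfs adds."""
    with open(path, "rb") as f:
        return f.read()[4:]


def _sample_list(digests):
    # Constructed test input: one SHA-256 signature list with a zero owner GUID.
    body = b"".join(bytes(16) + bytes.fromhex(d) for d in digests)
    return EFI_CERT_SHA256 + struct.pack("<III", 28 + len(body), 0, 48) + body


# Constructed digests, not real revocation entries or the hash of any Framework binary.
SAMPLE_REVOKED = hashlib.sha256(b"constructed-revoked-image").hexdigest()
SAMPLE_MISSING = hashlib.sha256(b"constructed-unrevoked-image").hexdigest()
SAMPLE_DBX = _sample_list([SAMPLE_REVOKED]) + _sample_list(
    [hashlib.sha256(b"constructed-other").hexdigest()])
```

On a real machine, pass `read_live_dbx()` as the blob and the Authenticode SHA-256 of the shell binary published by the vendor as the digest.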



All bets are off if you have physical access (Score:2)

by sarren1901 ( 5415506 )

If you have physical access to the laptop, then all bets are off. Here's my anecdotal evidence and recent experience getting around UEFI so that I could actually install Linux on my laptop.

First, I had to boot into Windows that came installed. Yuck.

Next, I had to partition the existing hard drive within Windows.

After partitioning, I had to format the new partition within Windows.

Once the formatting was done, I had to write to the partition a Linux media installation, as my laptop didn't come with an optical

Re: (Score:2)

by caseih ( 160668 )

What laptop is this that won't allow enabling USB boot? I want to know so I can avoid buying it or recommending it to others.

Re: (Score:2)

by GameboyRMH ( 1153867 )

You don't need physical access to install a bootkit, just root access, and full disk encryption would only protect against bootkit infection via an evil maid attack. The bootkits being discussed here get installed by just running on top of the full OS with root privileges.

But on the other hand, bootkits are an extremely rare form of malware, likely the rarest type, and I think creating Secure Boot in response to it was a case of whipping a curious little problem into a crisis and then never letting a crisis g

Re: (Score:2)

by Z00L00K ( 682162 )

In newer Dell BIOS you'd have to enable Advanced BIOS settings (to the upper left in the BIOS setting screen) in order to get full BIOS control.

Then you can disable Secure Boot and set the hard drive to be AHCI instead of RAID just to make sure that you have best compatibility.

That's OK. (Score:3)

by TechyImmigrant ( 175943 )

It's a good thing I never enabled secure boot on my Framework laptop.

Shouldda ran Windows! (Score:1)

by Tablizer ( 95088 )

Just kidding, please don't kill me!

Re: (Score:1)

by firewrought ( 36952 )

Okay boys, you know what we have to do. Somebody hold him down while I reboot to the USB installer. Are we going Gnome or KDE this time?

No, it does not (Score:3)

by gweihir ( 88907 )

"Secure" boot is not about security for the user. It is DRM, plain and simple. And it serves so that Linux and other non-Windows OSes are harder to install, because Microsoft holds the keys.
