The present disclosure relates to operating systems, and more specifically, to operating system boot file security.
In a Unified Extensible Firmware Interface (UEFI)-based secure boot system, one can use a GRand Unified Bootloader (Grub) command such as pesign, sbsign, or linuxefi to protect a Linux kernel image or files in Portable Executable (PE) format. For example, if secure boot is enabled, the Grub command linuxefi will verify the digital signature of a kernel image in PE format before loading it. One significant limitation is that secure boot only works for files in PE format. Non-PE format files, such as initramfs (in the example of a Linux operating system) and the Grub.cfg file, are vulnerable to tampering by attackers. If these non-PE files are compromised, serious security problems may arise even when secure boot is enabled on the system.
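The limitation described above can be made concrete by sorting boot files into those that are PE images, and so can carry an embedded signature, and those that are not. The following is an added example, not part of the original disclosure; the file names and byte contents are constructed, and the check looks only at the file format and the presence of a PE certificate table, without validating any signature.

```python
import struct

CERT_TABLE_INDEX = 4  # data-directory slot of the PE Attribute Certificate Table

def classify_boot_file(data: bytes) -> str:
    """Classify by format only; this does not validate any signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "non-pe"
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)    # e_lfanew
    opt = pe_off + 24                                    # PE signature + COFF header
    if len(data) < opt + 2 or data[pe_off:pe_off + 4] != b"PE\0\0":
        return "non-pe"
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        return "non-pe"
    dirs = opt + (96 if magic == 0x10B else 112)         # start of data directories
    entry = dirs + 8 * CERT_TABLE_INDEX
    if len(data) < entry + 8:
        return "pe-no-cert-table"
    (count,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
    offset, size = struct.unpack_from("<II", data, entry)
    if count > CERT_TABLE_INDEX and offset and size and offset + size <= len(data):
        return "pe-with-cert-table"
    return "pe-no-cert-table"

def constructed_pe(with_cert_table: bool) -> bytes:
    """Build a minimal PE32+ header as constructed sample input (not a real kernel)."""
    header_len = 0x40 + 24 + 112 + 16 * 8
    dirs = bytearray(16 * 8)
    if with_cert_table:
        struct.pack_into("<II", dirs, 8 * CERT_TABLE_INDEX, header_len, 8)
    image = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(20)
             + struct.pack("<H", 0x20B) + bytes(106) + struct.pack("<I", 16) + bytes(dirs))
    return image + (bytes(8) if with_cert_table else b"")

# Constructed stand-ins for the contents of a boot partition.
SAMPLES = {
    "vmlinuz": constructed_pe(True),
    "vmlinuz.unsigned": constructed_pe(False),
    "initramfs.img": b"\x1f\x8b\x08" + bytes(29),        # gzip magic, not PE
    "grub.cfg": b"set timeout=5\nmenuentry 'Linux' { linuxefi /vmlinuz }\n",
}

def outside_pe_verification(files: dict) -> list:
    """Names of files that a PE signature check cannot cover."""
    return sorted(n for n, d in files.items() if classify_boot_file(d) == "non-pe")

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:18} {classify_boot_file(blob)}")
    print("not covered:", outside_pe_verification(SAMPLES))
```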