The U.S. Cybersecurity and Infrastructure Security Agency (CISA), collaborating with the National Security Agency (NSA), has announced fresh advice encouraging businesses to verify and control UEFI Secure Boot settings to combat bootkit risks.

Unveiled in December 2025 as a Cybersecurity Information Sheet (CSI), this document concentrates on vulnerabilities such as PKFail, BlackLotus, and BootHole that can evade boot-time safeguards. Organizations that overlook these verifications encounter increased threats from permanent firmware malware.

Initiated in 2006, UEFI Secure Boot imposes boot policies utilizing certificates and hashes within four variables: Platform Key (PK), Key Exchange Key (KEK), allowed database (DB), and revocation database (DBX).

This mechanism blocks unsigned boot binaries, mitigating supply chain threats amid the transition from expiring Microsoft certificates of 2011 to those from 2023. While default configurations on the majority of devices obstruct unknown malware, misconfigurations—often originating from test keys or deactivated modes—can compromise systems.

Highlighted Vulnerabilities

PKFail pertains to devices shipped with untrustworthy test certificates as their Platform Key, permitting Secure Boot circumvention. BlackLotus (CVE-2023-24932) exploited bootloader vulnerabilities to disable enforcement while the system still reported Secure Boot as active.

BootHole vulnerabilities in GRUB permitted arbitrary code execution through malformed configuration files, and the resulting mass revocations overwhelmed the limited DBX storage on older devices. These events emphasize the importance of regular audits rather than reliance on TPM or BitLocker alone.

Administrators should first verify enforcement: Windows users execute Confirm-SecureBootUEFI in PowerShell (True indicates it is active); Linux users employ sudo mokutil --sb-state.

Export variables using Get-SecureBootUEFI or efi-readvar, then evaluate with NSA’s GitHub tools for certificates/hashes. Anticipated setups incorporate system vendor PK/KEK, Microsoft 2011/2023 CAs in the DB, and DBX hashes devoid of test keys or lenient modes.

| Component | Expected Configuration | Improper Indicators |
|---|---|---|
| PK | System vendor certificate | Absent or test keys |
| KEK | Vendor + Microsoft 2011/2023 | Missing Microsoft KEKs |
| DB | Microsoft CAs + vendor | Empty or misplaced certs |
| DBX | Revocation hashes | Boot hashes or duplicates |
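As an added illustration (not from the CISA/NSA document or the NSA GitHub tools), the following Python audit parses the raw EFI_SIGNATURE_LIST bytes that Get-SecureBootUEFI or efi-readvar export and flags the indicators from the table above. The test-certificate substrings are an assumed heuristic, and the sample variables are constructed for the demonstration.

```python
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification for EFI_SIGNATURE_LIST.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Assumed heuristic: substrings seen in vendor sample/test certificate subjects.
TEST_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")


def parse_esl(blob):
    """Yield (signature_type, owner, data) for each entry of a blob made of
    concatenated EFI_SIGNATURE_LIST structures (the PK/KEK/db/dbx format)."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("corrupt EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def audit_variable(name, blob):
    """Return findings matching the 'improper indicators' column for one variable."""
    entries = list(parse_esl(blob))
    certs = [d for t, _, d in entries if t == EFI_CERT_X509_GUID]
    hashes = [d for t, _, d in entries if t == EFI_CERT_SHA256_GUID]
    findings = []
    if not entries:
        findings.append(f"{name}: empty")
    if name == "PK" and len(certs) != 1:
        findings.append(f"PK: expected one vendor certificate, found {len(certs)}")
    findings += [f"{name}: test certificate marker found" for c in certs
                 if any(m in c for m in TEST_MARKERS)]
    if name == "dbx" and len(hashes) != len(set(hashes)):
        findings.append("dbx: duplicate revocation hashes")
    return findings


def build_esl(sig_type, entries, owner=uuid.UUID(int=0)):
    """Pack equal-sized entries into one EFI_SIGNATURE_LIST (only used to
    construct the sample below; real input comes from the exported variables)."""
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0])) + body


def sample_findings():
    """Constructed sample: a test-key PK, a dbx with a duplicated hash, an empty db."""
    fake_pk = build_esl(EFI_CERT_X509_GUID, [b"\x30\x82 DO NOT TRUST - Sample Test PK"])
    h = bytes(range(32))
    dbx = build_esl(EFI_CERT_SHA256_GUID, [h, h])
    return {n: audit_variable(n, b) for n, b in (("PK", fake_pk), ("dbx", dbx), ("db", b""))}
```

On a real system, feed `audit_variable` the `.Bytes` of `Get-SecureBootUEFI -Name db` (or the file written by `efi-readvar -v db -o db.esl`); a clean result is an empty list.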

Restore through UEFI configuration to factory defaults or implement firmware/OS updates that include capsules. For enterprises, incorporate verifications into procurement testing and SCRM operations.

NSA recommends customizing the Secure Boot key hierarchy rather than disabling Secure Boot when stricter controls are needed, utilizing tools from GitHub. The guidance also underscores the use of audit modes for comprehensive review and avoiding the Compatibility Support Module (CSM).

This CSI empowers IT teams to maintain boot integrity amidst evolving threats. Download the comprehensive PDF from official channels for commands and illustrations.
