Mattiwatti / EfiGuard

Disable PatchGuard and Driver Signature Enforcement at boot time
GNU General Public License v3.0

Clarifying questions about installation: Temporary/reversible? Security vulnerabilities? #47

Closed. e-t-l closed this 2 years ago

e-t-l commented 2 years ago
  1. As the title alludes, if I use EfiGuard from USB to boot Windows, are the patches applied permanently? The description of the patching process makes it sound like yes, but the part about the USB stick sounds like the USB might have to be plugged in every time I boot. Is that correct, or am I misinterpreting it?
  2. Once I boot the loader (using the default settings), what exactly does that change? Does that just install EfiDSEFix.exe and make it available to run, or does it automatically change something about Windows (e.g. disable some security aspect)
  3. I understand that executing EfiDSEFix.exe -d disables DSE; does this require reboot?
  4. Can I later re-enable DSE?
  5. What are the main security vulnerabilities of doing this patch and disabling DSE?
  6. Do the patches persist across Windows OS updates/upgrades?

I know these are a lot of questions, and I appreciate your help!

Mattiwatti commented 2 years ago

Hi, sorry for the delay in response. I've been a bit overwhelmed with work recently.

  1. If I use EfiGuard from USB to boot Windows, are the patches applied permanently?

No, only temporarily. (Q: How temporary? A: For the duration of the boot.)

  (...) but the part about the USB stick sounds like the USB might have to be plugged in every time I boot. Is that correct, or am I misinterpreting it?

Yes, when using a USB stick that is correct. If you want something more permanent, or a USB stick is not available/convenient for some other reason, there are instructions on how to install EfiGuard on the EFI System Partition here.

  2. Once I boot the loader (using the default settings), what exactly does that change? Does that just install EfiDSEFix.exe and make it available to run, or does it automatically change something about Windows (e.g. disable some security aspect)

Booting the loader using the default settings will do two things:

  1. Disable PatchGuard (this is non-optional).
  2. Hook an EFI runtime service so that it can be used to disable DSE at runtime (more details in the architecture section and diagram in the README).

To clarify, EfiDSEFix.exe cannot be 'installed' by the loader, the driver or itself. It is a simple standalone executable that can be used to enable/disable DSE using the hook mentioned in (2).

  3. I understand that executing EfiDSEFix.exe -d disables DSE; does this require reboot?

No, in fact rebooting will undo what EfiDSEFix.exe -d does.

  4. Can I later re-enable DSE?

Yes, the command for this is EfiDSEFix.exe -e.

  5. What are the main security vulnerabilities of doing this patch and disabling DSE?

I would argue that the security impact of disabling PatchGuard is effectively nil, given how unlikely it is for EfiGuard to be running on a given target system (from a malware author's POV), and the fact that the main "benefit" PatchGuard brings is a (delayed) BSOD in the case of a detected violation.

The security impact of disabling DSE is far more considerable: it means that anyone with administrative privileges will be able to load any driver, signed or not (this includes self-signed drivers).

  6. Do the patches persist across Windows OS updates/upgrades?

There is no built-in persistence of any sort in any part of EfiGuard. So the short answer to this question is no. Since a Windows update requires a reboot, EfiGuard will not (at least by itself) persist. If you meant to ask "will it keep working?" then the answer is that yes, that is the idea, but of course I can't make guarantees for future updates to Windows by Microsoft.
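The answer above makes two points a defender can actually check on a machine: with DSE disabled, any administrator can load an unsigned or self-signed driver, and the DSE state set by EfiDSEFix.exe only lasts until the next reboot. The script below is an added example, not code from EfiGuard or from the maintainer; it audits the current boot for those two conditions by reporting the Secure Boot state (an unsigned UEFI loader cannot start while Secure Boot is enforced) and listing every loaded kernel driver whose Authenticode signature is not valid. It uses only built-in cmdlets (Confirm-SecureBootUEFI, Get-CimInstance, Get-AuthenticodeSignature); the function names are this example's own.

```powershell
# Added example, not part of EfiGuard or EfiDSEFix: audit the running system for the
# condition DSE normally prevents (unsigned/untrusted kernel drivers loaded) and the
# boot-time precondition for an unsigned UEFI loader (Secure Boot off).
# Run from an elevated PowerShell 5.1+ session on Windows 10/11.

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems and returns $false when
    # Secure Boot is off; both cases are worth surfacing to the operator.
    try {
        if (Confirm-SecureBootUEFI) { return 'Enabled' } else { return 'Disabled' }
    } catch {
        return 'Unavailable (not UEFI or query failed)'
    }
}

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several spellings:
    #   C:\Windows\system32\drivers\foo.sys
    #   \??\C:\Windows\system32\drivers\foo.sys
    #   \SystemRoot\system32\drivers\foo.sys
    #   system32\drivers\foo.sys   (relative to the Windows directory)
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-LoadedDriverSignatures {
    # Win32_SystemDriver lists kernel-mode driver services; State 'Running' means loaded.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }   # skip to next driver
            # Checks embedded Authenticode signatures and catalog signatures.
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [PSCustomObject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

function Invoke-DseAudit {
    $drivers = @(Get-LoadedDriverSignatures)
    [PSCustomObject]@{
        SecureBoot      = Get-SecureBootState
        LoadedDrivers   = $drivers.Count
        NonValidDrivers = @($drivers | Where-Object { $_.Status -ne 'Valid' })
    }
}

$report = Invoke-DseAudit
"Secure Boot: $($report.SecureBoot)"
"Loaded drivers checked: $($report.LoadedDrivers)"
if ($report.NonValidDrivers.Count -gt 0) {
    "Drivers without a valid signature (expected to be empty while DSE is enforced):"
    $report.NonValidDrivers | Format-Table Name, Status, Signer, Path -AutoSize
} else {
    "All loaded drivers carry a valid Authenticode signature."
}
```

Two caveats when reading the output. First, Get-AuthenticodeSignature applies user-mode Authenticode policy, which is looser than the kernel's code-integrity policy (a driver can report Valid here and still be one DSE would refuse to load), so a clean result is not proof that DSE is intact; a NotSigned or HashMismatch entry, however, is a strong indicator that signature enforcement was off when that driver loaded. Second, because the state set by EfiDSEFix.exe does not survive a reboot, the report only describes the current boot; run it before rebooting if you suspect a driver was loaded with DSE disabled.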