from Hacker News

Stealthy UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw

by FeaturelessBug on 3/7/23, 1:10 AM with 1 comments

  • by Trouble_007 on 3/7/23, 1:24 AM

    >rather than getting bogged down in the complexities of UEFI firmware, and having to defeat various memory detections built into the SPI-connected flash chip that stores it, BlackLotus developers deploy standard binary files to the EFI system partition. The ESP, as it’s abbreviated, is a traditional disk partition that’s much easier to access. Unlike the flash chip, the ESP *doesn’t have protections* such as BIOS Write Enable, BIOS Lock Enable, and SPI Protected Ranges, which make it difficult to write or modify stored data.

    >Running as a bootloader gives them almost the same capabilities as firmware implants, but without having to overcome the multilevel SPI flash defenses, such as the BWE, BLE, and PRx protection bits, or the protections provided by hardware (like Intel Boot Guard). Sure, UEFI Secure Boot stands in the way of UEFI bootkits, but there are a non-negligible number of known vulnerabilities that allow bypassing this essential security mechanism. And the worst of this is that some of them are still easily exploitable on up-to-date systems even at the time of this writing—including the one exploited by BlackLotus.
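The quoted passage makes the defender's point plainly: the ESP is an ordinary FAT partition with none of the SPI-flash write protections, so the compensating control is to keep an integrity baseline of the boot binaries it holds and alert on any change. The script below is an added example written for this page, not code from the thread or from the article it quotes; the ESP directory layout, the file contents and the `BOOT_EXTENSIONS` watch list are constructed for the demonstration, and a real deployment would scan the mounted ESP and store the baseline somewhere the boot path cannot alter.

```python
"""Integrity baseline for an EFI system partition (ESP).

The ESP has none of the SPI-flash write protections (BWE, BLE, PRx),
so the compensating control is to baseline the boot binaries it holds
and report anything added, removed or modified. Added example; the
paths, file contents and watch list below are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical watch list: file types the firmware or a boot manager may load.
BOOT_EXTENSIONS = {".efi", ".cfg", ".csv"}


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_esp(root: Path) -> dict[str, str]:
    """Map each watched file under the ESP root to its hash.

    Keys are paths relative to the root, forward-slashed and lower-cased,
    because FAT is case-insensitive and the same file may be listed either way.
    """
    inventory: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in BOOT_EXTENSIONS:
                rel = p.relative_to(root).as_posix().lower()
                inventory[rel] = hash_file(p)
    return inventory


def diff_inventory(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare a fresh scan against the stored baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Build a constructed ESP layout, baseline it, then simulate the two
    changes an ESP-resident bootkit produces (a dropped loader and a replaced
    OS bootloader) and return the diff report."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp)
        (esp / "EFI" / "Microsoft" / "Boot").mkdir(parents=True)
        (esp / "EFI" / "BOOT").mkdir(parents=True)
        # Constructed placeholder contents, not real binaries.
        (esp / "EFI" / "Microsoft" / "Boot" / "bootmgfw.efi").write_bytes(b"original bootmgfw")
        (esp / "EFI" / "BOOT" / "BOOTX64.EFI").write_bytes(b"fallback loader")
        (esp / "EFI" / "Microsoft" / "Boot" / "BCD").write_bytes(b"boot config store")  # not watched

        baseline = scan_esp(esp)

        # Simulated tampering after the baseline was taken.
        (esp / "EFI" / "Microsoft" / "Boot" / "bootmgfw.efi").write_bytes(b"replaced bootmgfw")
        (esp / "EFI" / "BOOT" / "grubx64.efi").write_bytes(b"unexpected loader")

        return diff_inventory(baseline, scan_esp(esp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Run it as-is to see the report on the constructed tree; pointed at a mounted ESP, `scan_esp` produces the baseline to persist and `diff_inventory` the alert input. Hashing only watched suffixes keeps the report small; widening `BOOT_EXTENSIONS` to every file trades noise for coverage.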