this post was submitted on 07 Jul 2025
82 points (96.6% liked)

Linux

8274 readers
448 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago
MODERATORS
Ategon@programming.dev
anzo@programming.dev
dwraf_of_ignorance@programming.dev
82
New Linux Security Flaw Uses Initramfs to Inject Malware (www.omgubuntu.co.uk)
submitted 21 hours ago by cm0002@programming.dev to c/linux@programming.dev
27 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] just_another_person@lemmy.world 45 points 21 hours ago (15 children)

Attackers with physical access to a Linux system can access a debug shell simply by entering the wrong decryption password several times in a row.

Yeah, no duh. This isn't a critical security flaw unless you have the worst partition scheme on your encrypted volumes imaginable. It's not even a process flaw at that point, just "possible".

This is essentially what the Israeli government did to Android a decade ago with Pegasus: if you can get in front of the bootloader, you can compromise disks once encrypted because everything is happening in an in-memory boot process.

Same way you can hotwire cars. It's not new.

[–] fmstrat@lemmy.nowsci.com 1 points 13 hours ago* (last edited 13 hours ago) (4 children)

I'm confused.

Initramfs is unencrypted in /boot when using LUKS with RAID. It has to be, right?

The attacker uses a debug shell to modify the unencrypted boot, so the next time you boot and type your LUKS password, they can gain access.

This doesn't line up with your comment?

[–] just_another_person@lemmy.world 0 points 12 hours ago (3 children)

How are you going to boot something that's encrypted without input to unlock it?

N

[–] fmstrat@lemmy.nowsci.com 4 points 9 hours ago* (last edited 8 hours ago) (1 children)

You always "boot something that is unencrypted." You then "mount" the encrypted volumes and load the OS.

This is how people can put an SSH server (dropbear) in initramfs so they can unlock remotely.

The attack is to initramfs, not the encrypted layer.

The order'ish:

  • Boot
  • Initramfs loads, gives you the LUKS prompt
  • Initramfs decrypts/mounts OS
  • OS loads
[–] just_another_person@lemmy.world -1 points 7 hours ago (1 children)

I'm well aware. You're proving my point at mount.

[–] fmstrat@lemmy.nowsci.com 1 points 3 hours ago

But.. your original comment is just.. wrong?

This isn't a critical security flaw unless you have the worst partition scheme on your encrypted volumes imaginable.

The default LUKS partition scheme is vulnerable.

It's not even a process flaw at that point, just "possible".

There is a successful POC, it is a flaw.

you can compromise disks once encrypted because everything is happening in an in-memory boot process.

This is not just in-memory. This is modifying the unencrypted part of initramfs on disk. Powering off the machine does not remove the exploit.

load more comments (1 replies)
load more comments (1 replies)
load more comments (11 replies)