The National Security Agency has released a UEFI Secure Boot Customization Cybersecurity Technical Report that provides detailed recommendations for customizing Secure Boot to better protect against firmware exploitation – a means attackers can use to gain persistent access to victim networks.
Secure Boot customization enables administrators to realize the benefits of boot malware defenses, insider threat mitigations, and data-at-rest protections. This product encourages National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) system administrators to customize Secure Boot instead of disabling it for compatibility issues.
This product follows NSA’s 30 July advisory release on the GRUB BootHole vulnerability and is published as part of NSA’s mission to help secure NSS, DoD, and DIB systems.
The full product can be viewed here.