
Critical Linux Vulnerability Allows Secure Boot Bypass via Initramfs

A newly discovered vulnerability in multiple Linux distributions allows attackers with brief physical access to bypass Secure Boot by exploiting unsigned initramfs components. The flaw enables persistent malware injection via debug shells triggered during boot failures, posing a serious risk to encrypted systems.

A significant vulnerability has been identified in several modern Linux distributions that allows attackers with short-term physical access to bypass Secure Boot protections. The attack exploits debug shells available during boot-time failures, enabling persistent malware injection that can survive reboots and remain functional even after users enter correct decryption passwords.

Key Takeaways

  1. Attackers with physical access can exploit debug shells triggered during boot failures to bypass Secure Boot.

  2. Repeated incorrect password entries initiate debug shell access, allowing modification of unsigned initramfs components.

  3. Affected distributions include Ubuntu 25.04, Debian 12, Fedora 42, and AlmaLinux 10. OpenSUSE Tumbleweed is not affected.

  4. Disabling debug shells with kernel parameters (e.g., panic=0 for Ubuntu, rd.shell=0 rd.emergency=halt for Red Hat) mitigates the risk.

Vulnerability Overview

According to security researcher Alexander Moch, the flaw centers on the Initial RAM Filesystem (initramfs), a critical part of the Linux boot process responsible for tasks such as unlocking encrypted root partitions.

Unlike kernel images and modules, the initramfs is usually not cryptographically signed, creating a weak link in the Secure Boot chain. On many distributions, multiple failed decryption attempts trigger a debug shell, granting low-level system access early in the boot process.

From this shell, an attacker can insert a USB drive containing custom tools, extract the initramfs using tools like unmkinitramfs, inject malicious scripts (e.g., into scripts/local-bottom/), and repackage it. Once injected, these malicious hooks execute after the system decrypts the root partition, remount the filesystem as read-write, and establish persistent access.

Because this attack operates within the normal boot sequence and avoids altering signed components, it evades Secure Boot protections entirely.
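Since the initramfs is the one unsigned component in this chain, a defender who cannot yet move to UKIs or TPM-bound measurement can at least detect after-the-fact modification of the image files. The script below is an added example, not code from the article or from any distribution: it records SHA-256 hashes of the initramfs images under a boot directory into a baseline and later verifies them. The image-name patterns (`initrd.img*`, `initramfs-*.img`), the function names and the constructed demo directory are assumptions; the baseline only has value if it is kept off the host, since the same physical access that modifies the image could also overwrite a local baseline.

```shell
#!/bin/sh
# Added example (not from the article): a minimal tamper check for unsigned
# initramfs images. Secure Boot does not cover them, so a known-good baseline
# of their hashes, stored off-host, lets an audit or boot-time check notice
# that an image changed. Requires GNU coreutils sha256sum.

# Write "sha256  /path/to/image" lines for every initramfs image found in
# the given boot directory. Name patterns cover Debian/Ubuntu (initrd.img-*)
# and Fedora/RHEL (initramfs-*.img) conventions; adjust for other layouts.
record_initramfs_baseline() {
    bootdir="$1"
    baseline="$2"
    : > "$baseline"                      # start from an empty baseline
    for img in "$bootdir"/initrd.img* "$bootdir"/initramfs-*.img; do
        [ -f "$img" ] || continue        # unmatched glob patterns are skipped
        sha256sum "$img" >> "$baseline"
    done
}

# Return 0 when every recorded image still matches its hash, non-zero
# otherwise (sha256sum prints a FAILED line for each changed image).
verify_initramfs_baseline() {
    baseline="$1"
    sha256sum --check --quiet "$baseline"
}

# Demo on a constructed directory standing in for /boot. The file content is
# a placeholder, not a real initramfs; on a live system you would pass /boot.
demo=$(mktemp -d)
printf 'constructed stand-in for an initramfs image\n' > "$demo/initrd.img-demo"
record_initramfs_baseline "$demo" "$demo/initramfs.sha256"
verify_initramfs_baseline "$demo/initramfs.sha256" && echo "baseline intact"
# Appending bytes simulates an image that was repacked with extra hooks.
printf 'appended bytes simulate a modified image\n' >> "$demo/initrd.img-demo"
verify_initramfs_baseline "$demo/initramfs.sha256" \
    || echo "initramfs changed since baseline; investigate before trusting this boot chain"
rm -rf "$demo"
```

A legitimate kernel or initramfs-tools update also changes these hashes, so the baseline has to be re-recorded as part of the update procedure; an unexpected mismatch outside such a window is the signal worth investigating.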

Distribution Behavior

Testing reveals varying levels of susceptibility:

  • Ubuntu 25.04: Debug shell accessible after three incorrect password attempts.

  • Debian 12: Holding the ENTER key for ~1 minute can trigger shell access.

  • Fedora 42 & AlmaLinux 10: Default initramfs lacks usb_storage, but attackers can trigger reboots and use rescue modes to bypass this limitation.

  • OpenSUSE Tumbleweed: Appears unaffected due to encrypted boot partitions by default.

This issue is a textbook example of an “evil maid” attack, where an adversary gains physical access to install persistent backdoors without detection.

Mitigation Strategies

To prevent exploitation, the following mitigations are recommended:

  • Disable debug shells during boot failures:

    • Ubuntu-based systems: Add panic=0 to the kernel command line.

    • Red Hat-based systems: Use rd.shell=0 rd.emergency=halt.

  • Enhance bootloader security:

    • Require bootloader passwords.

    • Enable SSD native encryption.

    • Encrypt boot partitions with LUKS.

  • Adopt stronger architectures:

    • Use Unified Kernel Images (UKIs) to sign kernel and initramfs together.

    • Leverage Trusted Platform Modules (TPMs) to verify initramfs integrity at boot via Platform Configuration Registers (PCRs).
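The two kernel-parameter mitigations above are easy to state and easy to get subtly wrong (for example, setting `rd.shell=0` but not `rd.emergency=halt`, or `panic=10` instead of `panic=0`). The following is an added example, not code from the article or from any distribution: it checks a kernel command line for the exact parameters the article names, per distribution family, and prints the corrected line. The family labels `ubuntu` and `redhat`, the function names and the sample command line are assumptions; the GRUB file path and regeneration commands in the comments are the standard ones for those families.

```shell
#!/bin/sh
# Added example (not from the article): audit a kernel command line for the
# debug-shell mitigations named in the article and produce a corrected line.
set -f   # command lines are split on whitespace only; never glob-expand them

# Return 0 if the exact token appears as a whole word in the command line.
has_token() {
    for word in $1; do
        [ "$word" = "$2" ] && return 0
    done
    return 1
}

# Tokens the article recommends for each family.
#   ubuntu: panic=0  (initramfs-tools treats panic=<seconds> as "reboot after
#           that delay instead of dropping to the (initramfs) shell")
#   redhat: rd.shell=0 rd.emergency=halt  (dracut: no shell, halt on emergency)
required_tokens() {
    case "$1" in
        ubuntu) echo "panic=0" ;;
        redhat) echo "rd.shell=0 rd.emergency=halt" ;;
        *) echo "unknown distribution family: $1" >&2; return 2 ;;
    esac
}

# Return 0 only when every required token for the family is present.
has_boot_shell_mitigation() {
    req=$(required_tokens "$2") || return 2
    for tok in $req; do
        has_token "$1" "$tok" || return 1
    done
    return 0
}

# Print the command line with any missing mitigation tokens appended.
with_boot_shell_mitigation() {
    cmdline="$1"
    req=$(required_tokens "$2") || return 2
    for tok in $req; do
        has_token "$cmdline" "$tok" || cmdline="${cmdline:+$cmdline }$tok"
    done
    printf '%s\n' "$cmdline"
}

# Demo on a constructed command line; on a live system read /proc/cmdline.
# Note that panic=10 is NOT the mitigation: it still delays, then reboots, and
# the script treats only the exact value from the article as mitigated.
sample="BOOT_IMAGE=/vmlinuz root=UUID=PLACEHOLDER ro quiet splash panic=10"
for fam in ubuntu redhat; do
    if has_boot_shell_mitigation "$sample" "$fam"; then
        echo "$fam: boot-failure debug shell disabled"
    else
        echo "$fam: debug shell still reachable; suggested command line:"
        echo "  $(with_boot_shell_mitigation "$sample" "$fam")"
    fi
done

# To apply on a live system, put the tokens in GRUB_CMDLINE_LINUX_DEFAULT in
# /etc/default/grub and regenerate the configuration:
#   Ubuntu/Debian:  update-grub
#   Fedora/RHEL:    grub2-mkconfig -o /boot/grub2/grub.cfg
#                   (or: grubby --update-kernel=ALL --args="rd.shell=0 rd.emergency=halt")
# then reboot and confirm with: cat /proc/cmdline
```

Disabling the shell closes the interactive path the article describes, but it does not sign the initramfs; treat it as a stop-gap until the boot chain covers the initramfs through a UKI or TPM measurement.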

This vulnerability underscores the importance of securing the entire boot chain, not just the kernel. Administrators are advised to implement mitigations promptly, especially on systems that may be exposed to physical access.
