CME-111

Secure Boot (UEFI)

Description

Firmware-level verification that only signed bootloaders and kernels execute, preventing boot-level rootkits and unauthorized kernel replacement.

CVSS Vector Impacts

| Metric | Transition | Rationale |
| --- | --- | --- |
| Integrity (I) | H → L | Cannot persist malicious bootloader or kernel modifications |
| Attack Complexity (AC) | L → H | Must bypass cryptographic verification chain |

CWE Relationships

Verification

Check UEFI Secure Boot state

$ mokutil --sb-state
# Expected: SecureBoot enabled
Platform: linux
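
The same check read directly from the firmware variables, for hosts without mokutil or where the one-line result hides a weaker state. This is an added example, not part of the original entry. It assumes efivarfs is mounted at /sys/firmware/efi/efivars and that shim exposes MokSBStateRT; the function names efi_byte and sb_state are hypothetical.

```shell
#!/bin/sh
# Added example: classify Secure Boot state from raw UEFI variables.
# An efivarfs file holds 4 attribute bytes followed by the variable data,
# so the value of a one-byte variable is at offset 4.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID
SHIM_LOCK=605dab50-e046-4300-abb6-3dd810dd8b23    # shim vendor GUID

# efi_byte DIR NAME-GUID: print the first data byte in decimal,
# or print nothing if the variable is absent or too short.
efi_byte() {
    [ -r "$1/$2" ] || return 0
    od -An -tu1 -j4 -N1 "$1/$2" 2>/dev/null | tr -d ' \n'
}

# sb_state [DIR]: print one of
#   no-efi               legacy BIOS boot or efivarfs not mounted
#   unknown              SecureBoot variable missing or unreadable
#   setup-mode           no Platform Key enrolled, signatures not enforced
#   disabled             Secure Boot switched off in firmware
#   shim-validation-off  firmware enforces, but shim validation is disabled
#   enabled              firmware and shim both enforce signatures
# Returns 0 only for "enabled", so it can gate a compliance check.
sb_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    [ -d "$dir" ] || { echo no-efi; return 1; }
    sb=$(efi_byte "$dir" "SecureBoot-$EFI_GLOBAL")
    setup=$(efi_byte "$dir" "SetupMode-$EFI_GLOBAL")
    moksb=$(efi_byte "$dir" "MokSBStateRT-$SHIM_LOCK")
    if [ -z "$sb" ]; then echo unknown; return 1; fi
    if [ "$setup" = 1 ]; then echo setup-mode; return 1; fi
    if [ "$sb" != 1 ]; then echo disabled; return 1; fi
    if [ "$moksb" = 1 ]; then echo shim-validation-off; return 1; fi
    echo enabled
}
```

Call sb_state with no argument on a live system; pass a directory only to test against constructed variable files.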