Linux has a serious secure boot flaw that hackers can exploit with a USB stick.

Hackers with physical access can bypass the secure boot safeguards of current Linux systems and plant persistent malware. Changes to the kernel will prevent the system from dropping into a debug shell when boot fails.

Secure boot, password-protected bootloaders, and fully encrypted disks will not stop hackers who have physical access to a Linux system.

ERNW security researcher Alexander Moch has discovered a significant flaw that affects Fedora and Ubuntu, two popular Linux distributions.

Attackers can insert malicious commands into a debug shell that appears after several boot failures, which is "a subtle but serious attack vector" that the boot security measures overlook. One way they can abuse the shell is through the Initial RAM Filesystem (initramfs), which the kernel uses briefly during boot to load drivers and other files needed to start the operating system.

Attackers would need only temporary physical access to a device to bypass its boot safeguards and plant persistent malware.

According to Moch, "if an erroneous password for the encrypted root partition is typed many times, the debug shell can be successfully triggered for many common Linux variants."

The malicious hooks the attacker injected into the initramfs then run the next time the victim boots and unlocks the system.

Secure boot only verifies that the kernel image and any loaded modules are signed; modifying the initramfs itself remains feasible. As a result, attackers can simply unpack the initramfs, insert malicious scripts, and repack it without altering any of the signatures that are checked.

The attacker would have to prepare a USB disk with the required tooling. The researcher used Fedora 42 and Ubuntu 25.04 with default settings and encrypted root volumes to demonstrate the attack. Other Linux distributions also provide debug shells.

On Ubuntu, for instance, when asked for the password the attacker would hit ESC and then repeatedly press CTRL+C. A repeated password prompt would have to be rejected after a 30-second timeout, and hitting CTRL+C six times then opens a debug shell.

An attacker may use the shell to run the prepared scripts, mount an external root partition from the USB drive, and create a directory.
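As an added defender's check (not code from the article or from ERNW), the following POSIX shell script audits a kernel command line for the parameters that keep the initramfs from falling back to an interactive debug shell on boot failure. It assumes that dracut honours rd.shell=0 and that initramfs-tools honours panic=<seconds>, and it treats any rd.* token as a sign that dracut built the initramfs; the sample command lines are constructed, not captured from a real host.

```shell
#!/bin/sh
# Audit kernel command lines for the debug-shell fallback (added example).
# Assumptions: dracut disables its emergency shell with rd.shell=0;
# initramfs-tools reboots instead of spawning a shell when panic=<seconds>
# is set; a token starting with "rd." indicates a dracut-built initramfs.

# Return 0 when the dracut emergency shell is disabled on this command line.
dracut_shell_disabled() {
    case " $1 " in
        *" rd.shell=0 "*) return 0 ;;
    esac
    return 1
}

# Return 0 when initramfs-tools is told to reboot rather than open a shell.
initramfs_tools_shell_disabled() {
    for tok in $1; do
        case "$tok" in
            panic=[0-9]*) return 0 ;;
        esac
    done
    return 1
}

# Guess the initramfs generator from the command line (heuristic, see above).
initramfs_flavour() {
    for tok in $1; do
        case "$tok" in
            rd.*) echo dracut; return 0 ;;
        esac
    done
    echo initramfs-tools
}

# Overall verdict: 0 = debug shell fallback disabled, 1 = host is exposed.
debug_shell_disabled() {
    case "$(initramfs_flavour "$1")" in
        dracut) dracut_shell_disabled "$1" ;;
        *) initramfs_tools_shell_disabled "$1" ;;
    esac
}

# Print a one-line report for a command line.
audit_cmdline() {
    if debug_shell_disabled "$1"; then
        echo "OK: debug shell fallback disabled ($1)"
    else
        echo "EXPOSED: boot failure drops to an initramfs shell ($1)"
    fi
}

# Constructed samples: a default-looking line and a hardened one.
SAMPLE_EXPOSED="BOOT_IMAGE=/vmlinuz root=/dev/mapper/root ro quiet splash"
SAMPLE_HARDENED="BOOT_IMAGE=/vmlinuz root=/dev/mapper/root ro rd.luks.uuid=x rd.shell=0 panic=0"
audit_cmdline "$SAMPLE_EXPOSED"
audit_cmdline "$SAMPLE_HARDENED"
if [ -r /proc/cmdline ]; then audit_cmdline "$(cat /proc/cmdline)"; fi
```

Running it on a live host reports on the booted kernel's own command line as the last line of output.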
