Preventing BIOS rootkit on Ubuntu Linux

Solution 1:

Be careful with installing software from unknown sources.

You might get more security ideas by looking at this project :

https://en.wikipedia.org/wiki/Qubes_OS

That project is developed by security experts.
The idea is to isolate work, home, play etc.

You can use this isolation idea yourself already by using Virtualbox, KVM, Qemu client guest install for "play", therefore having some isolation from your real important things.

Do you have rkhunter installed? It is a rootkit detection program. You can install it and run

sudo dpkg-reconfigure rkhunter

to adjust the settings to your taste. You can also install the chkrootkit package, but chkrootkit might give you more false alarms (Depending on which other programs you will install, or have running. Which is okay if can find out what is causing the false alarm).

http://packages.ubuntu.com/search?keywords=rkhunter

https://en.wikipedia.org/wiki/Rkhunter

Furthermore you can also install Lynis to perform a security check on your computer.

https://en.wikipedia.org/wiki/Lynis

Solution 2:

Afaik there has been no observation of BIOS rootkit malware in the wild so far, only other rootkit types. So in that aspect your question sounds pretty hypothetical at this point but I'm going to indulge you anyway.

All the things you're listing as examples are general security advices against all types of malware.

If you're looking for defences specifically against malware in the BIOS then your best option is Secure Boot which helps to prevent the injection of unsigned boot loaders and kernel modules into the boot process. This assumes that the BIOS rootkit managed to place itself into the system firmware but not to disable or circumvent Secure Boot. This situation may happen if the malware comes in form of a UEFI module that doesn't modify the behaviour of the core UEFI firmware.

Other than that, don't run untrustworthy software in a trusted environment – especially not as super-user or in the kernel – and don't give untrustworthy people physical access to your machine, lest the trusted environment is tainted to become untrustworthy itself.

Solution 3:

Nope, you've covered all the bases already.

Provided you understand and follow basic security protocols (as you've discussed in your post) and prevent unauthorized people from using your machine, there isn't much else you can do to prevent rootkits or similar.

The most common entry point on a well-maintained and sanely designed system would be through the use of zero-day or disclosed-but-not-yet-fixed exploits, but these are mostly unavoidable.

The one further piece of advice which may be of use is to avoid creating an unnecessary surface for attack. If you don't need something installed, get rid of it to prevent it from being used against you. Same goes for PPAs and similar. Plus, it helps clean up your machine and make it easier to administer.

Otherwise, install and use rkhunter and similar defensive strategies, and just keep doing what you're normally doing. Linux's permission isolation is inherently safe, so unless you're doing something to violate that (like running everything you can with sudo), arbitrarily running executables, using unknown/untrusted PPAs, you should be fine.

As for avoiding BIOS rootkits specifically, check if your BIOS has a "signature verification" mode or similar. Such a mode will prevent your BIOS from updating unless it detects a valid cryptographic signature, which is usually only present on legitimate updates from your manufacturer.