
UEFI secure boot anti-rollback

Çağlar Arlı

I haven't seen any mechanism by which UEFI can detect the most recent update to a binary being swapped out for an older binary that was signed with the same key as the up-to-date binary. Google's vboot is the only PC firmware I know of that uses anti-downgrade counters. Does the UEFI specification specify a way to thwart rollback attacks on the boot payload(s), such as the Windows bootloader, the Windows kernel, GRUB2, and Linux kernel images?

Update: UEFI does offer authenticated variables that incorporate a timestamp or a monotonic counter in update verification to prevent rewriting the variable to an older value, but I don't know if this is used to thwart rollback attempts on the boot payload(s).
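An added illustration, not part of the question and not code from any UEFI implementation, of the timestamp check the update refers to: a toy variable store that accepts an update only when its signature is valid and its timestamp is newer than the one already stored, so replaying an older, validly signed update is refused. HMAC stands in for the PKCS#7 signature in the EFI_VARIABLE_AUTHENTICATION_2 descriptor and an integer stands in for EFI_TIME; the variable name and all values are constructed.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass
class AuthVar:
    value: bytes
    timestamp: int  # stand-in for the EFI_TIME stored with a time-based authenticated variable


def sign_update(key: bytes, name: str, timestamp: int, value: bytes) -> bytes:
    # Real firmware verifies a PKCS#7 signature over name, GUID, attributes,
    # timestamp and data; an HMAC over name|timestamp|value is the stand-in here.
    msg = name.encode() + timestamp.to_bytes(8, "big") + value
    return hmac.new(key, msg, hashlib.sha256).digest()


class VariableStore:
    """Toy model of SetVariable() for time-based authenticated variables."""

    def __init__(self, key: bytes):
        self.key = key
        self.vars: dict[str, AuthVar] = {}

    def set_variable(self, name: str, timestamp: int, value: bytes, sig: bytes) -> str:
        expected = sign_update(self.key, name, timestamp, value)
        if not hmac.compare_digest(expected, sig):
            return "EFI_SECURITY_VIOLATION"  # signature does not verify
        current = self.vars.get(name)
        if current is not None and timestamp <= current.timestamp:
            # Valid signature, but not newer than what is stored: rollback replay rejected.
            return "EFI_SECURITY_VIOLATION"
        self.vars[name] = AuthVar(value, timestamp)
        return "EFI_SUCCESS"


def demo() -> tuple[list[str], bytes]:
    """Apply v1, then v2, then replay the older v1 update (constructed values)."""
    key = b"constructed-demo-key"
    name = "PayloadVersion"
    store = VariableStore(key)
    results = []
    for value, ts in ((b"bootloader-v1", 100), (b"bootloader-v2", 200), (b"bootloader-v1", 100)):
        results.append(store.set_variable(name, ts, value, sign_update(key, name, ts, value)))
    return results, store.vars[name].value


if __name__ == "__main__":
    print(demo())  # (['EFI_SUCCESS', 'EFI_SUCCESS', 'EFI_SECURITY_VIOLATION'], b'bootloader-v2')
```

Whether a loader consults such a variable before running a boot payload is a separate policy decision; the store only guarantees the variable itself cannot be rolled back.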