{"id":22574553,"url":"https://github.com/anvilsecure/symlink-secure-boot-vm","last_synced_at":"2026-01-07T16:05:40.939Z","repository":{"id":131080511,"uuid":"286606370","full_name":"anvilsecure/symlink-secure-boot-vm","owner":"anvilsecure","description":"VM demonstration various symlink and hard link attacks against secure boot. See the whitepaper at: https://www.anvilventures.com/blog/defeating-secure-boot-with-symlink-attacks.html","archived":false,"fork":false,"pushed_at":"2020-08-11T20:23:33.000Z","size":104,"stargazers_count":14,"open_issues_count":0,"forks_count":2,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-02-02T15:33:41.808Z","etag":null,"topics":["attacks","boot","hacking","secure","secureboot","security","symlinks","vms","whitepaper"],"latest_commit_sha":null,"homepage":"https://www.anvilventures.com/blog/defeating-secure-boot-with-symlink-attacks.html","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/anvilsecure.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-08-11T00:24:21.000Z","updated_at":"2024-04-10T21:07:24.000Z","dependencies_parsed_at":null,"dependency_job_id":"42281a97-1c60-41f3-9245-1f6fcf93128d","html_url":"https://github.com/anvilsecure/symlink-secure-boot-vm","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anvilsecure%2Fsymlink-secure-boot-vm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anvilsecure%2Fsymlink-secure-boot-vm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anvilsecure%2Fsymlink-secure-boot-vm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anvilsecure%2Fsymlink-secure-boot-vm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/anvilsecure","download_url":"https://codeload.github.com/anvilsecure/symlink-secure-boot-vm/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246051129,"owners_count":20715792,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attacks","boot","hacking","secure","secureboot","security","symlinks","vms","whitepaper"],"created_at":"2024-12-08T03:06:55.703Z","updated_at":"2026-01-07T16:05:40.885Z","avatar_url":"https://github.com/anvilsecure.png","language":"HTML","readme":"## Defeating Secure Boot with Symlink (\u0026 Hard Link) Attacks\n\nThis project is a virtual machine created to demonstrate the various attacks detailed in Anvil's [Defeating Secure Boot with Symlink and Hard Link Attacks](https://www.anvilventures.com/wp-content/uploads/2020/08/Defeating-Secure-Boot-with-Symlink-Hard-Link-Attacks.pdf) white paper.\n\nA typical Linux embedded system with secure boot cryptographically verifies the boot loader, kernel, and root file system. This can have the effect of making the root file system read only. This presents the embedded developer with a problem. Where then can an embedded developer store device-specific data such as configurations and logs between reboots? A common solution is to create an unprotected storage partition for non-volatile data (data that can be retrieved after power cycling) and mount it in a location such as /storage. Ideally, the non-volatile storage partition should be protected with cryptographic integrity checks, but from our experience, this is rarely done.\n\nThis virtual machine demonstrates how to attack systems configured with a split file system, a protected root file system, and a non-protected /storage partition.\n\n### Running\n\n1. Download the latest release.\n\n2. Install [QEMU](https://www.qemu.org) and ensure `qemu-system-x86_64` is in your path.\n\n3. Start the virtual machine\n\n   ```sh\n   \u003e cd symlink-secure-boot-vm\n   \u003e ./start-qemu.sh serial-only\n   ```\n\nThe virtual machine utilizes QEMU's user networking and forwards two ports, 8888 and 2121. The 8888 port runs a web server hosting services demonstrating the issues and can be reached at http://localhost:8888. The 2121 port is forwarded to an FTP service. Due to using QEMU's user networking to access the FTP service you need to use your interface's IP address and FTP active mode. Or modify the script to use Tap networking.\n\nBrowse to http://localhost:8888 to get started!\n\n![screenshot](screenshot.png)\n\n### Building\n\nWe used Buildroot's br2_external feature to construct the virtual machine.\n\n1. Download [Buildroot](https://buildroot.org/download.html) (we used buildroot-2020.02.3)\n2. Download/clone source.\n3. Build using Buildroot's external  \n\n```sh\n\u003e cd buildroot\n\u003e make BR2_EXTERNAL=../symlink-secure-boot-vm anvil_symlink-qemu_defconfig\n\u003e make\n\u003e ./output/images/start-qemu.sh serial-only\n```\n\n### About\n\nAll rights reserved. Copyright (C) 2020 by Anvil Ventures Inc.\nFor licensing information see LICENSE.\nFor more information contact Michael Milvich \u003cmichael.milvich@anvilventures.com\u003e\n\nTo find updated source code or to contribute patches go to the following URL: https://github.com/anvilventures/symlink-secure-boot-vm","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanvilsecure%2Fsymlink-secure-boot-vm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fanvilsecure%2Fsymlink-secure-boot-vm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanvilsecure%2Fsymlink-secure-boot-vm/lists"}