Unexplained changes in boot order - possible compromise?

Discussion in 'privacy problems' started by krustytheclown2, Feb 4, 2015.

  1. krustytheclown2 (Registered Member, Nov 18, 2014)
    Recently I bought a new laptop, and bought a used hard drive for it off the internet.

    With the hard drive, in order to securely wipe it, I first plugged it into an old computer and installed one linux distro over whatever was on the disk. Then I put the disk in my new laptop and installed the distro I'm currently using over the first one. I set my UEFI to boot first from USB then from the HDD, and didn't look at it again until yesterday.

    Yesterday I tried booting into a live USB that I know was burned properly because it works on other computers. It didn't boot from it straight away like it's supposed to, so I looked at the boot options and I saw that option 1 was set to "Windows Boot Manager: thebrandofmyhdd xxxxxxxxx" and 2 as "mylinuxdistro: thebrandofmyhdd xxxxxx".

    When I tried to change option 1 to USB, it wasn't even available as an option, I could only pick from the two I just mentioned. It seems that somehow the boot order and options were changed by somebody else. I've done a pretty good job (to a paranoid level) of keeping my laptop physically secure from anybody other than myself, but of course I ordered the HDD from the web and it could have been intercepted. I figured that if I wipe the disk twice, it should be safe, but the apparent persistence of a "Windows Boot Manager" on a linux-only disk is disconcerting and odd...

    Another odd thing I've noticed is that I no longer see the screen with my laptop's brand name upon bootup, it just goes straight from black into the Grub menu. I don't know what this means and I can't even remember when it started, but it isn't keeping my mind at ease....

    Does anybody know whether these are signs of a potential compromise of my UEFI, or maybe of the firmware or some persistent partition of the HDD? At this point I've lost trust in this fairly new computer but I would appreciate some insight.
  2. ahriman (Registered Member, Sep 18, 2007)
    Hi krusty,
    I don't believe you have a security problem. Probably the hard drive came from a computer with Windows and is set up to boot Windows, no matter what. My HP laptop came with Windows 8, and I had to change system settings *in Windows* before I could modify the UEFI to allow both 'USB 2.0 compatibility mode' and 'BIOS boot.'

    Check your hard drive for an EFI partition. It will be near the start of the disk, and formatted as fat32.
    There is probably a Microsoft directory there. Renaming it should solve your problem.

    Simply installing Linux (in UEFI mode) on the drive won't get rid of the Microsoft boot directory, so I think that's your problem.

    Good luck!
  3. krustytheclown2 (Registered Member, Nov 18, 2014)
    Looking at my file systems, I have my main partition, /dev/sda3/boot which seems normal, and /dev/sda2/boot/efi with type vfat which has 103 MB allocated, of which only 350 KB is being used.

    So it does indeed seem that there is a partition outside of my linux installation that won't go away regardless of reinstallations. Do you know of a way to get rid of it without having to do it by reinstalling Windows? I don't feel particularly comfortable about the presence of an opaque partition whose contents/existence I am unable to change; it's probably nothing, as you said, but I tend towards the paranoid side for (I think) good reason.

    The thing that scared me is that originally the system had no problem booting from USB; that's how I installed linux. Things changing without my action worry me a bit.
  4. ahriman (Registered Member, Sep 18, 2007)
    UEFI setups aren't all the same, they vary with the manufacturer. Note: I am NOT an expert
    on UEFI; I am just relating what worked for me. Are you sure you installed in UEFI mode?
    On my system, I could install in BIOS mode or in UEFI mode, depending on how I booted
    the install media.

    Anyway, I think you don't want to delete your efi partition, /dev/sda2/boot/efi.
    You would need to reinstall Linux then, assuming you did the installation in UEFI mode.

    That efi partition is normal, and required for booting in UEFI mode. It was the Windows folder
    on the efi partition that caused my problem. I think my Windows folder on the efi was named
    /dev/sda2/boot/efi/bootmanager. Wish I could remember. I just moved my 'bootmanager' folder
    (let's pretend that was the name) to 'DELETE_THIS-bootmanager'. (The folder with the Windows
    related stuff was the culprit.)

    I completely understand your 'paranoia', but UEFI won't work without the efi partition,
    like DOS or Windows 7 wouldn't work without the boot sector. I deleted my efi partition
    ONLY because OpenBSD doesn't understand gpt type disk partitioning. You are safer
    keeping linux in UEFI mode, as that is working on your system.
    A UEFI computer can boot in both BIOS and UEFI mode, so there wouldn't be a problem
    booting from USB. If you hit your 'select BOOT media' key at boot, you will probably see the
    two options there, at least I did, on my system.

    In my case, I wanted to run OpenBSD on the computer, but first I tried Ubuntu in
    UEFI mode (with the efi partition still there--I was nervous about what would happen.)
    That worked for me, and I think this is probably your situation at the moment. I also
    had problems with Windows 8 boot coming up, and not working because there was
    no Windows to boot. I backed up the EFI partition, just in case, and noted its size, etc.,
    so I could re-create it again if anything went wrong.

    I think all you really need to do is mount the EFI partition in linux, and rename that
    Windows folder on the efi partition. Your linux boot folder will still be there, and should work.
    But you can just reinstall the Linux boot files to the efi partition using your install CD/USB
    if the boot does get messed up. (You must boot the linux CD/USB in UEFI mode if you need to
    reinstall the UEFI bootloader.) I think it is fine as you aren't changing the partition table,
    just renaming a directory which is no longer needed.

    I found lots of good information on linux and EFI/UEFI on the Ubuntu forums, BTW. More
    information than I could handle is at:
    He talks about UEFI in detail on some of his pages. UEFI seems to be a bit of a mess right now.
    A real 'wild west' out there. Very confusing, at least to me!
    Last edited: Feb 5, 2015
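The inventory-then-rename procedure ahriman describes, as an added example that is not code from either poster: it hashes every file on a mounted EFI System Partition (assumed mounted at a path you pass in, such as /boot/efi from the thread), lists the vendor directories under EFI/ that the firmware boot menu reflects, compares a later inventory against the saved baseline so a directory or loader that appears without your action stands out, and renames a vendor directory using the thread's own DELETE_THIS- convention only after a baseline has been written. Function names and the sha256sum dependency are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the ESP is already mounted at
# the directory passed as $1 and that sha256sum (coreutils) is available.

# esp_manifest DIR: print "sha256  ./relative/path" for every file under DIR,
# sorted so the listing is stable between runs and diffable.
esp_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sha256sum "$f"
      done )
}

# esp_loaders DIR: list the vendor directories under EFI/. These are what the
# firmware shows as boot entries such as "Windows Boot Manager" or "ubuntu".
esp_loaders() {
    for d in "$1"/EFI/*/; do
        if [ -d "$d" ]; then basename "$d"; fi
    done | LC_ALL=C sort
}

# esp_diff BASELINE DIR: print files added, removed or changed since the
# saved manifest; exit status 0 when nothing differs, 1 otherwise.
esp_diff() {
    changes=$(esp_manifest "$2" | diff "$1" - || true)
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# esp_quarantine DIR NAME BASELINE: write a baseline manifest of DIR to
# BASELINE, then rename EFI/NAME to EFI/DELETE_THIS-NAME (the thread's own
# convention) so the step is reversible with a plain mv. Refuses to run when
# EFI/NAME does not exist, so a typo cannot silently do nothing.
esp_quarantine() {
    if [ ! -d "$1/EFI/$2" ]; then
        echo "no EFI/$2 directory on $1" >&2
        return 1
    fi
    esp_manifest "$1" > "$3"
    mv "$1/EFI/$2" "$1/EFI/DELETE_THIS-$2"
}
```

On a real system, compare the directory names from esp_loaders with the entries `efibootmgr -v` reports, and keep the baseline file somewhere other than the ESP so it is not counted as a change on the next run.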