I came across a peculiar issue and wanted to share my thoughts in case someone more knowledgeable can analyze it further.
My suspicion is that this might be related to a UEFI rootkit, potentially injected through Unicode normalization. Specifically, I believe the æ character is being used during the injection process. The idea is that this character, æ, gets embedded deep within the ACPI tables, possibly as part of malicious firmware modifications.

Here’s where it gets strange: when attempting to access these tables from Linux, it seems the æ character is normalized to AE (Unicode normalization), which could explain why direct access to the altered ACPI data fails or behaves unexpectedly.

I can somewhat prove this behavior because when I use a SPI flasher to erase the BIOS chip completely and then re-flash the UEFI BIOS from the manufacturer’s original image, something different happens on the first boot. Initially, I get error messages about misplaced GPT partitions with invalid sector addresses, but the ACPI error involving AE does not appear yet. Then, upon the first boot, it seems like some malicious code is somehow loaded from the storage drives (which, in my case, are all infected!). After this happens, the system freezes completely. When I restart the machine, the ACPI error involving AE reappears, even if I’m booting directly from an installation media. This suggests that the malicious code persists on the drives and re-infects the system at a very low level.

Additionally, I can further support this suspicion because I was hacked a little over a year ago, during which I communicated with the hackers through a chatbox running on the UEFI level. Since then, these issues have been happening consistently.

I’m no expert on this, but this behavior caught my attention, and I’m wondering if there’s anyone here with expertise in firmware security, ACPI handling, or UEFI rootkits who could take a closer look. Could this be a vector for persisting malicious code in UEFI firmware or storage devices?
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2028933

Title:
  ACPI BIOS Error (bug): Failure creating named object [\_SB.PCI0.XHC.RHUB.GPLD], AE_ALREADY_EXISTS (20210730/dswload2-326)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-signed-hwe-5.15/+bug/2028933/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
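For anyone triaging a report like this one, it helps to read the kernel's ACPICA diagnostic line field by field: the message in the bug title has the shape `ACPI BIOS Error (bug): <message>, AE_<STATUS> (<ACPICA version>/<ACPICA source module>-<source line>)`, where `AE_` is the prefix ACPICA uses for all of its status codes and `20210730/dswload2-326` names the ACPICA release, source file and line that raised the status. The script below is an added example, not part of the bug report or of the Ubuntu kernel; it parses such lines out of a dmesg capture, pulls out the ACPI namespace object involved, and counts how often each (status, object) pair recurs so that a long log collapses into a short triage table. Only the first sample line is the bug's own title line; the other lines are constructed, and the object name `LCDV` in one of them is hypothetical.

```python
"""Parse ACPICA error lines from a Linux kernel log (dmesg/journal) for triage.

Added example; not code from the Launchpad bug report or from the kernel.
"""
import re
from collections import Counter
from typing import Optional

# Shape of an ACPICA error as printed by the Linux kernel:
#   ACPI BIOS Error (bug): <message>, AE_<STATUS> (<acpica-version>/<module>-<line>)
# Some variants put the status in parentheses ("... (AE_NOT_FOUND) (.../psparse-529)").
# The trailing tuple identifies the ACPICA release date and the ACPICA source
# module/line that raised the status; it says nothing about the firmware image.
ACPI_ERROR_RE = re.compile(
    r"ACPI(?: BIOS)? Error(?: \(bug\))?: "
    r"(?P<msg>.*?),?\s*\(?(?P<status>AE_[A-Z_]+)\)?\s*"
    r"\((?P<version>\d{8})/(?P<module>[A-Za-z0-9_]+)-(?P<line>\d+)\)\s*$"
)

# The namespace object is usually printed in square brackets ([\_SB.PCI0...]);
# method-abort lines print a bare rooted path instead, so accept either form.
OBJECT_PATH_RE = re.compile(r"\[(?P<path>[^\]]+)\]|(?P<bare>\\[A-Za-z0-9_.^\\]+)")

# Short meanings for the two status codes that dominate "ACPI BIOS Error" reports.
STATUS_HINTS = {
    "AE_ALREADY_EXISTS": "AML tried to create a namespace object whose name already "
                         "exists (the same name defined in more than one table)",
    "AE_NOT_FOUND": "AML referenced a namespace object that does not exist",
}


def parse_acpi_error(line: str) -> Optional[dict]:
    """Return the parsed fields of one ACPICA error line, or None if it is not one."""
    m = ACPI_ERROR_RE.search(line)          # search: tolerate dmesg/journal prefixes
    if not m:
        return None
    rec = m.groupdict()
    rec["line"] = int(rec["line"])
    obj = OBJECT_PATH_RE.search(rec["msg"])
    rec["object"] = (obj.group("path") or obj.group("bare")) if obj else None
    rec["hint"] = STATUS_HINTS.get(rec["status"], "status not in hint table")
    return rec


def summarize(lines) -> Counter:
    """Count (status, object) pairs so a repeated error collapses into one row."""
    counts = Counter()
    for line in lines:
        rec = parse_acpi_error(line)
        if rec:
            counts[(rec["status"], rec["object"])] += 1
    return counts


# Constructed sample log. Line 0 reproduces the bug's title line with a dmesg
# timestamp prefix; the rest are made up to exercise the other message shapes.
SAMPLE_LOG = [
    "[    0.412345] ACPI BIOS Error (bug): Failure creating named object "
    "[\\_SB.PCI0.XHC.RHUB.GPLD], AE_ALREADY_EXISTS (20210730/dswload2-326)",
    # constructed: unresolved reference to a hypothetical object name (LCDV)
    "[    0.412400] ACPI BIOS Error (bug): Could not resolve symbol "
    "[\\_SB.PCI0.GFX0.DD02.LCDV], AE_NOT_FOUND (20210730/psargs-330)",
    # constructed: method-abort line, status in parentheses, bare path
    "[    0.412500] ACPI Error: Aborting method \\_SB.PCI0.GFX0.DD02._BCL due to "
    "previous error (AE_NOT_FOUND) (20210730/psparse-529)",
    # constructed: ordinary boot noise that must be ignored
    "[    0.413000] usb 1-1: new high-speed USB device number 2 using xhci_hcd",
    # the title line again, to show that the summary counts repeats
    "[    1.000000] ACPI BIOS Error (bug): Failure creating named object "
    "[\\_SB.PCI0.XHC.RHUB.GPLD], AE_ALREADY_EXISTS (20210730/dswload2-326)",
]

if __name__ == "__main__":
    for (status, obj), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}x {status:<20} {obj}  -- {STATUS_HINTS.get(status, '')}")
```

Run it against a real capture with `dmesg | python3 thisfile.py`-style piping by replacing `SAMPLE_LOG` with `sys.stdin`; the regex deliberately uses `search` rather than `match` so both `dmesg` timestamps and `journalctl -k` prefixes are tolerated. Two identical `AE_ALREADY_EXISTS` rows for the same object across reboots point at the same table content being loaded each time, which is what you would expect from a fixed DSDT/SSDT set rather than from something changing between boots.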