Deploying low-level malware implants

Once an attacker manages to execute malicious code inside the SMM they could potentially inject a persistent malware implant inside the UEFI, but this depends on the platform’s configuration, as UEFI can have additional protections such as AMD’s ROM Armor, which controls access to the SPI flash memory where UEFI is stored.

However, ROM Armor is a newer feature and does not exist in most computers impacted by the vulnerability. Another feature that could prevent malware inside the UEFI is Platform Secure Boot, which establishes a cryptographic chain of trust for UEFI firmware code; but this is not present or enabled in all systems either.

Even if these features are enabled, attackers could at the least break Secure Boot, which is meant to protect the integrity of the OS boot process and only allow signed bootloaders to execute. By defeating Secure Boot, attackers can deploy a boot-level rootkit, or bootkit, that will execute before the OS kernel starts and take control over the entire system, being able to hide processes and files from any OS-level endpoint security product.