I came across a peculiar issue and wanted to share my thoughts in case
someone more knowledgeable can analyze it further.

My suspicion is that this might be related to a UEFI rootkit,
potentially injected through Unicode normalization. Specifically, I
believe the æ character is being used during the injection process. The
idea is that this character, æ, gets embedded deep within the ACPI
tables, possibly as part of malicious firmware modifications.

Here’s where it gets strange: When attempting to access these tables
from Linux, it seems the æ character is normalized to AE (Unicode
normalization), which could explain why direct access to the altered
ACPI data fails or behaves unexpectedly.

I can somewhat prove this behavior because when I use a SPI flasher to
erase the BIOS chip completely and then re-flash the UEFI BIOS from the
manufacturer’s original image, something different happens on the first
boot. Initially, I get error messages about misplaced GPT partitions
with invalid sector addresses, but the ACPI error involving AE does not
appear yet.

Then, upon the first boot, it seems like some malicious code is somehow
loaded from the storage drives (which, in my case, are all infected!).
After this happens, the system freezes completely. When I restart the
machine, the ACPI error involving AE reappears, even if I’m booting
directly from an installation media. This suggests that the malicious
code persists on the drives and re-infects the system at a very low
level.

Additionally, I can further support this suspicion because I was hacked
a little over a year ago, during which I communicated with the hackers
through a chatbox running on the UEFI level. Since then, these issues
have been happening consistently.

I’m no expert on this, but this behavior caught my attention, and I’m
wondering if there’s anyone here with expertise in firmware security,
ACPI handling, or UEFI rootkits who could take a closer look. Could this
be a vector for persisting malicious code in UEFI firmware or storage
devices?

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-signed-hwe-5.15 in Ubuntu.
https://bugs.launchpad.net/bugs/2028933

Title:
  ACPI BIOS Error (bug): Failure creating named object
  [\_SB.PCI0.XHC.RHUB.GPLD], AE_ALREADY_EXISTS (20210730/dswload2-326)

Status in linux-signed-hwe-5.15 package in Ubuntu:
  Confirmed

Bug description:
  At boot up after the GRUB selection, these ACPI BIOS Error (bug)
  appear.

  These errors were taken from dmesg but they report a similar error at boot up
  [    0.320650] ACPI BIOS Error (bug): Failure creating named object [\_SB.PCI0.XHC.RHUB.GPLD], AE_ALREADY_EXISTS (20210730/dswload2-326)
  [    0.320680] fbcon: Taking over console
  [    0.320694] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20210730/psobject-220)
  [    0.320700] ACPI: Skipping parse of AML opcode: Method (0x0014)
  [    0.320705] ACPI BIOS Error (bug): Failure creating named object [\_SB.PCI0.XHC.RHUB.TPLD], AE_ALREADY_EXISTS (20210730/dswload2-326)
  [    0.320712] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20210730/psobject-220)
  [    0.320717] ACPI: Skipping parse of AML opcode: Method (0x0014)
  [    0.320720] ACPI BIOS Error (bug): Failure creating named object [\_SB.PCI0.XHC.RHUB.GUPC], AE_ALREADY_EXISTS (20210730/dswload2-326)
  [    0.320727] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20210730/psobject-220)
  [    0.320731] ACPI: Skipping parse of AML opcode: Method (0x0014)
  [    0.320734] ACPI BIOS Error (bug): Failure creating named object [\_SB.PCI0.XHC.RHUB.TUPC], AE_ALREADY_EXISTS (20210730/dswload2-326)
  [    0.320741] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20210730/psobject-220)
  [    0.320745] ACPI: Skipping parse of AML opcode: Method (0x0014)
  [    0.320793] ACPI BIOS Error (bug): Failure creating named object [\_SB.PCI0.XHC.RHUB.HS01._UPC], AE_ALREADY_EXISTS (20210730/dswload2-326)
  [    0.320801] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20210730/psobject-220)
  [    0.320806] ACPI: Skipping parse of AML opcode: Method (0x0014)

  
  Then at runtime random Multiple Corrected errors appear at this PCIe port:
  1c.0-[01]----00.0  Advanced Micro Devices, Inc. [AMD/ATI] Topaz XT [Radeon R7 M260/M265 / M340/M360 / M440/M445 / 530/535 / 620/625 Mobile]

  Not exactly connected, but similar reports of the ACPI error above are
  related to NVIDIA. Not sure if it helps.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: linux-image-5.15.0-78-generic 5.15.0-78.85~20.04.1
  ProcVersionSignature: Ubuntu 5.15.0-78.85~20.04.1-generic 5.15.99
  Uname: Linux 5.15.0-78-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.27
  Architecture: amd64
  CasperMD5CheckResult: skip
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Jul 28 19:17:58 2023
  InstallationDate: Installed on 2021-08-15 (712 days ago)
  InstallationMedia: Ubuntu 20.04.1 LTS "Focal Fossa" - Release amd64 (20200731)
  SourcePackage: linux-signed-hwe-5.15
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-signed-hwe-5.15/+bug/2028933/+subscriptions
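As an added example (my own code, not part of the bug report or of the kernel project), here is a small parser and triage summary for the ACPI lines quoted in the bug description. It extracts the timestamp, the ACPICA status name (the `AE_*` token the kernel prints after the object path; `AE_ALREADY_EXISTS`, `AE_OK` and the like are ACPICA's status codes), the namespace path of the object that could not be created, and the ACPICA module/line in parentheses, then groups the failures by parent scope so the affected device subtree is visible at a glance. The sample input is the dmesg excerpt from the description; every function name below is my own choice.

```python
import re
import sys
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Sample dmesg excerpt copied from the bug description in this thread.
SAMPLE_DMESG = "\n".join([
    r"[    0.320650] ACPI BIOS Error (bug): Failure creating named object [\_SB.PCI0.XHC.RHUB.GPLD], AE_ALREADY_EXISTS (20210730/dswload2-326)",
    r"[    0.320680] fbcon: Taking over console",
    r"[    0.320694] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20210730/psobject-220)",
    r"[    0.320700] ACPI: Skipping parse of AML opcode: Method (0x0014)",
    r"[    0.320705] ACPI BIOS Error (bug): Failure creating named object [\_SB.PCI0.XHC.RHUB.TPLD], AE_ALREADY_EXISTS (20210730/dswload2-326)",
    r"[    0.320712] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20210730/psobject-220)",
    r"[    0.320717] ACPI: Skipping parse of AML opcode: Method (0x0014)",
    r"[    0.320720] ACPI BIOS Error (bug): Failure creating named object [\_SB.PCI0.XHC.RHUB.GUPC], AE_ALREADY_EXISTS (20210730/dswload2-326)",
    r"[    0.320727] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20210730/psobject-220)",
    r"[    0.320731] ACPI: Skipping parse of AML opcode: Method (0x0014)",
    r"[    0.320734] ACPI BIOS Error (bug): Failure creating named object [\_SB.PCI0.XHC.RHUB.TUPC], AE_ALREADY_EXISTS (20210730/dswload2-326)",
    r"[    0.320741] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20210730/psobject-220)",
    r"[    0.320745] ACPI: Skipping parse of AML opcode: Method (0x0014)",
    r"[    0.320793] ACPI BIOS Error (bug): Failure creating named object [\_SB.PCI0.XHC.RHUB.HS01._UPC], AE_ALREADY_EXISTS (20210730/dswload2-326)",
    r"[    0.320801] ACPI Error: AE_ALREADY_EXISTS, During name lookup/catalog (20210730/psobject-220)",
    r"[    0.320806] ACPI: Skipping parse of AML opcode: Method (0x0014)",
])

# dmesg prefix: "[    0.320650] <message>"
LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<msg>.*)$")
# "Failure creating named object [<path>], AE_xxx (<acpica version>/<module-line>)"
NAMED_OBJ_RE = re.compile(r"ACPI BIOS Error \(bug\): Failure creating named object "
                          r"\[(?P<path>[^\]]+)\], (?P<status>AE_[A-Z_]+) \((?P<ver>\d{8})/(?P<loc>[\w-]+)\)")
# "ACPI Error: AE_xxx, <detail> (<acpica version>/<module-line>)"
ACPI_ERR_RE = re.compile(r"ACPI Error: (?P<status>AE_[A-Z_]+), (?P<detail>.+?) \((?P<ver>\d{8})/(?P<loc>[\w-]+)\)")
# "ACPI: Skipping parse of AML opcode: Method (0x0014)"
SKIP_RE = re.compile(r"ACPI: Skipping parse of AML opcode: (?P<opcode>\w+) \((?P<code>0x[0-9A-Fa-f]+)\)")


@dataclass
class AcpiEvent:
    ts: float
    kind: str                        # "named_object", "error" or "skip"
    status: Optional[str] = None     # ACPICA status name, e.g. AE_ALREADY_EXISTS
    path: Optional[str] = None       # namespace path, e.g. \_SB.PCI0.XHC.RHUB.GPLD
    location: Optional[str] = None   # ACPICA module-line, e.g. dswload2-326
    version: Optional[str] = None    # ACPICA version date, e.g. 20210730
    detail: Optional[str] = None


def parse_dmesg(text: str) -> list[AcpiEvent]:
    """Turn raw dmesg lines into structured ACPI events; non-ACPI lines are ignored."""
    events: list[AcpiEvent] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = float(m["ts"]), m["msg"]
        if n := NAMED_OBJ_RE.search(msg):
            events.append(AcpiEvent(ts, "named_object", n["status"], n["path"], n["loc"], n["ver"]))
        elif e := ACPI_ERR_RE.search(msg):
            events.append(AcpiEvent(ts, "error", e["status"], None, e["loc"], e["ver"], e["detail"]))
        elif s := SKIP_RE.search(msg):
            events.append(AcpiEvent(ts, "skip", detail=f"{s['opcode']} {s['code']}"))
    return events


def summarize(events: list[AcpiEvent]) -> dict:
    """Aggregate the events into the view a triager wants first: which names, under which scope."""
    dup = [e for e in events if e.kind == "named_object" and e.status == "AE_ALREADY_EXISTS"]
    by_scope: dict[str, list[str]] = defaultdict(list)
    for e in dup:
        scope, _, leaf = e.path.rpartition(".")   # \_SB.PCI0.XHC.RHUB.GPLD -> (\_SB.PCI0.XHC.RHUB, GPLD)
        by_scope[scope].append(leaf)
    return {
        "status_counts": dict(Counter(e.status for e in events if e.status)),
        "duplicate_objects": [e.path for e in dup],
        "by_scope": {scope: sorted(leaves) for scope, leaves in by_scope.items()},
        "skipped_opcodes": dict(Counter(e.detail for e in events if e.kind == "skip")),
        "acpica_versions": sorted({e.version for e in events if e.version}),
    }


def triage(summary: dict) -> list[str]:
    """Plain-language findings derived only from what the log states."""
    findings = []
    n = len(summary["duplicate_objects"])
    if n:
        findings.append(f"{n} named object(s) already existed in the namespace when the AML tried to "
                        f"create them again (ACPICA {', '.join(summary['acpica_versions'])})")
        for scope, leaves in summary["by_scope"].items():
            findings.append(f"  scope {scope}: {', '.join(leaves)}")
    skips = sum(summary["skipped_opcodes"].values())
    if skips:
        findings.append(f"{skips} conflicting AML opcode(s) skipped by the interpreter: {summary['skipped_opcodes']}")
    return findings


if __name__ == "__main__":
    # Read a real log from stdin ("dmesg | python3 acpi_triage.py"), else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    for line in triage(summarize(parse_dmesg(text))):
        print(line)
```

On the sample, all five failed objects land under the same parent scope (`\_SB.PCI0.XHC.RHUB`, plus one under its `HS01` port), which narrows the tables to inspect to whichever DSDT or SSDT declares that USB root-hub scope. Grouping by scope this way is the first thing to do before comparing the ACPI tables dumped from a given boot against the vendor's original firmware image.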


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
