That is only if your device has a way to communicate with the motherboard. In Windows, there is something. In Linux, only if you install something like fwupd. If you have KDE Discover, GNOME Software or GNOME Firmware, you already have it. I don’t.
And seems like if you have shim enabled, fwupd can sign the UEFI rootkit for you. I would say that SB could prevent dumb rootkits from exploiting your system and installing themselves into your UEFI, but if someone is writing a rootkit for each and every motherboard, don’t you think they will make it smart enough to look for your key to sign itself, in absence of shim?
The answer is yes, SB could prevent a rootkit from being installed in the UEFI if the malware is dumb, but it’s still up to you to keep your key somewhere safe, maybe on the same USB / SD that you plug to boot your machine. But your computing experience is going to be awful. Threat levels have to be balanced with convenience a little. Are you going to kep your boot partition unmounted and unplugged at all times? And if you have a kernel rootkit that resides on your system that wants to install itself in your UEFI, if you don’t know you are infected, at some point the rootkit can take over your keys when you reboot your PC and your boot partition is plugged in, before you get to unmount /boot.
Let’s say that you thought about it and keep your keys on another USB, so that the keys are only available when you want to do a firmware update, because you got a notification that there are new firmware available to install, either actually true, or just a fake prompt from the malware. You are already infected, the malware is there waiting, once you plug your USB and mount it, it’s game over for your UEFI.
Lastly, this wall of defense depends on humans to take action, which is not very promising. If you know there are firmware updates, before you plug your USB with the signature keys, you have to look through the list of running processes on your machine and see what is running. I have seen cryptominers in the past (thankfully not on my systems, I was not infected in years at this point) that were named “dnsmasq” and “dhcpcd” that would install themselves in /tmp. A smart rootkit would not be named “thunder-rootkit” or “fire-malware” or “firmware-conqueror,” it would also be named something inconspicuous. So you would have to look through your list of programs running and know which ones you have installed and which ones you didn’t, and know which ones came bundled as dependencies.
Of course, you could take a note of every one of these and put it in a notepad, or a software that draws a dependency tree for you, and you would have to compare the list of running processes with your list of known processes. It could maybe even be automated to get as output the processes that are not in the list. But the constant verification process and list update is going to be a big endeavor.
And you’d have to do this check every time there is a firmware update. It can technically be doable, but humans are unreliable, they make mistakes, they may not notice all the programs, they may not memorize the exact list they have installed, or could say just one time “I always check for this and never have had a sketchy program running, it should be fine, I won’t be looking, let’s just update” and get the UEFI infected.
And that is even assuming that you can see it in
ps. I believe kernel modules don’t show themselves there, so you would probably also have to look into
lsmod / /proc/modules and /lib/modules and keep track of what gets added there.
I would say that if you are unfortunate enough to get a rootkit, you are out of luck. That’s the whole problem with rootkits, you cannot detect them and when you do, it’s already too late.
Instead of taking the steps above, if I were you, I would just improve my usual computer hygiene and only install FOSS, avoid all proprietary garbage at all costs, don’t download shady stuff and don’t click on suspicious links. I have done this for many years and I have been fine. The above lowered my chance of getting any malware, not to mention rootkits. And I have only been using ARM as my daily driver for almost a year now, I think. I used to have 2 UEFI systems with Intel and 1 BIOS system with AMD. One UEFI was running Linux, one Windows and the BIOS one also Windows. I was keeping them all on pretty constantly and using them often, but I almost never installed software on them, just updated them and that’s about it. I am not aware of having had any malware on any of these systems, and even if I hypothetically did, it never affected me and my computing experience.