fwupd/plugins/uefi-dbx
Richard Hughes 1abb32c623 uefi-dbx: Validate the dbx update is safe to apply
To do this mount all ESP partitions and check all the binaries there to see if
they match any entries in the new dbx. If we applied the update when a hash
matched, we would unintentionally 'brick' the user's machine, as the grub and shim
binaries *have* to be updated first.

This functionality does reimplement the PE hashing functionality found in
sbsigntools and pesign. This was done for 4 main reasons:

 * There were some memory safety issues found when fuzzing random binaries
 * Executing the tools hundreds of times was a lot of overhead
 * Operating from a blob of immutable mmap'd memory is much faster
 * We only need a very small amount of functionality from both tools
2020-08-17 15:59:02 +01:00
fuzzing uefi-dbx: Add a plugin that analyses the UEFI dbx variable 2020-05-07 16:59:36 +01:00
tests uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
create-fuzzing-targets.py uefi-dbx: Add a plugin that analyses the UEFI dbx variable 2020-05-07 16:59:36 +01:00
fu-dbxtool.c uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
fu-efi-image.c uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
fu-efi-image.h uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
fu-efi-signature-common.c uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
fu-efi-signature-common.h uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
fu-efi-signature-list.c dbxtool: List the checksums correctly for multiple EFI_SIGNATURE_LISTs 2020-08-13 21:19:10 +01:00
fu-efi-signature-list.h dbxtool: List the checksums correctly for multiple EFI_SIGNATURE_LISTs 2020-08-13 21:19:10 +01:00
fu-efi-signature-parser.c dbxtool: List the checksums correctly for multiple EFI_SIGNATURE_LISTs 2020-08-13 21:19:10 +01:00
fu-efi-signature-parser.h dbxtool: List the checksums correctly for multiple EFI_SIGNATURE_LISTs 2020-08-13 21:19:10 +01:00
fu-efi-signature.c uefi-dbx: Allow updating the dbx using the LVFS 2020-08-14 13:22:53 +01:00
fu-efi-signature.h uefi-dbx: Allow updating the dbx using the LVFS 2020-08-14 13:22:53 +01:00
fu-fuzzer.c dbxtool: List the checksums correctly for multiple EFI_SIGNATURE_LISTs 2020-08-13 21:19:10 +01:00
fu-plugin-uefi-dbx.c uefi-dbx: Allow updating the dbx using the LVFS 2020-08-14 13:22:53 +01:00
fu-self-test.c uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
fu-uefi-dbx-common.c uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
fu-uefi-dbx-common.h uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
fu-uefi-dbx-device.c uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
fu-uefi-dbx-device.h uefi-dbx: Allow updating the dbx using the LVFS 2020-08-14 13:22:53 +01:00
meson.build uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
README.md uefi-dbx: Allow updating the dbx using the LVFS 2020-08-14 13:22:53 +01:00

UEFI dbx Support

Introduction

Updating the UEFI revocation database prevents starting EFI binaries with known security issues, and is typically no longer done from a firmware update due to the risk of the machine being "bricked" if the bootloader is not updated first.

This plugin also checks if the UEFI dbx contains all the most recent revoked checksums. The result will be stored in a security attribute for HSI.

Firmware Format

The daemon will decompress the cabinet archive and extract a firmware blob in EFI_SIGNATURE_LIST format.

See https://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_6.pdf for details.

This plugin supports the following protocol ID:

  • org.uefi.dbx
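
As an added illustration (not fwupd's own parser), the following C sketch walks a blob of concatenated EFI_SIGNATURE_LIST structures, using the layout from the UEFI specification, and reports whether a given SHA-256 digest is listed. This is the lookup a "safe to apply" check needs once a binary's hash is known. The names `dbx_contains_sha256` and `check_sample` are hypothetical, the sample list is constructed, and computing the PE hash of an ESP binary is not shown.

```c
#include <stdint.h>
#include <string.h>

/* EFI_CERT_SHA256_GUID c1c41626-504c-4092-aca9-41f936934328, in on-disk byte order */
static const uint8_t SHA256_GUID[16] = {0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40,
                                        0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28};

static uint32_t rd32(const uint8_t *p) /* little-endian UINT32 */
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 1 if digest is listed, 0 if not, -1 if the blob is malformed. */
int dbx_contains_sha256(const uint8_t *buf, size_t len, const uint8_t digest[32])
{
    size_t off = 0;
    while (off < len) {
        const uint8_t *p = buf + off;
        if (len - off < 28)
            return -1; /* truncated 28-byte list header */
        uint32_t list_sz = rd32(p + 16), hdr_sz = rd32(p + 20), sig_sz = rd32(p + 24);
        /* sizes come from the file: bound each one before using it */
        if (list_sz < 28 || list_sz > len - off || hdr_sz > list_sz - 28 || sig_sz < 16)
            return -1;
        if ((list_sz - 28 - hdr_sz) % sig_sz != 0)
            return -1; /* body is not a whole number of entries */
        if (memcmp(p, SHA256_GUID, 16) == 0 && sig_sz == 48) {
            for (const uint8_t *s = p + 28 + hdr_sz; s < p + list_sz; s += sig_sz)
                if (memcmp(s + 16, digest, 32) == 0) /* skip SignatureOwner */
                    return 1;
        }
        off += list_sz;
    }
    return 0;
}

/* Constructed sample list (digests 0xAA.. and 0xBB..); len must be <= 124. */
int check_sample(size_t len, uint8_t fill)
{
    uint8_t dbx[124] = {0}, digest[32];
    memcpy(dbx, SHA256_GUID, 16);
    dbx[16] = 124; /* SignatureListSize; SignatureHeaderSize stays 0 */
    dbx[24] = 48;  /* SignatureSize: 16-byte owner GUID + 32-byte hash */
    memset(dbx + 44, 0xAA, 32);
    memset(dbx + 92, 0xBB, 32);
    memset(digest, fill, sizeof digest);
    return dbx_contains_sha256(dbx, len, digest);
}

int main(void) { return check_sample(124, 0xAA) == 1 ? 0 : 1; }
```

Lists of other signature types (for example X.509 certificates) are skipped after their sizes are validated, and a malformed blob is reported as an error so it is never read as "no match".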

GUID Generation

These devices use a GUID constructed from the uppercase SHA256 of the X509 certificates found in the system KEK and, optionally, the EFI architecture, e.g.

  • UEFI\CRT_{sha256}
  • UEFI\CRT_{sha256}&ARCH_{arch}

...where arch is typically one of IA32, X64, ARM or AA64.

Vendor ID Security

The vendor ID is hardcoded to UEFI:Microsoft for all devices.