proxmox-mirrors/fwupd
1
0
Fork 0
mirror of https://git.proxmox.com/git/fwupd synced 2025-05-09 15:53:00 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
52441f28a4
fwupd/plugins/uefi-dbx
History
Richard Hughes 1981c63d58 Remove FuFirmwareImage and just use FuFirmware instead 
This allows us to 'nest' firmware formats, and removes a ton of duplication.

The aim here is to deprecate FuFirmwareImage -- it's almost always acting
as a 'child' FuFirmware instance, and even copies most of the vfuncs to allow
custom types. If I'm struggling to work out what should be a FuFirmware and
what should be a FuFirmwareImage then a plugin author has no hope.

For simple payloads we were adding bytes into an image and then the image into
a firmware. This gets really messy when most plugins are treating the FuFirmware
*as* the binary firmware file.

The GBytes saved in the FuFirmware would be considered the payload with the
aim of not using FuFirmwareImage in the single-image case.
2021-03-09 21:14:12 +00:00
..
fuzzing uefi-dbx: Add a plugin that analyses the UEFI dbx variable 2020-05-07 16:59:36 +01:00
dbxtool.h2m Install the new dbx utility as fwupdbxtool 2020-08-18 17:34:26 +01:00
fu-dbxtool.c Remove FuFirmwareImage and just use FuFirmware instead 2021-03-09 21:14:12 +00:00
fu-efi-image.c uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
fu-efi-image.h uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
fu-plugin-uefi-dbx.c Use FWUPD_COMPILATION define to indicate an in tree build 2021-01-22 14:01:25 -06:00
fu-self-test.c libfwupdplugin: Subclass FuFirmware in FuEfiSignatureList 2021-01-05 14:45:31 +00:00
fu-uefi-dbx-common.c Remove FuFirmwareImage and just use FuFirmware instead 2021-03-09 21:14:12 +00:00
fu-uefi-dbx-common.h libfwupdplugin: Subclass FuFirmware in FuEfiSignatureList 2021-01-05 14:45:31 +00:00
fu-uefi-dbx-device.c Remove FuFirmwareImage and just use FuFirmware instead 2021-03-09 21:14:12 +00:00
fu-uefi-dbx-device.h uefi-dbx: Allow updating the dbx using the LVFS 2020-08-14 13:22:53 +01:00
meson.build Move the plugin build logic to the plugins themselves 2021-02-18 14:46:20 +00:00
README.md Add a new internal flag to opt-in to GUID matching 2021-02-25 15:47:25 +00:00

README.md

UEFI dbx Support

Introduction

Updating the UEFI revocation database prevents starting EFI binaries with known security issues, and is typically no longer done from a firmware update due to the risk of the machine being "bricked" if the bootloader is not updated first.

This plugin also checks if the UEFI dbx contains all the most recent revoked checksums. The result will be stored in an security attribute for HSI.

Firmware Format

The daemon will decompress the cabinet archive and extract a firmware blob in EFI_SIGNATURE_LIST format.

See https://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_6.pdf for details.

This plugin supports the following protocol ID:

  • org.uefi.dbx

GUID Generation

These devices use the GUID constructed of the uppercase SHA256 of the X509 certificates found in the system KEK and optionally the EFI architecture. e.g.

  • UEFI\CRT_{sha256}
  • UEFI\CRT_{sha256}&ARCH_{arch}

...where arch is typically one of IA32, X64, ARM or AA64

Update Behavior

The firmware is deployed when the machine is in normal runtime mode, but it is only activated when the system is restarted.

Vendor ID Security

The vendor ID is hardcoded to UEFI:Microsoft for all devices.

External interface access

This plugin requires:

  • read/write access to /sys/firmware/efi/efivars