mirror of
https://git.proxmox.com/git/fwupd
synced 2025-05-28 09:39:05 +00:00
078beafb2d
It is far too easy to forget to set FWUPD_DEVICE_FLAG_NO_GUID_MATCHING for new
plugins, and without it it all works really well *until* a user has two devices
of the same type installed at the same time and then one 'disappears' for hard
to explain reasons. Typically we only need it for replug anyway!
Explicitly opt-in to this rarely-required behaviour, with the default to just
use the physical and logical IDs. Also document the update behavior for each
plugin to explain why the flag is being used.
This allows you to have two identical Unifying plugged in without one of them
being hidden from the user, at the same time allowing a HIDRAW<->USB transition
when going to and from bootloader and runtime modes.
This removes the workaround added in 99eb3f06b6.
Fixes https://github.com/fwupd/fwupd/issues/2915
54 lines
1.4 KiB
Markdown
54 lines
1.4 KiB
Markdown
UEFI dbx Support
|
|
================
|
|
|
|
Introduction
|
|
------------
|
|
|
|
Updating the UEFI revocation database prevents starting EFI binaries with known
|
|
security issues, and is typically no longer done from a firmware update due to
|
|
the risk of the machine being "bricked" if the bootloader is not updated first.
|
|
|
|
This plugin also checks if the UEFI dbx contains all the most recent revoked
|
|
checksums. The result will be stored in an security attribute for HSI.
|
|
|
|
Firmware Format
|
|
---------------
|
|
|
|
The daemon will decompress the cabinet archive and extract a firmware blob in
|
|
EFI_SIGNATURE_LIST format.
|
|
|
|
See https://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_6.pdf
|
|
for details.
|
|
|
|
This plugin supports the following protocol ID:
|
|
|
|
* org.uefi.dbx
|
|
|
|
GUID Generation
|
|
---------------
|
|
|
|
These devices use the GUID constructed of the uppercase SHA256 of the X509
|
|
certificates found in the system KEK and optionally the EFI architecture. e.g.
|
|
|
|
* `UEFI\CRT_{sha256}`
|
|
* `UEFI\CRT_{sha256}&ARCH_{arch}`
|
|
|
|
...where `arch` is typically one of `IA32`, `X64`, `ARM` or `AA64`
|
|
|
|
Update Behavior
|
|
---------------
|
|
|
|
The firmware is deployed when the machine is in normal runtime mode, but it is
|
|
only activated when the system is restarted.
|
|
|
|
Vendor ID Security
|
|
------------------
|
|
|
|
The vendor ID is hardcoded to `UEFI:Microsoft` for all devices.
|
|
|
|
|
|
External interface access
|
|
-------------------------
|
|
This plugin requires:
|
|
* read/write access to `/sys/firmware/efi/efivars`
|