mirror of
https://git.proxmox.com/git/fwupd
synced 2025-05-22 10:51:01 +00:00
48 lines
1.3 KiB
Markdown
48 lines
1.3 KiB
Markdown
UEFI dbx Support
|
|
================
|
|
|
|
Introduction
|
|
------------
|
|
|
|
Updating the UEFI revocation database prevents starting EFI binaries with known
|
|
security issues, and is typically no longer done from a firmware update due to
|
|
the risk of the machine being "bricked" if the bootloader is not updated first.
|
|
|
|
This plugin also checks if the UEFI dbx contains all the most recent revoked
|
|
checksums. The result will be stored in an security attribute for HSI.
|
|
|
|
Firmware Format
|
|
---------------
|
|
|
|
The daemon will decompress the cabinet archive and extract a firmware blob in
|
|
EFI_SIGNATURE_LIST format.
|
|
|
|
See https://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_6.pdf
|
|
for details.
|
|
|
|
This plugin supports the following protocol ID:
|
|
|
|
* org.uefi.dbx
|
|
|
|
GUID Generation
|
|
---------------
|
|
|
|
These devices use the GUID constructed of the uppercase SHA256 of the X509
|
|
certificates found in the system KEK and optionally the EFI architecture. e.g.
|
|
|
|
* `UEFI\CRT_{sha256}`
|
|
* `UEFI\CRT_{sha256}&ARCH_{arch}`
|
|
|
|
...where `arch` is typically one of `IA32`, `X64`, `ARM` or `AA64`
|
|
|
|
Vendor ID Security
|
|
------------------
|
|
|
|
The vendor ID is hardcoded to `UEFI:Microsoft` for all devices.
|
|
|
|
|
|
External interface access
|
|
-------------------------
|
|
This plugin requires:
|
|
* read/write access to `/sys/firmware/efi/efivars`
|