c4bc709359
This prevents problems when cross compiling. Using help2man is now also of limited use; if we can just tell the user to use --help we do not need to keep the manual in sync. It also allows us to drop the several other supporting files that we use when the help2man output isn't actually that useful. Fixes https://github.com/fwupd/fwupd/issues/3025 |
||
|---|---|---|
| .. | ||
| fuzzing | ||
| dbxtool.1 | ||
| fu-dbxtool.c | ||
| fu-efi-image.c | ||
| fu-efi-image.h | ||
| fu-plugin-uefi-dbx.c | ||
| fu-self-test.c | ||
| fu-uefi-dbx-common.c | ||
| fu-uefi-dbx-common.h | ||
| fu-uefi-dbx-device.c | ||
| fu-uefi-dbx-device.h | ||
| meson.build | ||
| README.md | ||
UEFI dbx Support
Introduction
Updating the UEFI revocation database prevents starting EFI binaries with known security issues, and is typically no longer done from a firmware update due to the risk of the machine being "bricked" if the bootloader is not updated first.
This plugin also checks if the UEFI dbx contains all the most recent revoked checksums. The result will be stored in an security attribute for HSI.
Firmware Format
The daemon will decompress the cabinet archive and extract a firmware blob in EFI_SIGNATURE_LIST format.
See https://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_6.pdf for details.
This plugin supports the following protocol ID:
- org.uefi.dbx
GUID Generation
These devices use the GUID constructed of the uppercase SHA256 of the X509 certificates found in the system KEK and optionally the EFI architecture. e.g.
UEFI\CRT_{sha256}UEFI\CRT_{sha256}&ARCH_{arch}
...where arch is typically one of IA32, X64, ARM or AA64
Update Behavior
The firmware is deployed when the machine is in normal runtime mode, but it is only activated when the system is restarted.
Vendor ID Security
The vendor ID is hardcoded to UEFI:Microsoft for all devices.
External interface access
This plugin requires:
- read/write access to
/sys/firmware/efi/efivars