proxmox-mirrors/fwupd
1
0
Fork 0
mirror of https://git.proxmox.com/git/fwupd synced 2026-03-28 09:59:03 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
e6dea87cb0
fwupd/plugins/uefi-dbx
History
Richard Hughes c4ca8e25d1 Use honggfuzz to fuzz firmware rather than AFL 
This has better multi-core performance and can run in persistent mode -- which
allows us to construct a test harness of all the parsers (which takes time) and
then just reuse the process for lots of different data.
2020-12-11 09:37:42 +00:00
..
fuzzing uefi-dbx: Add a plugin that analyses the UEFI dbx variable 2020-05-07 16:59:36 +01:00
create-fuzzing-targets.py uefi-dbx: Add a plugin that analyses the UEFI dbx variable 2020-05-07 16:59:36 +01:00
dbxtool.h2m Install the new dbx utility as fwupdbxtool 2020-08-18 17:34:26 +01:00
fu-dbxtool.c Mark more user-visible strings as translatable 2020-11-29 07:09:31 +00:00
fu-efi-image.c uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
fu-efi-image.h uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
fu-efi-signature-common.c uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
fu-efi-signature-common.h uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
fu-efi-signature-list.c dbxtool: List the checksums correctly for multiple EFI_SIGNATURE_LISTs 2020-08-13 21:19:10 +01:00
fu-efi-signature-list.h dbxtool: List the checksums correctly for multiple EFI_SIGNATURE_LISTs 2020-08-13 21:19:10 +01:00
fu-efi-signature-parser.c uefi-dbx: Fix a trivial buffer over-read when fuzzing 2020-12-08 20:50:55 +00:00
fu-efi-signature-parser.h dbxtool: List the checksums correctly for multiple EFI_SIGNATURE_LISTs 2020-08-13 21:19:10 +01:00
fu-efi-signature.c uefi-dbx: Allow updating the dbx using the LVFS 2020-08-14 13:22:53 +01:00
fu-efi-signature.h uefi-dbx: Allow updating the dbx using the LVFS 2020-08-14 13:22:53 +01:00
fu-fuzzer.c dbxtool: List the checksums correctly for multiple EFI_SIGNATURE_LISTs 2020-08-13 21:19:10 +01:00
fu-plugin-uefi-dbx.c Include the amount of NVRAM size in use in the LVFS failure report 2020-10-27 13:58:40 +00:00
fu-self-test.c Install the installed tests 2020-08-28 10:10:43 -05:00
fu-uefi-dbx-common.c uefi-dbx: Do not upload a failure report for a failed dbx check 2020-09-29 13:15:50 +01:00
fu-uefi-dbx-common.h Remove support for UEFI dbx security attribute 2020-08-19 07:38:51 +01:00
fu-uefi-dbx-device.c trivial: Set FWUPD_STATUS_DECOMPRESSING when preparing firmware 2020-09-08 14:18:46 +01:00
fu-uefi-dbx-device.h uefi-dbx: Allow updating the dbx using the LVFS 2020-08-14 13:22:53 +01:00
meson.build Use honggfuzz to fuzz firmware rather than AFL 2020-12-11 09:37:42 +00:00
README.md Add external interface messages 2020-10-26 12:05:20 -05:00

README.md

UEFI dbx Support

Introduction

Updating the UEFI revocation database prevents starting EFI binaries with known security issues, and is typically no longer done from a firmware update due to the risk of the machine being "bricked" if the bootloader is not updated first.

This plugin also checks if the UEFI dbx contains all the most recent revoked checksums. The result will be stored in an security attribute for HSI.

Firmware Format

The daemon will decompress the cabinet archive and extract a firmware blob in EFI_SIGNATURE_LIST format.

See https://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_6.pdf for details.

This plugin supports the following protocol ID:

  • org.uefi.dbx

GUID Generation

These devices use the GUID constructed of the uppercase SHA256 of the X509 certificates found in the system KEK and optionally the EFI architecture. e.g.

  • UEFI\CRT_{sha256}
  • UEFI\CRT_{sha256}&ARCH_{arch}

...where arch is typically one of IA32, X64, ARM or AA64

Vendor ID Security

The vendor ID is hardcoded to UEFI:Microsoft for all devices.

External interface access

This plugin requires:

  • read/write access to /sys/firmware/efi/efivars