fwupd/plugins/uefi-dbx
Richard Hughes eddaed0c11 Allow specifying more than one VendorID for a device
Asking the user for the UID mapping isn't working very well, as it requires lots
of manual handholding. It also doesn't work very well when the device vendor
does not actually have a PCI ID or if the vendor has split into two entities.

Just use the OUI address as an additional VendorID and match any of the device
IDs against any of the metadata-supplied values.
2021-01-04 22:30:20 +00:00
fuzzing uefi-dbx: Add a plugin that analyses the UEFI dbx variable 2020-05-07 16:59:36 +01:00
create-fuzzing-targets.py uefi-dbx: Add a plugin that analyses the UEFI dbx variable 2020-05-07 16:59:36 +01:00
dbxtool.h2m Install the new dbx utility as fwupdbxtool 2020-08-18 17:34:26 +01:00
fu-dbxtool.c Mark more user-visible strings as translatable 2020-11-29 07:09:31 +00:00
fu-efi-image.c uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
fu-efi-image.h uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
fu-efi-signature-common.c uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
fu-efi-signature-common.h uefi-dbx: Validate the dbx update is safe to apply 2020-08-17 15:59:02 +01:00
fu-efi-signature-list.c dbxtool: List the checksums correctly for multiple EFI_SIGNATURE_LISTs 2020-08-13 21:19:10 +01:00
fu-efi-signature-list.h dbxtool: List the checksums correctly for multiple EFI_SIGNATURE_LISTs 2020-08-13 21:19:10 +01:00
fu-efi-signature-parser.c uefi-dbx: Fix a trivial buffer over-read when fuzzing 2020-12-08 20:50:55 +00:00
fu-efi-signature-parser.h dbxtool: List the checksums correctly for multiple EFI_SIGNATURE_LISTs 2020-08-13 21:19:10 +01:00
fu-efi-signature.c uefi-dbx: Allow updating the dbx using the LVFS 2020-08-14 13:22:53 +01:00
fu-efi-signature.h uefi-dbx: Allow updating the dbx using the LVFS 2020-08-14 13:22:53 +01:00
fu-fuzzer.c dbxtool: List the checksums correctly for multiple EFI_SIGNATURE_LISTs 2020-08-13 21:19:10 +01:00
fu-plugin-uefi-dbx.c Include the amount of NVRAM size in use in the LVFS failure report 2020-10-27 13:58:40 +00:00
fu-self-test.c Install the installed tests 2020-08-28 10:10:43 -05:00
fu-uefi-dbx-common.c uefi-dbx: Do not upload a failure report for a failed dbx check 2020-09-29 13:15:50 +01:00
fu-uefi-dbx-common.h Remove support for UEFI dbx security attribute 2020-08-19 07:38:51 +01:00
fu-uefi-dbx-device.c Allow specifying more than one VendorID for a device 2021-01-04 22:30:20 +00:00
fu-uefi-dbx-device.h uefi-dbx: Allow updating the dbx using the LVFS 2020-08-14 13:22:53 +01:00
meson.build Use honggfuzz to fuzz firmware rather than AFL 2020-12-11 09:37:42 +00:00
README.md Add external interface messages 2020-10-26 12:05:20 -05:00

UEFI dbx Support

Introduction

Updating the UEFI revocation database (dbx) prevents the firmware from starting EFI binaries whose checksums or signing certificates have been revoked because of known security issues. This is typically no longer done from a firmware update: if the dbx is updated before the bootloader, the already-installed bootloader is itself revoked and Secure Boot refuses to start it, leaving the machine "bricked", so the bootloader has to be updated first.

This plugin also checks whether the UEFI dbx contains all of the most recently revoked checksums. The result is stored in a security attribute for HSI.

Firmware Format

The daemon decompresses the cabinet archive and extracts a firmware blob in EFI_SIGNATURE_LIST format: one or more EFI_SIGNATURE_LIST headers, each followed by the EFI_SIGNATURE_DATA entries whose count and size the header declares.

See https://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_6.pdf for details.
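As an added example (not code from fwupd or this plugin), the following C program parses a blob in EFI_SIGNATURE_LIST format and lists its entries the way a dbx listing tool would. The two type GUIDs are the standard EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID from the UEFI specification; every function name and the sample blob produced by build_sample_dbx are constructed for this illustration and are not a real dbx update. Because every length field in the blob is untrusted input, each one is checked against the bytes actually remaining before it is used, which is the class of over-read that fuzzing a signature-list parser tends to surface.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUID_LEN 16
#define ESL_HDR  28   /* SignatureType GUID + SignatureListSize + SignatureHeaderSize + SignatureSize */

/* Standard UEFI signature-type GUIDs, in on-disk (mixed-endian) byte order. */
static const uint8_t EFI_CERT_SHA256_GUID[GUID_LEN] = {   /* c1c41626-504c-4092-aca9-41f936934328 */
    0x26,0x16,0xc4,0xc1, 0x4c,0x50, 0x92,0x40, 0xac,0xa9, 0x41,0xf9,0x36,0x93,0x43,0x28 };
static const uint8_t EFI_CERT_X509_GUID[GUID_LEN] = {     /* a5c059a1-94e4-4aa7-87b5-ab155c2bf072 */
    0xa1,0x59,0xc0,0xa5, 0xe4,0x94, 0xa7,0x4a, 0x87,0xb5, 0xab,0x15,0x5c,0x2b,0xf0,0x72 };
typedef enum { SIG_SHA256, SIG_X509, SIG_OTHER } sig_kind_t;
/* One EFI_SIGNATURE_DATA: the SignatureData bytes that follow its 16-byte SignatureOwner GUID. */
typedef struct { sig_kind_t kind; const uint8_t *data; size_t len; } sig_entry_t;
static uint32_t rd_le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Walk every EFI_SIGNATURE_LIST in blob and append each EFI_SIGNATURE_DATA to out. Returns the
 * entry count, or -1 if a declared size does not fit the bytes present: each length is checked
 * against the remaining input before it is used, so a truncated or hostile blob cannot over-read. */
int efi_siglist_parse(const uint8_t *blob, size_t blob_len, sig_entry_t *out, size_t max_out) {
    size_t off = 0, n = 0;
    while (off < blob_len) {
        if (blob_len - off < ESL_HDR) return -1;
        const uint8_t *hdr = blob + off;
        uint32_t list_size = rd_le32(hdr + 16);   /* whole list, header included */
        uint32_t hdr_size  = rd_le32(hdr + 20);   /* type-specific header; 0 for these types */
        uint32_t sig_size  = rd_le32(hdr + 24);   /* SignatureOwner GUID + SignatureData */
        if (list_size < ESL_HDR || list_size > blob_len - off) return -1;
        if (hdr_size > list_size - ESL_HDR) return -1;
        size_t body = list_size - ESL_HDR - hdr_size;
        if (sig_size <= GUID_LEN || body % sig_size != 0) return -1;
        sig_kind_t kind = SIG_OTHER;
        if (memcmp(hdr, EFI_CERT_SHA256_GUID, GUID_LEN) == 0) {
            if (sig_size != GUID_LEN + 32) return -1;   /* a SHA-256 entry is exactly 48 bytes */
            kind = SIG_SHA256;
        } else if (memcmp(hdr, EFI_CERT_X509_GUID, GUID_LEN) == 0) {
            kind = SIG_X509;
        }
        const uint8_t *sig = hdr + ESL_HDR + hdr_size;
        for (size_t i = 0; i < body / sig_size; i++, sig += sig_size) {
            if (n >= max_out) return -1;
            out[n].kind = kind; out[n].data = sig + GUID_LEN; out[n].len = sig_size - GUID_LEN;
            n++;
        }
        off += list_size;
    }
    return (int)n;
}

/* Lowercase hex of len bytes into out (2*len+1 bytes); sprintf supplies the terminating NUL. */
void hex_encode(const uint8_t *d, size_t len, char *out) {
    for (size_t i = 0; i < len; i++) sprintf(out + 2 * i, "%02x", d[i]);
}

/* Serialise one EFI_SIGNATURE_LIST of `count` entries, data_len bytes each, read back to back from data. */
static size_t esl_append(uint8_t *dst, const uint8_t *type, const uint8_t *data, size_t data_len, size_t count) {
    size_t sig_size = GUID_LEN + data_len, list_size = ESL_HDR + count * sig_size;
    memcpy(dst, type, GUID_LEN);
    wr_le32(dst + 16, (uint32_t)list_size); wr_le32(dst + 20, 0); wr_le32(dst + 24, (uint32_t)sig_size);
    uint8_t *p = dst + ESL_HDR;
    for (size_t i = 0; i < count; i++, p += sig_size) {
        memset(p, 0, GUID_LEN);   /* SignatureOwner is informational only; zero it */
        memcpy(p + GUID_LEN, data + i * data_len, data_len);
    }
    return list_size;
}

/* Constructed sample (not a real dbx update): two SHA-256 hashes (bytes 00..1f and 20..3f),
 * then one X.509 entry whose four placeholder bytes are not a certificate. Writes 172 bytes. */
size_t build_sample_dbx(uint8_t *buf) {
    static const uint8_t fake_cert[4] = { 0x30, 0x82, 0x01, 0x00 };
    uint8_t hashes[64];
    for (int i = 0; i < 64; i++) hashes[i] = (uint8_t)i;
    size_t len = esl_append(buf, EFI_CERT_SHA256_GUID, hashes, 32, 2);
    return len + esl_append(buf + len, EFI_CERT_X509_GUID, fake_cert, sizeof fake_cert, 1);
}

/* Parse the sample with `drop` trailing bytes removed: the entry count, or -1 when rejected. */
int demo_entry_count(size_t drop) {
    uint8_t buf[256]; sig_entry_t e[8]; size_t len = build_sample_dbx(buf);
    return efi_siglist_parse(buf, drop < len ? len - drop : 0, e, 8);
}

/* Hex of sample entry idx, as a dbx listing tool would print it ("" if idx is out of range). */
const char *demo_entry_hex(size_t idx) {
    static char hex[2 * 256 + 1]; uint8_t buf[256]; sig_entry_t e[8];
    int n = efi_siglist_parse(buf, build_sample_dbx(buf), e, 8);
    if (n < 0 || idx >= (size_t)n) return "";
    hex_encode(e[idx].data, e[idx].len, hex);
    return hex;
}

int main(void) {
    int n = demo_entry_count(0);
    for (int i = 0; i < n; i++) printf("entry %d: %s\n", i, demo_entry_hex((size_t)i));
    printf("one byte truncated -> %d\n", demo_entry_count(1));   /* -1: rejected rather than over-read */
    return n < 0;
}
```

Build with `cc -std=c99 -Wall esl.c`. To run the parser over the live database instead of the constructed sample, read `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and skip its first four bytes, which efivarfs prepends as the variable attributes, before passing the remainder to `efi_siglist_parse`; the strict `body % sig_size` check deliberately rejects a list whose declared entry size does not divide its body, rather than silently reading a partial trailing entry.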

This plugin supports the following protocol ID:

  • org.uefi.dbx

GUID Generation

These devices use a GUID constructed from the uppercase SHA256 of each X509 certificate found in the system KEK, optionally combined with the EFI architecture, e.g.

  • UEFI\CRT_{sha256}
  • UEFI\CRT_{sha256}&ARCH_{arch}

...where arch is typically one of IA32, X64, ARM or AA64.

Vendor ID Security

The vendor ID is hardcoded to UEFI:Microsoft for all devices.

External interface access

This plugin requires:

  • read/write access to /sys/firmware/efi/efivars