proxmox-mirrors/fwupd
1
0
Fork 0
mirror of https://git.proxmox.com/git/fwupd synced 2025-05-29 04:52:15 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
f86c6add5f
fwupd/plugins/uefi-dbx
History
Richard Hughes 40cd18fa97 Allow using a per-device global percentage completion 
It's actually quite hard to build a front-end for fwupd at the moment
as you're never sure when the progress bar is going to zip back to 0%
and start all over again. Some plugins go 0..100% for write, others
go 0..100% for erase, then again for write, then *again* for verify.

By creating a helper object we can easily split up the progress of the
specific task, e.g. write_firmware().

We can encode at the plugin level "the erase takes 50% of the time, the
write takes 40% and the read takes 10%". This means we can have a
progressbar which goes up just once at a consistent speed.
2021-09-13 14:28:15 +01:00
..
fuzzing uefi-dbx: Add a plugin that analyses the UEFI dbx variable 2020-05-07 16:59:36 +01:00
dbxtool.1 Do not use help2man to build manual pages 2021-04-11 13:42:04 +01:00
fu-dbxtool.c trivial: reformat the whole tree to match new format 2021-08-24 11:18:40 -05:00
fu-efi-image.c trivial: reformat the whole tree to match new format 2021-08-24 11:18:40 -05:00
fu-efi-image.h trivial: reformat the whole tree to match new format 2021-08-24 11:18:40 -05:00
fu-plugin-uefi-dbx.c trivial: reformat the whole tree to match new format 2021-08-24 11:18:40 -05:00
fu-self-test.c trivial: reformat the whole tree to match new format 2021-08-24 11:18:40 -05:00
fu-uefi-dbx-common.c trivial: reformat the whole tree to match new format 2021-08-24 11:18:40 -05:00
fu-uefi-dbx-common.h trivial: reformat the whole tree to match new format 2021-08-24 11:18:40 -05:00
fu-uefi-dbx-device.c Allow using a per-device global percentage completion 2021-09-13 14:28:15 +01:00
fu-uefi-dbx-device.h trivial: reformat the whole tree to match new format 2021-08-24 11:18:40 -05:00
meson.build trivial: Add required dep for dbxtool 2021-06-15 11:45:16 +01:00
README.md trivial: update markdown for pre-commit style 2021-07-18 14:42:47 -05:00

README.md

UEFI dbx

Introduction

Updating the UEFI revocation database prevents starting EFI binaries with known security issues, and is typically no longer done from a firmware update due to the risk of the machine being "bricked" if the bootloader is not updated first.

This plugin also checks if the UEFI dbx contains all the most recent revoked checksums. The result will be stored in an security attribute for HSI.

Firmware Format

The daemon will decompress the cabinet archive and extract a firmware blob in EFI_SIGNATURE_LIST format.

See https://www.uefi.org/sites/default/files/resources/UEFI%20Spec%202_6.pdf for details.

This plugin supports the following protocol ID:

  • org.uefi.dbx

GUID Generation

These devices use the GUID constructed of the uppercase SHA256 of the X509 certificates found in the system KEK and optionally the EFI architecture. e.g.

  • UEFI\CRT_{sha256}
  • UEFI\CRT_{sha256}&ARCH_{arch}

...where arch is typically one of IA32, X64, ARM or AA64

Update Behavior

The firmware is deployed when the machine is in normal runtime mode, but it is only activated when the system is restarted.

Vendor ID Security

The vendor ID is hardcoded to UEFI:Microsoft for all devices.

External Interface Access

This plugin requires:

  • read/write access to /sys/firmware/efi/efivars