With the recent Kaspersky key issue, I did a quick check to see what the latest UEFI DBX (Secure Boot revocation file) was. It appears to have been last updated in 2016!
Where can I visit the Microsoft web site (or other online resources) to determine the latest version of the Microsoft DBX file? Currently I have to look in Peter’s dbxtool sources for a URL, hoping that the Red Hat dbxtool has the latest Microsoft DBX blob:
And that Microsoft web page is dated 2016. I would expect there to be some place on microsoft.com similar to the UEFI Forum’s UEFI Revocation File page:
Both the uefi.org and microsoft.com DBX files are still dated 2016. I would expect to see a page that lists the recent Kaspersky issue alongside a 2020 date.
Or better yet, host the Microsoft DBX file alongside the UEFI.org DBX file, on UEFI.org. Why does the UEFI CA host part of the DBX on the UEFI Forum site and part on its private company web site? It doesn’t make sense to have the DBX split into two files hosted on two different sites, one of them pretty much hidden and not discoverable.
I wish the UEFI CA would document this process. From current UEFI documentation, it would appear that the ONLY DBX file is hosted at UEFI.org, no mention about Microsoft.com blob.
I presume Microsoft OS tools have clean integration with both web sites’ DBX files, and get the latest ones from Microsoft.com when they update it. The only other OS I’m aware of which has a DBX-checking tool is Red Hat, with their dbxtool. I’m not aware of any other Linux distro that uses dbxtool.
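For anyone wanting to do the same "quick check" on a Linux box without going through dbxtool, the DBX is just a run of EFI_SIGNATURE_LIST structures, and parsing it is short. The following is an added example written for this post; it is not code from the post or from dbxtool. It follows the EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout from the UEFI specification and the two standard signature-type GUIDs (SHA-256 and X.509). Assumptions: the efivarfs path and its 4-byte attribute prefix are the standard Linux layout for the `dbx` variable; the owner GUID and the two image digests in the sample are constructed placeholders, not real CA or binary values. The signed update blobs distributed for download carry an authenticated-variable header in front of the lists that this parser does not handle; it expects the raw lists as read from efivarfs.

```python
"""Parse a UEFI DBX blob (a sequence of EFI_SIGNATURE_LIST structures).

Added example, not part of the original post or of dbxtool. Layout follows
the UEFI specification's EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA definitions.
"""
import hashlib
import struct
import uuid
from collections import Counter

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Vendor GUID shared by the db and dbx variables (EFI_IMAGE_SECURITY_DATABASE_GUID).
EFIVARS_DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
HEADER_FMT = "<16sIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes


def parse_signature_lists(blob):
    """Return (sig_type, owner_guid, data) for every EFI_SIGNATURE_DATA in blob.

    Raises ValueError on a truncated or inconsistent list instead of silently
    skipping entries: a mis-parsed revocation list is worse than no answer.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = struct.unpack_from(HEADER_FMT, blob, off)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        body = blob[off + HEADER_LEN + hdr_size: off + list_size]
        if sig_size < 16 or len(body) % sig_size != 0:
            raise ValueError(f"SignatureSize {sig_size} does not divide list body at offset {off}")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])   # SignatureOwner
            entries.append((sig_type, owner, bytes(body[i + 16:i + sig_size])))
        off += list_size
    return entries


def build_sha256_list(hashes, owner):
    """Encode SHA-256 digests as one EFI_SIGNATURE_LIST (used to construct test data)."""
    sig_size = 16 + 32  # SignatureOwner GUID + digest
    out = struct.pack(HEADER_FMT, EFI_CERT_SHA256_GUID.bytes_le,
                      HEADER_LEN + len(hashes) * sig_size, 0, sig_size)
    for h in hashes:
        if len(h) != 32:
            raise ValueError("SHA-256 digest must be 32 bytes")
        out += owner.bytes_le + h
    return out


def summarize(entries):
    """Count entries per signature type under a readable name."""
    names = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
    return Counter(names.get(t, str(t)) for t, _, _ in entries)


def is_revoked(entries, sha256_digest):
    """True if this PE Authenticode digest is listed as a SHA-256 entry."""
    return any(t == EFI_CERT_SHA256_GUID and d == sha256_digest for t, _, d in entries)


def read_efivars_dbx(path=EFIVARS_DBX_PATH):
    """Read the live dbx from efivarfs; the first 4 bytes are the variable attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample: two made-up image digests revoked under a placeholder owner GUID.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-00000000c0de")  # placeholder, not a real CA
SAMPLE_DIGESTS = [hashlib.sha256(b"constructed-image-A").digest(),
                  hashlib.sha256(b"constructed-image-B").digest()]
SAMPLE_DBX = build_sha256_list(SAMPLE_DIGESTS, SAMPLE_OWNER)

if __name__ == "__main__":
    entries = parse_signature_lists(SAMPLE_DBX)
    print(summarize(entries))
    for _, owner, digest in entries:
        print(owner, digest.hex())
```

On a real machine, `parse_signature_lists(read_efivars_dbx())` run as root lists the revoked hashes and certificates the firmware is actually enforcing, which is the figure to compare against whatever the published 2016 files contain. The parser deliberately fails hard on a malformed list rather than returning a partial result, since an under-counted DBX would give false confidence that a revocation is in place.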
MacOS has its own Secure Boot, and Apple hasn’t integrated its keys with the UEFI CA (Microsoft), but I don’t know how the Apple UEFI implementation handles DBX file(s) today, or how it will at the supposed future date when they start integrating Secure Boot keys with the rest of the UEFI ecosystem.
Pretty messed up.