Uncategorized

DBXtool has support for Microsoft dbxupdate.bin

DBXtool[1] is a tool by Peter Jones of Red Hat. So it works with Fedora, and perhaps other versions of Linux. It is an interesting tool in that it is one of the few tools that look at the UEFI SecureBoot PKI list of blacklisted keys,  that UEFI Forum occassionally updates[2]. Last year there was the Microsoft leaks Golden Keys” story, which was overblown, watch Jeremiah’s video on Youtube from the Fall 2016 UEFI Plugfest for more details. I just noticed that DBXtool has support[3] for a dbxupdate.bin file from Microsoft, separate from the UEFI.org-hosted DBX file, related to this Microsoft Golden Keys incident.

Peter’s comment from that checkin:

Add a new dbxupdate.bin
This is the dbxupdate.bin referenced in CVE-2016-3320 and
https://support.microsoft.com/en-us/kb/3179577
It’s for their bootloaders, not ours.

[1] https://github.com/rhboot/dbxtool
https://github.com/rhboot/dbxtool/commits/master
[2] http://uefi.org/revocationlistfile
http://www.uefi.org/sites/default/files/resources/dbxupdate.zip
[3] https://github.com/rhboot/dbxtool/commit/1e9334f1287c4703e7dfb40121e00d16d109e903
https://support.microsoft.com/en-us/kb/3179577
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-100
https://support.microsoft.com/en-us/help/3172729/ms16-100-description-of-the-security-update-for-secure-boot-august-9
https://firmwaresecurity.com/2016/08/18/more-on-microsoft-uefi-secure-boot-golden-key-news/
https://firmwaresecurity.com/2016/08/11/microsoft-uefi-secure-boot-key-problem/
WordPress mangles Github Gist URLs, so remove the spaces from the next URL to make it work:
https://gist.  github.com/acepace/   df34b5213f1e0fae6529eb703d947187

Some more background on UEFI SB DBX:
https://www.rodsbooks.com/efi-bootloaders/controlling-sb.html
https://habrahabr.ru/post/273497/
https://translate.google.com/translate?hl=en&sl=ru&u=https://habrahabr.ru/post/273497/&prev=search (English translation above Russian document)
https://blog.fpmurphy.com/2012/11/list-secure-boot-certificates.html
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance
https://blog.hansenpartnership.com/the-meaning-of-all-the-uefi-keys/
http://www.linuxjournal.com/content/take-control-your-pc-uefi-secure-boot
https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Configuring_Secure_Boot
https://www.insyde.com/press_news/blog/uefi-24-review-part-13-hash-certificates-used-secure-boot-revocation
https://lwn.net/Articles/706610/
http://wiki.osdev.org/UEFI#Secure_Boot

Besides Peter’s DBXtool, I’m not aware of many other tools that use the DBX file. There’s this PowerShell script:
Again, WordPress mangles Gist URLs, remove spaces to make this work:
https://gist. github.com/mattifestation/ 991a0bea355ec1dc19402cef1b0e3b6f

I wish I could point to a tool avaialble in each OS/distro that your firmware has the latest blacklist applied…

PS: Peter also works on the Shim. And he’s updated his canary:
https://blog.uncooperative.org/blog/2018/01/08/shim-info/
https://blog.uncooperative.org/shim-info-2018-01-08.txt.asc

Standard