Red Hat SummitChapter 24. Updating the Secure Boot Revocation List
Update the UEFI Secure Boot Revocation List to identify software with known security issues and prevent it from compromising the boot process.
24.1. The Secure Boot Revocation List
The UEFI Secure Boot Revocation List, or the Secure Boot Forbidden Signature Database (dbx), is a list that identifies software that Secure Boot no longer allows to run.
When a security issue or a stability problem is found in software that interfaces with Secure Boot, such as in the GRUB boot loader, the Revocation List stores its hash signature. Software with such a recognized signature cannot run during boot, and the system boot fails to prevent compromising the system.
For example, a certain version of GRUB might contain a security issue that allows an attacker to bypass the Secure Boot mechanism. When the issue is found, the Revocation List adds hash signatures of all GRUB versions that contain the issue. As a result, only secure GRUB versions can boot on the system.
The Revocation List requires regular updates to recognize newly found issues. When updating the Revocation List, make sure to use a safe update method that does not cause your currently installed system to no longer boot.
24.2. Applying an online Revocation List update
To prevent known security issues, you can update the Secure Boot Revocation List on your system. This procedure is safe and ensures that the update does not prevent your system from booting.
Prerequisites
- Secure Boot is enabled on your system.
- Your system is connected to internet for updates.
Procedure
Determine the current version of the Revocation List:
# *fwupdmgr get-devices*See the
Current versionfield underUEFI dbx.Enable the LVFS Revocation List repository:
# *fwupdmgr enable-remote lvfs*Refresh the repository metadata:
# *fwupdmgr refresh*Apply the Revocation List update:
On the command line:
# *fwupdmgr update*In the graphical interface:
- Open the Software application
- Navigate to the Updates tab.
- Find the Secure Boot dbx Configuration Update entry.
- Click .
-
At the end of the update,
fwupdmgror Software asks you to reboot the system. Confirm the reboot.
Verification
After the reboot, check the current version of the Revocation List again:
# *fwupdmgr get-devices*
24.3. Applying an offline Revocation List update
To prevent known security issues on a system with no internet connection, you can update the Secure Boot Revocation List from Red Hat Enterprise Linux. This procedure is safe and ensures that the update does not prevent your system from booting.
Procedure
Identify the current version of the Revocation List:
# *fwupdmgr get-devices*See the
Current versionfield underUEFI dbx.List the updates available from RHEL:
# *ls /usr/share/dbxtool/*Select the most recent update file for your architecture. The file names use the following format:
DBXUpdate-date-architecture.cabInstall the selected update file:
# fwupdmgr install /usr/share/dbxtool/DBXUpdate-date-architecture.cab-
At the end of the update,
fwupdmgrasks you to reboot the system. Confirm the reboot.
Verification
After the reboot, check the current version of the Revocation List again:
# *fwupdmgr get-devices*
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}