Red Hat SummitChapter 22. Updating the Secure Boot Revocation List
You can update the UEFI Secure Boot Revocation List on your system so that Secure Boot identifies software with known security issues and prevents it from compromising your boot process.
22.1. The Secure Boot Revocation List
The UEFI Secure Boot Revocation List, or the Secure Boot Forbidden Signature Database (dbx), is a list that identifies software that Secure Boot no longer allows to run.
When a security issue or a stability problem is found in software that interfaces with Secure Boot, such as in the GRUB boot loader, the Revocation List stores its hash signature. Software with such a recognized signature cannot run during boot, and the system boot fails to prevent compromising the system.
For example, a certain version of GRUB might contain a security issue that allows an attacker to bypass the Secure Boot mechanism. When the issue is found, the Revocation List adds hash signatures of all GRUB versions that contain the issue. As a result, only secure GRUB versions can boot on the system.
The Revocation List requires regular updates to recognize newly found issues. When updating the Revocation List, make sure to use a safe update method that does not cause your currently installed system to no longer boot.
22.2. Applying an online Revocation List update
You can update the Secure Boot Revocation List on your system so that Secure Boot prevents known security issues. This procedure is safe and ensures that the update does not prevent your system from booting.
Prerequisites
- Secure Boot is enabled on your system.
- Your system can access the internet for updates.
Procedure
Determine the current version of the Revocation List:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow fwupdmgr get-devices
# fwupdmgr get-devicesSee the
Current versionfield underUEFI dbx.Enable the LVFS Revocation List repository:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow fwupdmgr enable-remote lvfs
# fwupdmgr enable-remote lvfsRefresh the repository metadata:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow fwupdmgr refresh
# fwupdmgr refreshApply the Revocation List update:
On the command line:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow fwupdmgr update
# fwupdmgr updateIn the graphical interface:
- Open the Software application
- Navigate to the Updates tab.
- Find the Secure Boot dbx Configuration Update entry.
- Click .
-
At the end of the update,
fwupdmgror Software asks you to reboot the system. Confirm the reboot.
Verification
After the reboot, check the current version of the Revocation List again:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow fwupdmgr get-devices
# fwupdmgr get-devices
22.3. Applying an offline Revocation List update
On a system with no internet connection, you can update the Secure Boot Revocation List from RHEL so that Secure Boot prevents known security issues. This procedure is safe and ensures that the update does not prevent your system from booting.
Procedure
Determine the current version of the Revocation List:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow fwupdmgr get-devices
# fwupdmgr get-devicesSee the
Current versionfield underUEFI dbx.List the updates available from RHEL:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ls /usr/share/dbxtool/
# ls /usr/share/dbxtool/Select the most recent update file for your architecture. The file names use the following format:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow DBXUpdate-date-architecture.cab
DBXUpdate-date-architecture.cabInstall the selected update file:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow fwupdmgr install /usr/share/dbxtool/DBXUpdate-date-architecture.cab
# fwupdmgr install /usr/share/dbxtool/DBXUpdate-date-architecture.cab-
At the end of the update,
fwupdmgrasks you to reboot the system. Confirm the reboot.
Verification
After the reboot, check the current version of the Revocation List again:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow fwupdmgr get-devices
# fwupdmgr get-devices
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}