Red Hat SummitChapter 22. Updating the Secure Boot Revocation List
You can update the UEFI Secure Boot Revocation List on your system so that Secure Boot identifies software with known security issues and prevents it from compromising your boot process.
22.1. The Secure Boot Revocation List
The UEFI Secure Boot Revocation List, or the Secure Boot Forbidden Signature Database (dbx), is a list that identifies software that Secure Boot no longer allows to run.
When a security issue or a stability problem is found in software that interfaces with Secure Boot, such as in the GRUB boot loader, the Revocation List stores its hash signature. Software with such a recognized signature cannot run during boot, and the system boot fails to prevent compromising the system.
For example, a certain version of GRUB might contain a security issue that allows an attacker to bypass the Secure Boot mechanism. When the issue is found, the Revocation List adds hash signatures of all GRUB versions that contain the issue. As a result, only secure GRUB versions can boot on the system.
The Revocation List requires regular updates to recognize newly found issues. When updating the Revocation List, make sure to use a safe update method that does not cause your currently installed system to no longer boot.
22.2. Applying an online Revocation List update
You can update the Secure Boot Revocation List on your system so that Secure Boot prevents known security issues. This procedure is safe and ensures that the update does not prevent your system from booting.
Prerequisites
- Secure Boot is enabled on your system.
- Your system can access the internet for updates.
Procedure
Determine the current version of the Revocation List:
fwupdmgr get-devices
# fwupdmgr get-devicesCopy to Clipboard Copied! Toggle word wrap Toggle overflow See the
Current versionfield underUEFI dbx.Enable the LVFS Revocation List repository:
fwupdmgr enable-remote lvfs
# fwupdmgr enable-remote lvfsCopy to Clipboard Copied! Toggle word wrap Toggle overflow Refresh the repository metadata:
fwupdmgr refresh
# fwupdmgr refreshCopy to Clipboard Copied! Toggle word wrap Toggle overflow Apply the Revocation List update:
On the command line:
fwupdmgr update
# fwupdmgr updateCopy to Clipboard Copied! Toggle word wrap Toggle overflow In the graphical interface:
- Open the Software application
- Navigate to the Updates tab.
- Find the Secure Boot dbx Configuration Update entry.
- Click .
-
At the end of the update,
fwupdmgror Software asks you to reboot the system. Confirm the reboot.
Verification
After the reboot, check the current version of the Revocation List again:
fwupdmgr get-devices
# fwupdmgr get-devicesCopy to Clipboard Copied! Toggle word wrap Toggle overflow
22.3. Applying an offline Revocation List update
On a system with no internet connection, you can update the Secure Boot Revocation List from RHEL so that Secure Boot prevents known security issues. This procedure is safe and ensures that the update does not prevent your system from booting.
Procedure
Determine the current version of the Revocation List:
fwupdmgr get-devices
# fwupdmgr get-devicesCopy to Clipboard Copied! Toggle word wrap Toggle overflow See the
Current versionfield underUEFI dbx.List the updates available from RHEL:
ls /usr/share/dbxtool/
# ls /usr/share/dbxtool/Copy to Clipboard Copied! Toggle word wrap Toggle overflow Select the most recent update file for your architecture. The file names use the following format:
DBXUpdate-date-architecture.cab
DBXUpdate-date-architecture.cabCopy to Clipboard Copied! Toggle word wrap Toggle overflow Install the selected update file:
fwupdmgr install /usr/share/dbxtool/DBXUpdate-date-architecture.cab
# fwupdmgr install /usr/share/dbxtool/DBXUpdate-date-architecture.cabCopy to Clipboard Copied! Toggle word wrap Toggle overflow -
At the end of the update,
fwupdmgrasks you to reboot the system. Confirm the reboot.
Verification
After the reboot, check the current version of the Revocation List again:
fwupdmgr get-devices
# fwupdmgr get-devicesCopy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}