Red Hat SummitChapter 23. Updating the Secure Boot Revocation List
You can update the UEFI Secure Boot Revocation List on your system so that Secure Boot identifies software with known security issues and prevents it from compromising your boot process.
23.1. The Secure Boot Revocation List
The UEFI Secure Boot Revocation List (Secure Boot Forbidden Signature Database, dbx) identifies software that Secure Boot no longer allows to run. When security or stability issues are found, the list stores hash signatures to prevent compromised software from booting.
For example, a certain version of GRUB might contain a security issue that allows an attacker to bypass the Secure Boot mechanism. When the issue is found, the Revocation List adds hash signatures of all GRUB versions that contain the issue. As a result, only secure GRUB versions can boot on the system.
The Revocation List requires regular updates to recognize newly found issues. When updating the Revocation List, make sure to use a safe update method that does not cause your currently installed system to no longer boot.
23.2. Applying an online Revocation List update
Update the Secure Boot Revocation List on your system to prevent known security issues. This safe procedure ensures the update does not prevent your system from booting.
Prerequisites
- Secure Boot is enabled on your system.
- Your system can access the internet for updates.
Procedure
Determine the current version of the Revocation List:
# fwupdmgr get-devicesSee the
Current versionfield underUEFI dbx.Enable the LVFS Revocation List repository:
# fwupdmgr enable-remote lvfsRefresh the repository metadata:
# fwupdmgr refreshApply the Revocation List update:
On the command line:
# fwupdmgr updateIn the graphical interface:
- Open the Software application
- Navigate to the Updates tab.
- Find the Secure Boot dbx Configuration Update entry.
- Click .
-
At the end of the update,
fwupdmgror Software asks you to reboot the system. Confirm the reboot.
Verification
After the reboot, check the current version of the Revocation List again:
# fwupdmgr get-devices
23.3. Applying an offline Revocation List update
Update the Secure Boot Revocation List from RHEL on systems without internet access to prevent known security issues. This safe procedure ensures the update does not prevent your system from booting.
Procedure
Determine the current version of the Revocation List:
# fwupdmgr get-devicesSee the
Current versionfield underUEFI dbx.List the updates available from RHEL:
# ls /usr/share/dbxtool/Select the most recent update file for your architecture. The file names use the following format:
DBXUpdate-date-architecture.cabInstall the selected update file:
# fwupdmgr install /usr/share/dbxtool/DBXUpdate-date-architecture.cab-
At the end of the update,
fwupdmgrasks you to reboot the system. Confirm the reboot.
Verification
After the reboot, check the current version of the Revocation List again:
# fwupdmgr get-devices
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}