UEFI Secure Boot: Revocation of shim binaries older than version 15.4

The revocation mechanism

The Unified Extensible Firmware Interface (UEFI) Forum provides Revocation List files that you can use to update the Secure Boot Forbidden Signature Database (dbx). This database contains the signatures of revoked binaries and certificates which must not be used if Secure Boot is enabled. The operating system usually performs the dbx update, or sometimes it is part of the firmware update.

shim is a first-stage boot loader that embeds a self-signed Certificate Authority (CA) certificate. Microsoft signs shim binaries, which ensures that they can be booted on all machines with a pre-loaded Microsoft certificate. shim uses the embedded certificate to verify the signature of the GRUB 2 boot loader. shim also provides a protocol that GRUB 2 uses to verify the kernel signature.

Boot loader binaries revoked due to a vulnerability

The recent GRUB 2 vulnerability requires revoking all shim binaries that allow booting the vulnerable GRUB 2 binaries. This prevents an attacker from downgrading GRUB 2 to a vulnerable version. In the case of RHEL, these are the shim binaries provided by shim packages older than version 15.4. The UEFI Revocation List files, which contain the signatures of all of these shim binaries, were released on April 29, 2021. However, all operating system and hardware vendors are currently instructed not to update the dbx database automatically.

The solution on RHEL

Red Hat will distribute shim 15.4 or later as soon as possible for all supported releases of RHEL. Although Red Hat follows the instruction not to update the dbx database automatically, it has no control over the actions of other vendors. If the dbx update occurs before shim 15.4 or later is installed, it can cause the firmware to prevent a supported release of RHEL from booting.

The solution is to enroll the signature of the current shim binary in the Authorized Signature Database (db). The binary is located on the EFI System Partition in the /EFI/redhat/ directory. The name of the binary depends on the machine architecture and UEFI implementation:

Architecture                     UEFI implementation   shim binary
64-bit AMD and Intel (x86_64)    64-bit                /EFI/redhat/shimx64.efi
                                 32-bit                /EFI/redhat/shimia32.efi
64-bit ARM (aarch64)             64-bit                /EFI/redhat/shimaa64.efi

In most cases, you can enroll the signature in the firmware settings. However, the procedure could differ from vendor to vendor. For details, see the documentation of your machine.
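Before enrolling anything, an administrator usually wants to confirm which shim binary the table above applies to on a given host and whether the installed shim package is still one of the revoked versions. The following script is an added example and not part of the Red Hat article; it assumes the RHEL package names shim-x64, shim-ia32 and shim-aa64, the /boot/efi mount point for the ESP, and the Linux sysfs file /sys/firmware/efi/fw_platform_size for the firmware bitness.

```sh
#!/bin/sh
# Added example (not from the Red Hat article): locate the shim binary listed in
# the table above for this machine and flag shim package versions older than 15.4,
# i.e. those covered by the dbx revocation. The rpm package names, the ESP mount
# point and the fw_platform_size sysfs file are assumptions, not from the article.

# Map architecture and firmware bitness to the shim path on the ESP (from the table).
shim_path() {
    case "$1:$2" in
        x86_64:64)  echo /EFI/redhat/shimx64.efi ;;
        x86_64:32)  echo /EFI/redhat/shimia32.efi ;;
        aarch64:64) echo /EFI/redhat/shimaa64.efi ;;
        *)          return 1 ;;
    esac
}

# Return 0 when an upstream shim version ("15", "15.4", "15.8") is 15.4 or later,
# 1 when it is older and therefore among the revoked binaries.
shim_version_ok() {
    major="${1%%.*}"
    case "$1" in
        *.*) minor="${1#*.}"; minor="${minor%%.*}" ;;
        *)   minor=0 ;;
    esac
    [ "$major" -gt 15 ] && return 0
    [ "$major" -eq 15 ] && [ "$minor" -ge 4 ] && return 0
    return 1
}

# Probe the running host; the ESP mount point defaults to /boot/efi.
check_installed_shim() {
    esp="${1:-/boot/efi}"
    bits="$(cat /sys/firmware/efi/fw_platform_size 2>/dev/null || echo 64)"
    path="$(shim_path "$(uname -m)" "$bits")" || { echo "unsupported platform"; return 2; }
    [ -f "$esp$path" ] || { echo "shim not found at $esp$path"; return 2; }
    ver="$(rpm -qf --qf '%{VERSION}' "$esp$path" 2>/dev/null)" \
        || { echo "$esp$path is not owned by an rpm package"; return 2; }
    if shim_version_ok "$ver"; then
        echo "OK: $esp$path (shim $ver) is not covered by the revocation"
    else
        echo "REVOKED: $esp$path (shim $ver) is older than 15.4;" \
             "enroll its signature in db and update shim before any dbx update"
        return 1
    fi
}

# Run the host check only when invoked as: ./shimcheck.sh --check [ESP_MOUNT]
if [ "${1:-}" = "--check" ]; then
    check_installed_shim "$2"
fi
```

The exit status of check_installed_shim (0 safe, 1 revoked, 2 undetermined) makes it usable from configuration-management or monitoring jobs across a fleet.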
