Chapter 20. Updating the Secure Boot Revocation List

You can update the UEFI Secure Boot Revocation List on your system so that Secure Boot identifies software with known security issues and prevents it from compromising your boot process.

20.1. Prerequisites

  • Secure Boot is enabled on your system.

20.2. What is UEFI Secure Boot

With the Unified Extensible Firmware Interface (UEFI) Secure Boot technology, you can prevent the execution of the kernel-space code that has not been signed by a trusted key. The system boot loader is signed with a cryptographic key. The database of public keys, which is contained in the firmware, authorizes the signing key. You can subsequently verify a signature in the next-stage boot loader and the kernel.

UEFI Secure Boot establishes a chain of trust from the firmware to the signed drivers and kernel modules as follows:

  • An UEFI private key signs, and a public key authenticates the shim first-stage boot loader. A certificate authority (CA) in turn signs the public key. The CA is stored in the firmware database.
  • The shim file contains the Red Hat public key Red Hat Secure Boot (CA key 1) to authenticate the GRUB boot loader and the kernel.
  • The kernel in turn contains public keys to authenticate drivers and modules.

Secure Boot is the boot path validation component of the UEFI specification. The specification defines:

  • Programming interface for cryptographically protected UEFI variables in non-volatile storage.
  • Storing the trusted X.509 root certificates in UEFI variables.
  • Validation of UEFI applications such as boot loaders and drivers.
  • Procedures to revoke known-bad certificates and application hashes.

UEFI Secure Boot helps in the detection of unauthorized changes but does not:

  • Prevent installation or removal of second-stage boot loaders.
  • Require explicit user confirmation of such changes.
  • Stop boot path manipulations. Signatures are verified during booting, not when the boot loader is installed or updated.

If the boot loader or the kernel are not signed by a system trusted key, Secure Boot prevents them from starting.

20.3. The Secure Boot Revocation List

The UEFI Secure Boot Revocation List, or the Secure Boot Forbidden Signature Database (dbx), is a list that identifies software that Secure Boot no longer allows to run.

When a security issue or a stability problem is found in software that interfaces with Secure Boot, such as in the GRUB boot loader, the Revocation List stores its hash signature. Software with such a recognized signature cannot run during boot, and the system boot fails to prevent compromising the system.

For example, a certain version of GRUB might contain a security issue that allows an attacker to bypass the Secure Boot mechanism. When the issue is found, the Revocation List adds hash signatures of all GRUB versions that contain the issue. As a result, only secure GRUB versions can boot on the system.

The Revocation List requires regular updates to recognize newly found issues. When updating the Revocation List, make sure to use a safe update method that does not cause your currently installed system to no longer boot.

20.4. Applying an online Revocation List update

You can update the Secure Boot Revocation List on your system so that Secure Boot prevents known security issues. This procedure is safe and ensures that the update does not prevent your system from booting.

Prerequisites

  • Your system can access the internet for updates.

Procedure

  1. Determine the current version of the Revocation List: 

    # fwupdmgr get-devices

    See the Current version field under UEFI dbx.

  2. Enable the LVFS Revocation List repository: 

    # fwupdmgr enable-remote lvfs

  3. Refresh the repository metadata: 

    # fwupdmgr refresh

  4. Apply the Revocation List update:

    • On the command line: 

      # fwupdmgr update

    • In the graphical interface:

      1. Open the Software application
      2. Navigate to the Updates tab.
      3. Find the Secure Boot dbx Configuration Update entry.
      4. Click Update.
  5. At the end of the update, fwupdmgr or Software asks you to reboot the system. Confirm the reboot.

Verification

  • After the reboot, check the current version of the Revocation List again: 

    # fwupdmgr get-devices

20.5. Applying an offline Revocation List update

On a system with no internet connection, you can update the Secure Boot Revocation List from RHEL so that Secure Boot prevents known security issues. This procedure is safe and ensures that the update does not prevent your system from booting.

Procedure

  1. Determine the current version of the Revocation List: 

    # fwupdmgr get-devices

    See the Current version field under UEFI dbx.

  2. List the updates available from RHEL: 

    # ls /usr/share/dbxtool/

  3. Select the most recent update file for your architecture. The file names use the following format: 

    DBXUpdate-date-architecture.cab

  4. Install the selected update file: 

    # fwupdmgr install /usr/share/dbxtool/DBXUpdate-date-architecture.cab
  5. At the end of the update, fwupdmgr asks you to reboot the system. Confirm the reboot.

Verification

  • After the reboot, check the current version of the Revocation List again: 

    # fwupdmgr get-devices