F22 System Wide Change: UEFI Secure Boot Blacklist Updates

Jaroslav Reznik jreznik at redhat.com
Fri Dec 12 14:44:20 UTC 2014

= Proposed System Wide Change: UEFI Secure Boot Blacklist Updates =

Change owner(s): Peter Jones <pjones at redhat.com>

Currently our implementation of UEFI Secure Boot does not enable, by default, any 
facility for applying blacklist ("dbx") updates. We provide a utility, dbxtool, 
which uses a systemd service to apply updates, and when the UEFI CA publishes 
new blacklist data we rebuild that package with it. dbxtool is currently not 
installed on UEFI machines by default, and when it is installed, its systemd 
service is not enabled by default. 

== Detailed Description ==
In UEFI Secure Boot, the ability for a pre-boot binary such as a bootloader or 
hardware maintenance utility to be executed is determined by a whitelist of 
binaries and cryptographic signing certificates, as well as a blacklist of 
binaries and signing certificates which are no longer considered valid. When a 
signed binary is discovered to have vulnerabilities which allow it to be used 
to circumvent the Secure Boot security model, and thus render the system 
unable to prevent execution of pre-boot malware, the UEFI CA, in coordination 
with the UEFI Security Response Team (USRT) and the relevant software vendor, 
must undertake remedial action. The software vendor must fix their 
vulnerability and issue a new version of the software, and the old software 
must be blocked from execution on applicable machines.

The first task is up to the vendor in question. Once the new version is ready 
(or sufficient time has passed), and if the vulnerability is being actively 
exploited or is sufficiently likely to be, the UEFI CA issues a blacklist entry 
in the form of an update to the UEFI variable "dbx". That update is a 
cryptographically signed list of binary hashes and/or signing certificates, in 
a format which the firmware verifies (against the platform's Key Exchange Key) 
before appending it to that specific UEFI variable.
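As an added illustration (example code written for this page, not part of 
dbxtool or of the proposal), the following Python builds and parses a dbx update 
of the kind described above: an EFI_VARIABLE_AUTHENTICATION_2 header (an 
EFI_TIME timestamp plus a PKCS#7 WIN_CERTIFICATE_UEFI_GUID) followed by one or 
more EFI_SIGNATURE_LIST structures holding SHA-256 image hashes or X.509 
certificates. dbxtool itself is written in C; Python is used here only to keep 
the structures readable. The sample blob, its SignatureOwner GUID, the two 
"revoked" hashes and the stand-in certificate bytes are constructed for the 
example, and the PKCS#7 body is a placeholder that no firmware would accept; the 
parser deliberately does not verify the signature, since that is the firmware's 
job against the KEK. The efivarfs helper assumes the Linux layout of a 4-byte 
attribute word followed by the variable data.

```python
"""Build and parse a UEFI dbx update (illustrative example, not dbxtool code).

Sample data below is constructed; the PKCS#7 body is a placeholder only.
"""
import hashlib
import struct
import uuid

# GUIDs from the UEFI specification; the binary form is mixed-endian (bytes_le).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
SIG_LIST_HDR = struct.Struct("<16sIII")  # EFI_SIGNATURE_LIST header, 28 bytes
WIN_CERT_HDR = struct.Struct("<IHH16s")  # WIN_CERTIFICATE_UEFI_GUID header, 24 bytes
EFI_TIME_SIZE = 16

# Assumed SignatureOwner, constructed for this example (a real update carries
# the issuing CA's owner GUID).
EXAMPLE_OWNER = uuid.UUID("12345678-1234-5678-9abc-def012345678")


def build_signature_list(sig_type, owner, entries):
    """Serialise one EFI_SIGNATURE_LIST; every entry in a list has the same size."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("EFI_SIGNATURE_LIST entries must be uniform in size")
    sig_size = 16 + sizes.pop()  # EFI_SIGNATURE_DATA = SignatureOwner + SignatureData
    body = b"".join(owner.bytes_le + e for e in entries)
    hdr = SIG_LIST_HDR.pack(sig_type.bytes_le, SIG_LIST_HDR.size + len(body), 0, sig_size)
    return hdr + body


def build_authenticated_update(payload, pkcs7):
    """Prefix payload with an EFI_VARIABLE_AUTHENTICATION_2 header.

    In a real update the PKCS#7 signature covers variable name, vendor GUID,
    attributes, timestamp and payload; pkcs7 here is a constructed placeholder.
    """
    # EFI_TIME: Year, Month, Day, Hour, Minute, Second, Pad1, Nanosecond, TimeZone, Daylight, Pad2
    timestamp = struct.pack("<HBBBBBBIhBB", 2014, 12, 12, 0, 0, 0, 0, 0, 0, 0, 0)
    wincert = WIN_CERT_HDR.pack(WIN_CERT_HDR.size + len(pkcs7), 0x0200,
                                WIN_CERT_TYPE_EFI_GUID, EFI_CERT_TYPE_PKCS7_GUID.bytes_le)
    return timestamp + wincert + pkcs7 + payload


def split_authenticated_update(blob):
    """Return (pkcs7_bytes, payload) from a time-based authenticated variable write."""
    if len(blob) < EFI_TIME_SIZE + WIN_CERT_HDR.size:
        raise ValueError("blob too short for EFI_VARIABLE_AUTHENTICATION_2")
    dw_len, rev, cert_type, type_guid = WIN_CERT_HDR.unpack_from(blob, EFI_TIME_SIZE)
    if rev != 0x0200 or cert_type != WIN_CERT_TYPE_EFI_GUID \
            or uuid.UUID(bytes_le=type_guid) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("not a PKCS#7 authenticated variable update")
    end = EFI_TIME_SIZE + dw_len
    if dw_len < WIN_CERT_HDR.size or end > len(blob):
        raise ValueError("WIN_CERTIFICATE length inconsistent with blob")
    return blob[EFI_TIME_SIZE + WIN_CERT_HDR.size:end], blob[end:]


def parse_signature_lists(payload):
    """Yield (type_guid, owner_guid, data) for each EFI_SIGNATURE_DATA entry.

    Lists whose sizes do not add up (truncated or crafted input) are rejected.
    """
    off = 0
    while off < len(payload):
        if len(payload) - off < SIG_LIST_HDR.size:
            raise ValueError("trailing bytes shorter than a list header at %d" % off)
        type_raw, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(payload, off)
        data_len = list_size - SIG_LIST_HDR.size - hdr_size
        if list_size < SIG_LIST_HDR.size + hdr_size or off + list_size > len(payload) \
                or sig_size <= 16 or data_len % sig_size != 0:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos = off + SIG_LIST_HDR.size + hdr_size
        for _ in range(data_len // sig_size):
            owner = uuid.UUID(bytes_le=payload[pos:pos + 16])
            yield sig_type, owner, payload[pos + 16:pos + sig_size]
            pos += sig_size
        off += list_size


def parse_efivarfs(raw):
    """efivarfs exposes a 4-byte attribute word before the variable data."""
    return list(parse_signature_lists(raw[4:]))


def is_revoked(entries, pe_hash):
    """True if the Authenticode SHA-256 of an image appears in the dbx entries."""
    return any(t == EFI_CERT_SHA256_GUID and d == pe_hash for t, _, d in entries)


# Constructed sample: hashes of two stand-in "vulnerable loaders" plus a
# placeholder certificate blob (not a real DER certificate).
REVOKED_HASHES = [hashlib.sha256(b"old-vulnerable-loader-%d" % i).digest() for i in range(2)]
SAMPLE_CERT = b"\x30\x82\x01\x00" + b"\xaa" * 20
SAMPLE_PAYLOAD = (build_signature_list(EFI_CERT_SHA256_GUID, EXAMPLE_OWNER, REVOKED_HASHES)
                  + build_signature_list(EFI_CERT_X509_GUID, EXAMPLE_OWNER, [SAMPLE_CERT]))
SAMPLE_UPDATE = build_authenticated_update(SAMPLE_PAYLOAD, b"\x30\x00")  # placeholder PKCS#7


def demo():
    """Split the constructed update and return its parsed dbx entries."""
    _pkcs7, payload = split_authenticated_update(SAMPLE_UPDATE)
    return list(parse_signature_lists(payload))


if __name__ == "__main__":
    for sig_type, owner, data in demo():
        print(sig_type, owner, data.hex())
```

Running the module prints the three parsed entries. On a Linux machine the live 
variable can be read from 
/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f and passed to 
parse_efivarfs to see which hashes and certificates the firmware already 
rejects.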

Currently Fedora includes the dbxtool [1] utility for updating the UEFI dbx 
blacklist. The dbxtool package includes the most recent UEFI CA blacklist 
update (each update is cumulative, so previous versions are not required) and 
a systemd service to ensure the update is applied to the system. Currently 
dbxtool is not installed by default on applicable systems, and when it is 
installed, its service is not enabled by default.

This change principally takes place in three packages:

* shim-signed must include a dependency on dbxtool
* dbxtool must have systemd %pre and %post scriptlets added
* systemd must include dbxtool.service in its 90-default.preset

== Scope ==
* Proposal owners: Implement proposed change
* Other developers: potentially the systemd-maint team, though I think I can 
commit the applicable change there.
* Release engineering: N/A
* Policies and guidelines: If we're keeping a list somewhere of things allowed 
to have system preset services, dbxtool should be added.

[1] https://github.com/vathpela/dbxtool
