F22 System Wide Change: UEFI Secure Boot Blacklist Updates
jreznik at redhat.com
Fri Dec 12 14:44:20 UTC 2014
= Proposed System Wide Change: UEFI Secure Boot Blacklist Updates =
Change owner(s): Peter Jones <pjones at redhat.com>
Currently our implementation of UEFI Secure Boot does not include a facility
to apply blacklist ("dbx") updates enabled by default. We provide a utility,
dbxtool, which uses a systemd service to apply updates, and when there are
updates we update that package with the new data. dbxtool is currently not
installed on UEFI machines by default, and when it is installed, its systemd
service does not default to enabled.
== Detailed Description ==
In UEFI Secure Boot, the ability for a pre-boot binary such as a bootloader or
hardware maintenance utility to be executed is determined by a whitelist of
binaries and cryptographic signing certificates, as well as a blacklist of
binaries and signing certificates which are no longer considered valid. When a
signed binary is discovered to have vulnerabilities which allow it to be used
to circumvent the Secure Boot security model, and thus render the system
unable to prevent execution of pre-boot malware, the UEFI CA, in coordination
with the UEFI Security Response Team (USRT) and the relevant software vendor,
must undertake remedial action. The software vendor must fix their
vulnerability and issue a new version of the software, and the old software
must be blocked from execution on applicable machines.
The first task is up to the vendor in question. Once the new version is ready
(or when sufficient time has passed), if a vulnerability is being actively
exploited or has a sufficiently high likelihood of being so, the UEFI CA issues
a blacklist entry in the form of an update to the UEFI variable "dbx". That
update is a cryptographically signed list of binaries and/or signing
certificates in a format which may be appended to a specific UEFI variable.
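The dbx payload format described above, as an added example (this is not code from the proposal, from dbxtool, or from Fedora): a parser for the EFI_SIGNATURE_LIST structures that make up the dbx variable, used to check whether a binary's SHA-256 hash or a signing certificate has been revoked. The sample dbx, the image bytes, the certificate bytes and the owner GUID are constructed here. Two caveats a practitioner should keep in mind: a dbx update as distributed by the UEFI CA is wrapped in an EFI_VARIABLE_AUTHENTICATION_2 header carrying the PKCS#7 signature, which this parser neither strips nor verifies (it expects the bare signature lists, as read back from the variable), and the SHA-256 entries for PE binaries are Authenticode image hashes rather than hashes of the whole file, so the constructed images below are hashed whole only for simplicity.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (GUID), SignatureListSize,
# SignatureHeaderSize, SignatureSize; all fields little-endian.
SIGLIST_HDR = struct.Struct("<16sIII")
OWNER_LEN = 16  # each EFI_SIGNATURE_DATA begins with a SignatureOwner GUID


def build_siglist(sig_type, owner, payloads):
    """Serialize one EFI_SIGNATURE_LIST; every entry must have the same payload length."""
    payload_len = len(payloads[0])
    if any(len(p) != payload_len for p in payloads):
        raise ValueError("entries in one EFI_SIGNATURE_LIST must share a size")
    body = b"".join(owner.bytes_le + p for p in payloads)
    header = SIGLIST_HDR.pack(sig_type.bytes_le, SIGLIST_HDR.size + len(body),
                              0, OWNER_LEN + payload_len)
    return header + body


def parse_siglists(data):
    """Walk concatenated EFI_SIGNATURE_LISTs (the raw dbx contents) and return
    (signature type, owner, payload) triples, rejecting inconsistent sizes."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < SIGLIST_HDR.size:
            raise ValueError(f"truncated list header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(data, off)
        end = off + list_size
        if list_size < SIGLIST_HDR.size + hdr_size or end > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= OWNER_LEN:
            raise ValueError(f"SignatureSize {sig_size} leaves no room for a payload")
        sig_type = uuid.UUID(bytes_le=type_raw)
        body = data[off + SIGLIST_HDR.size + hdr_size:end]
        if len(body) % sig_size:
            raise ValueError(f"{len(body)}-byte signature area is not a multiple of {sig_size}")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            entries.append((sig_type, uuid.UUID(bytes_le=entry[:OWNER_LEN]), entry[OWNER_LEN:]))
        off = end
    return entries


def is_revoked(dbx, image_bytes=None, cert_der=None):
    """True if the image's SHA-256 or the DER certificate appears in dbx.
    Real dbx hashes of PE images are Authenticode image hashes; this helper
    hashes the given bytes whole, which is only right for the constructed sample."""
    image_hash = hashlib.sha256(image_bytes).digest() if image_bytes is not None else None
    for sig_type, _owner, payload in parse_siglists(dbx):
        if sig_type == EFI_CERT_SHA256_GUID and payload == image_hash:
            return True
        if sig_type == EFI_CERT_X509_GUID and payload == cert_der:
            return True
    return False


def load_efivar(path):
    """Read a variable from Linux efivarfs; the file starts with 4 bytes of attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample data (not a real dbx update): two revoked image hashes
# and one revoked certificate, under an arbitrary (assumed) owner GUID.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
VULNERABLE_IMAGE = b"constructed: vulnerable bootloader v1"
FIXED_IMAGE = b"constructed: fixed bootloader v2"
REVOKED_CERT = b"constructed: not real DER, stands in for a revoked signing cert"
SAMPLE_DBX = (
    build_siglist(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                  [hashlib.sha256(VULNERABLE_IMAGE).digest(),
                   hashlib.sha256(b"constructed: another revoked binary").digest()])
    + build_siglist(EFI_CERT_X509_GUID, SAMPLE_OWNER, [REVOKED_CERT])
)

if __name__ == "__main__":
    # On a live system the same check runs against the firmware's copy:
    # dbx = load_efivar("/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f")
    for name, img in (("vulnerable v1", VULNERABLE_IMAGE), ("fixed v2", FIXED_IMAGE)):
        print(name, "revoked" if is_revoked(SAMPLE_DBX, image_bytes=img) else "allowed")
```

The length checks in parse_siglists matter because the parser is the first thing to touch data that arrives from outside the system: a SignatureListSize that overruns the buffer, or a signature area that is not a whole number of entries, is rejected instead of silently yielding a partial or misaligned entry that would then never match a hash.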
Currently Fedora includes the dbxtool utility for updating the UEFI dbx
blacklist. The dbxtool package includes the most recent UEFI CA blacklist
update (they each include all data, so previous versions are not required) and
a systemd service to ensure the update is applied to the system. Currently
dbxtool is not installed by default on applicable systems, and when it is
installed, its service is not enabled by default.
This change principally takes place in three packages:
* shim-signed must include a dependency on dbxtool
* dbxtool must have systemd %pre and %post scriptlets added
* systemd must include dbxtool.service in its 90-default.preset
== Scope ==
* Proposal owners: Implement proposed change
* Other developers: potentially the systemd-maint team, though I think I can
commit the applicable change there.
* Release engineering: N/A
* Policies and guidelines: If we're keeping a list somewhere of things allowed
to have system preset services, dbxtool should be added.