Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-24922

Unable to update the DBX database

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • rhel-7.9, rhel-8.9.0, rhel-9.3.0
    • fwupd
    • None
    • None
    • Critical
    • rhel-sst-display-hardware-multimedia
    • ssg_display
    • 2
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • All
    • None

      What were you trying to do that didn't work?

      Try to update the DBX database like written on:

      https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/9/html/managing_monitoring_and_updating_the_kernel/updating-the-secure-boot-revocation-list_managing-monitoring-and-updating-the-kernel

      Please provide the package NVR for which bug is seen:

      fwupd-1.8.16-1.el9.x86_64

      How reproducible:

      Every time

      Steps to reproduce

       fwupdmgr get-details /usr/share/dbxtool/DBXUpdate-20230509-x64.cab

      Expected results

      Working update of the dbx data base

      Actual results

       fwupdmgr get-details /usr/share/dbxtool/DBXUpdate-20230509-x64.cab 
      Decompressing...           [ -                                     ]
      VMware, Inc. VMware7,1
      │
      └─UEFI dbx:
        │   Device ID:          362301da643102b9f38477387e2193e57abaa590
        │   Summary:            UEFI revocation database
        │   Description:        
        │   Updating the UEFI dbx prevents starting EFI binaries with known security issues.
        │   Current version:    77
        │   Minimum Version:    77
        │   Vendor:             UEFI:Linux Foundation
        │   Install Duration:   1 second
        │   Update Error:       Not compatible with org.freedesktop.fwupd version 1.8.16, requires >= 1.9.1
        │   GUIDs:              c6682ade-b5ec-57c4-b687-676351208742
        │                       f8ba2887-9411-5c36-9cee-88995bb39731
        │   Device Flags:       • Internal device
        │                       • Needs a reboot after installation
        │                       • Device is usable for the duration of the update
        │                       • Updatable
        │                       • Only version upgrades are allowed
        │                       • Signed Payload
        │ 
        └─Secure Boot dbx:
              New version:      371
              Summary:          UEFI Secure Boot Forbidden Signature Database
              Variant:          x64
              License:          Proprietary
              Size:             21.2 kB
              Urgency:          High
              Release Flags:    • Trusted payload
                                • Trusted metadata
              Description:      
              Insecure versions of the Microsoft Windows boot manager affected by Black Lotus were added to the list of forbidden signatures due to a discovered security problem. This updates the dbx to the latest release from Microsoft.
              
              Before installing the update, fwupd will check for any affected executables in the ESP and will refuse to update if it finds any boot binaries signed with any of the forbidden signatures. Applying this update may also cause some Windows install media to not start correctly.
              Issue:            CVE-2022-21894
      

      So an update of fwupd will be needed for RHEL-9/8/7.

              rhn-engineering-rhughes Richard Hughes
              mdc_fbuettn Frank Büttner (Inactive)
              Richard Hughes Richard Hughes
              David Jaša David Jaša
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated: