RHEL-24922

Unable to update the DBX database

    • Bug
    • Resolution: Unresolved
    • Major
    • rhel-7.9, rhel-8.9.0, rhel-9.3.0
    • fwupd
    • Critical
    • sst_desktop_firmware_bootloaders
    • ssg_desktop

      What were you trying to do that didn't work?

      Try to update the DBX database as described at:

      https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/9/html/managing_monitoring_and_updating_the_kernel/updating-the-secure-boot-revocation-list_managing-monitoring-and-updating-the-kernel

      Please provide the package NVR for which bug is seen:

      fwupd-1.8.16-1.el9.x86_64

      How reproducible:

      Every time

      Steps to reproduce

       fwupdmgr get-details /usr/share/dbxtool/DBXUpdate-20230509-x64.cab

      Expected results

      Working update of the dbx database

      Actual results

       fwupdmgr get-details /usr/share/dbxtool/DBXUpdate-20230509-x64.cab 
      Decompressing...           [ -                                     ]
      VMware, Inc. VMware7,1
      │
      └─UEFI dbx:
        │   Device ID:          362301da643102b9f38477387e2193e57abaa590
        │   Summary:            UEFI revocation database
        │   Description:        
        │   Updating the UEFI dbx prevents starting EFI binaries with known security issues.
        │   Current version:    77
        │   Minimum Version:    77
        │   Vendor:             UEFI:Linux Foundation
        │   Install Duration:   1 second
        │   Update Error:       Not compatible with org.freedesktop.fwupd version 1.8.16, requires >= 1.9.1
        │   GUIDs:              c6682ade-b5ec-57c4-b687-676351208742
        │                       f8ba2887-9411-5c36-9cee-88995bb39731
        │   Device Flags:       • Internal device
        │                       • Needs a reboot after installation
        │                       • Device is usable for the duration of the update
        │                       • Updatable
        │                       • Only version upgrades are allowed
        │                       • Signed Payload
        │ 
        └─Secure Boot dbx:
              New version:      371
              Summary:          UEFI Secure Boot Forbidden Signature Database
              Variant:          x64
              License:          Proprietary
              Size:             21.2 kB
              Urgency:          High
              Release Flags:    • Trusted payload
                                • Trusted metadata
              Description:      
              Insecure versions of the Microsoft Windows boot manager affected by Black Lotus were added to the list of forbidden signatures due to a discovered security problem. This updates the dbx to the latest release from Microsoft.
              
              Before installing the update, fwupd will check for any affected executables in the ESP and will refuse to update if it finds any boot binaries signed with any of the forbidden signatures. Applying this update may also cause some Windows install media to not start correctly.
              Issue:            CVE-2022-21894
      

      So an update of fwupd will be needed for RHEL-9/8/7.
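The "Update Error" line in the output above is reported by fwupd before anything is written to the dbx, so the requirement can be checked in advance. The following pre-flight script is an added example, not part of this issue or of the fwupd project: it extracts the "requires >= X" version from `fwupdmgr get-details` output, parses the installed version from the "client version:" line of `fwupdmgr --version` (that line format is an assumption), and compares the two with natural version ordering. The helper names (`version_ge`, `required_fwupd_version`, `installed_fwupd_version`, `dbx_preflight`) and the embedded sample line are constructed for this example.

```shell
#!/bin/sh
# Added example (not from RHEL-24922 or the fwupd project): decide before
# running `fwupdmgr update` whether the installed fwupd is new enough for a
# given DBX update cab, using the "Update Error: ... requires >= X" line.

# Constructed sample: the relevant line from the get-details output in the report.
SAMPLE_DETAILS='  │   Update Error:       Not compatible with org.freedesktop.fwupd version 1.8.16, requires >= 1.9.1'

# version_ge A B: succeeds when A >= B in natural version order (1.9.1 > 1.8.16).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# required_fwupd_version: reads get-details output on stdin and prints the
# minimum fwupd version named in an "Update Error ... requires >= X" line.
# Prints nothing when no such requirement is reported.
required_fwupd_version() {
    sed -n 's/.*Update Error:.*requires >= \([0-9][0-9.]*\).*/\1/p' | head -n1
}

# installed_fwupd_version: reads `fwupdmgr --version` output on stdin and
# prints the value of its "client version:" line (assumed format).
installed_fwupd_version() {
    sed -n 's/^client version:[[:space:]]*//p' | head -n1
}

# dbx_preflight DETAILS INSTALLED: prints a verdict and returns 1 when the
# installed fwupd is older than the version the cab requires.
dbx_preflight() {
    req=$(printf '%s\n' "$1" | required_fwupd_version)
    if [ -z "$req" ]; then
        echo "ok: no fwupd version requirement reported"
        return 0
    fi
    if version_ge "$2" "$req"; then
        echo "ok: fwupd $2 satisfies >= $req"
        return 0
    fi
    echo "blocked: fwupd $2 is older than required $req; update fwupd first"
    return 1
}

# On a real host (hypothetical usage, commented out so the script runs offline):
# dbx_preflight "$(fwupdmgr get-details /usr/share/dbxtool/DBXUpdate-20230509-x64.cab)" \
#               "$(fwupdmgr --version | installed_fwupd_version)"
dbx_preflight "$SAMPLE_DETAILS" 1.8.16
```

Run against the sample line and fwupd 1.8.16 it prints the "blocked" verdict and exits non-zero, which is the condition the report describes; with 1.9.1 or newer it passes. Exit status rather than printed text is what a kickstart or Ansible task should key on, so the update step can be skipped cleanly until the fwupd package has been updated.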

            rhn-engineering-rhughes Richard Hughes
            mdc_fbuettn Frank Büttner
            Oliver Gutiérrez Suárez
            Votes: 0
            Watchers: 3