Microsoft guidance for applying Secure Boot DBX update


Summary


On July 29, 2020, Microsoft published security advisory 200011 that describes a new vulnerability that’s related to Secure Boot. Devices that trust the Microsoft third-party Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA) in their Secure Boot configuration may be susceptible to an attacker who has administrative privileges or physical access to the device.

This article provides guidance to apply the latest Secure Boot DBX revocation list to invalidate the vulnerable modules. Microsoft plans to push an update to Windows Update to address this vulnerability after further testing in 2021.

The Secure Boot update binaries are hosted on https://uefi.org/revocationlistfile.

The posted files are as follows:

  • UEFI Revocation List File for x86 (32 bit) 
  • UEFI Revocation List File for x64 (64 bit)
  • UEFI Revocation List File for arm64

After these hashes are added to the Secure Boot DBX on your device, those applications will no longer be allowed to load.

Important This site hosts files for every architecture. Each hosted file includes only the hashes of applications that apply to the specific architecture. You must apply one of these files to every device, but make sure that you apply the file that is relevant to its architecture. Although it is technically possible to apply an update for a different architecture, not installing the appropriate update will leave the device unprotected.

More information


Applying a DBX update on Windows

After you read the warnings and verify that your device is compatible, follow these steps to update the Secure Boot DBX:

  1. Download the appropriate UEFI Revocation List File (Dbxupdate.bin) for your platform from https://uefi.org/revocationlistfile
  2. You will have to split the Dbxupdate.bin file into the necessary components in order to apply them by using PowerShell cmdlets. To do this, follow these steps
    1. Download the PowerShell script from https://aka.ms/DbxSplitScript.
    2. Run the following PowerShell script on the Dbxupdate.bin file:
         SplitDbxAuthInfo.ps1 “c:\path\to\file\dbxupdate.bin”         
    3. Verify that the command created the following files:
      • Content.bin – update contents
      • Signature.p7 – signature authorizing the update process
  3. In an administrative PowerShell session, run the Set-SecureBootUefi cmdlet to apply the DBX update:

    Set-SecureBootUefi -Name dbx -ContentFilePath .\content.bin -SignedFilePath .\signature.p7 -Time 2010-03-06T19:17:21Z -AppendWrite
  4. Restart the device to complete the process

For more information about the Secure Boot configuration cmdlet and how to use it for DBX updates, see Set-SecureBootUEFI.
 

Applying a DBX update on Linux

There are multiple open source Linux tools that make it easier to directly apply a DBX updates binary. Use the recommended tool for your distribution to apply the appropriate DBX file for the CPU architecture, and then restart your device. 

Red Hat hosts the following update tool on GitHub:

https://github.com/rhboot/dbxtool

For Ubuntu-based systems, the tool is pre-installed. Run the following commands after you download the Dbxupdate binary:

$ sudo cp ./dbxupdate_amd64.bin /usr/share/secureboot//updates/dbx/test.bin

$ sudo apt install --reinstall  secureboot-db