On July 29, 2020, Microsoft published security advisory ADV200011, which describes a new vulnerability related to Secure Boot. Devices that trust the Microsoft third-party Unified Extensible Firmware Interface (UEFI) Certificate Authority (CA) in their Secure Boot configuration may be susceptible to an attacker who has administrative privileges or physical access to the device.
This article provides guidance for applying the latest Secure Boot DBX revocation list, which invalidates the vulnerable boot modules by adding their hashes to the forbidden-signatures database (DBX). Microsoft plans to push an update through Windows Update to address this vulnerability after further testing in 2021.
The Secure Boot update binaries are hosted on https://uefi.org/revocationlistfile.
The posted files are as follows:
- UEFI Revocation List File for x86 (32 bit)
- UEFI Revocation List File for x64 (64 bit)
- UEFI Revocation List File for arm64
Each file contains the hashes of the affected boot applications. After these hashes are added to the Secure Boot DBX on your device, the firmware will no longer allow those applications to load.
Important: This site hosts files for every architecture. Each hosted file includes only the hashes of applications that apply to that specific architecture. You must apply one of these files to every device, but make sure that you apply the file that matches the device's architecture. Although it is technically possible to apply an update for a different architecture, a device that does not receive the update for its own architecture remains unprotected.
Read the main advisory article about this vulnerability before you try any of these steps. Incorrectly applying DBX updates could prevent your device from starting.
You should follow these steps only if both of the following conditions are true:
- You have verified that your device trusts the third-party UEFI CA in its Secure Boot configuration. You can check this by running the following line from an administrative PowerShell session; it returns True when the Secure Boot db contains the Microsoft Corporation UEFI CA 2011 certificate:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft Corporation UEFI CA 2011'
- You do not rely on starting any of the boot applications that are blocked by this update (for example, an unpatched Linux bootloader on a dual-boot device whose hash is in the revocation list).
Applying a DBX update on Windows
After you read the warnings and verify that your device is compatible, follow these steps to update the Secure Boot DBX:
- Download the appropriate UEFI Revocation List File (Dbxupdate.bin) for your platform from https://uefi.org/revocationlistfile.
- Split the Dbxupdate.bin file into the two components that the PowerShell cmdlet needs. To do this, follow these steps:
- Download the PowerShell script from https://aka.ms/DbxSplitScript.
- Run the following PowerShell script on the Dbxupdate.bin file:
- Verify that the script created the following files:
- Content.bin – update contents (the signature-list data that is appended to the DBX)
- Signature.p7 – signature authorizing the update process
- In an administrative PowerShell session, run the Set-SecureBootUEFI cmdlet to apply the DBX update. The -Time value is the timestamp embedded in the signed update and is covered by the signature, so leave it exactly as shown; -AppendWrite adds the new entries to the existing DBX instead of replacing it:
Set-SecureBootUefi -Name dbx -ContentFilePath .\content.bin -SignedFilePath .\signature.p7 -Time 2010-03-06T19:17:21Z -AppendWrite
- Restart the device to complete the process.
For more information about the Secure Boot configuration cmdlet and how to use it for DBX updates, see Set-SecureBootUEFI.
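The split step above works because Dbxupdate.bin is an EFI_VARIABLE_AUTHENTICATION_2 structure: an EFI_TIME, a WIN_CERTIFICATE_UEFI_GUID carrying a detached PKCS#7 signature, and then the EFI_SIGNATURE_LIST payload that the firmware appends to the DBX. The Python below is an added example and is not Microsoft's DbxSplitScript or any distribution's tool. It parses that layout, performs the same split into Content.bin and Signature.p7, recovers the embedded timestamp in the form that -Time expects, lists the SHA-256 hashes the update revokes, and reports which of them a device's current DBX still lacks (a useful pre- and post-check). The update blob, the two "bootloader" hashes and the signature bytes are constructed inline for the example; a real file carries a Microsoft-signed PKCS#7, and this script does not verify that signature, which the firmware does against the KEK when the variable is written. To run the comparison against a real device, feed it the bytes of `(Get-SecureBootUEFI dbx).bytes` on Windows, or on Linux the contents of /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f after stripping the 4-byte attribute prefix.

```python
"""Added example: split a UEFI DBX update (EFI_VARIABLE_AUTHENTICATION_2) into
signature and content, list the SHA-256 hashes it revokes, and diff against a DBX."""
import hashlib
import struct
import uuid

# GUIDs and sizes from the UEFI specification (authenticated variables, signature lists)
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
EFI_TIME_SIZE = 16         # EFI_TIME that leads EFI_VARIABLE_AUTHENTICATION_2
WIN_CERT_HDR_SIZE = 8      # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType
ESL_HDR_SIZE = 28          # EFI_SIGNATURE_LIST: SignatureType GUID + three UINT32 sizes
SHA256_SIG_SIZE = 16 + 32  # EFI_SIGNATURE_DATA: SignatureOwner GUID + 32-byte hash


def split_auth2(blob: bytes):
    """Return (timestamp for -Time, PKCS#7 DER, payload) from an EFI_VARIABLE_AUTHENTICATION_2 blob.
    The timestamp is covered by the signature, so it must be passed through unchanged."""
    if len(blob) < EFI_TIME_SIZE + WIN_CERT_HDR_SIZE + 16:
        raise ValueError("blob too short for EFI_VARIABLE_AUTHENTICATION_2")
    year, month, day, hour, minute, second = struct.unpack_from("<HBBBBB", blob, 0)
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", blob, EFI_TIME_SIZE)
    if cert_type != WIN_CERT_TYPE_EFI_GUID:
        raise ValueError(f"unexpected wCertificateType 0x{cert_type:04x}")
    guid_off = EFI_TIME_SIZE + WIN_CERT_HDR_SIZE
    if uuid.UUID(bytes_le=blob[guid_off:guid_off + 16]) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("AuthInfo.CertType is not EFI_CERT_TYPE_PKCS7_GUID")
    sig_end = EFI_TIME_SIZE + dw_length  # dwLength spans header, GUID and PKCS#7 data
    if dw_length < WIN_CERT_HDR_SIZE + 16 or sig_end > len(blob):
        raise ValueError("dwLength out of range")
    timestamp = f"{year:04d}-{month:02d}-{day:02d}T{hour:02d}:{minute:02d}:{second:02d}Z"
    return timestamp, blob[guid_off + 16:sig_end], blob[sig_end:]


def sha256_hashes(content: bytes):
    """Walk the EFI_SIGNATURE_LISTs in a DBX payload; return hex SHA-256 entries in order."""
    hashes, off = [], 0
    while off < len(content):
        if off + ESL_HDR_SIZE > len(content):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=content[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", content, off + 16)
        body_len = list_size - ESL_HDR_SIZE - hdr_size
        if body_len < 0 or off + list_size > len(content) or sig_size == 0 or body_len % sig_size:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        if sig_type == EFI_CERT_SHA256_GUID:  # other list types (e.g. X.509) are skipped
            if sig_size != SHA256_SIG_SIZE:
                raise ValueError("bad SignatureSize for SHA-256 list")
            body = content[off + ESL_HDR_SIZE + hdr_size:off + list_size]
            for i in range(0, body_len, sig_size):
                hashes.append(body[i + 16:i + sig_size].hex())  # skip SignatureOwner GUID
        off += list_size
    return hashes


def missing_from_dbx(update_content: bytes, current_dbx: bytes):
    """Hashes the update revokes that the device's current DBX does not yet contain."""
    present = set(sha256_hashes(current_dbx))
    return [h for h in sha256_hashes(update_content) if h not in present]


def write_split(update_path, content_path="Content.bin", signature_path="Signature.p7"):
    """File-level equivalent of the split step: write the two inputs Set-SecureBootUEFI needs."""
    with open(update_path, "rb") as f:
        timestamp, signature, content = split_auth2(f.read())
    with open(content_path, "wb") as f:
        f.write(content)
    with open(signature_path, "wb") as f:
        f.write(signature)
    return timestamp


# --- Constructed sample data (not a real dbxupdate.bin) --------------------------------
def build_esl(hashes):
    """Build one EFI_CERT_SHA256 signature list; SignatureOwner is zeroed in this sample."""
    body = b"".join(bytes(16) + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", ESL_HDR_SIZE + len(body), 0, SHA256_SIG_SIZE) + body


def build_auth2(ts, signature, content):
    """Wrap content in an EFI_VARIABLE_AUTHENTICATION_2 header around a placeholder PKCS#7."""
    efi_time = struct.pack("<HBBBBBBIhBB", *ts, 0, 0, 0, 0, 0)  # pad, ns, tz, daylight, pad
    win_cert = struct.pack("<IHH", WIN_CERT_HDR_SIZE + 16 + len(signature), 0x0200, WIN_CERT_TYPE_EFI_GUID)
    return efi_time + win_cert + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + signature + content


SAMPLE_HASHES = [hashlib.sha256(b"fake-bootloader-a").digest(), hashlib.sha256(b"fake-bootloader-b").digest()]
SAMPLE_SIGNATURE = b"\x30\x82placeholder-pkcs7"  # a real file carries a Microsoft-signed PKCS#7 here
SAMPLE_UPDATE = build_auth2((2010, 3, 6, 19, 17, 21), SAMPLE_SIGNATURE, build_esl(SAMPLE_HASHES))
SAMPLE_CURRENT_DBX = build_esl(SAMPLE_HASHES[:1])  # the device already blocks the first hash only

if __name__ == "__main__":
    ts, sig, payload = split_auth2(SAMPLE_UPDATE)
    print(f"timestamp {ts}  signature {len(sig)} bytes  content {len(payload)} bytes")
    print("revoked:", sha256_hashes(payload))
    print("not yet in DBX:", missing_from_dbx(payload, SAMPLE_CURRENT_DBX))
```

Running the same comparison after the reboot, with `missing_from_dbx` returning an empty list, confirms that every hash in the update landed in the variable; a non-empty list after the update means the firmware rejected or truncated the append and the device is not protected.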
Applying a DBX update on Linux
Several open source Linux tools apply a DBX update binary directly. Use the tool recommended for your distribution to apply the DBX file for your CPU architecture, and then restart the device.
Red Hat hosts the following update tool on GitHub:
For Ubuntu-based systems, the tool is pre-installed: the secureboot-db package applies any update placed in /usr/share/secureboot/updates/dbx/ when the package is installed or reinstalled. Run the following commands after you download the Dbxupdate binary:
$ sudo cp ./dbxupdate_amd64.bin /usr/share/secureboot/updates/dbx/test.bin
$ sudo apt install --reinstall secureboot-db
For more information, refer to your Linux distribution provider's advisory:
- Canonical: https://ubuntu.com/security/notices/USN-4432-1
- Debian: https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot
- Red Hat: https://access.redhat.com/security/vulnerabilities/grub2bootloader
Applies to
- Windows 10 for 32-bit Systems
- Windows 10 for x64-based Systems
- Windows 10 Version 2004 for 32-bit Systems
- Windows 10 Version 2004 for ARM64-based Systems
- Windows 10 Version 2004 for x64-based Systems
- Windows 10 Version 1909 for 32-bit Systems
- Windows 10 Version 1909 for ARM64-based Systems
- Windows 10 Version 1909 for x64-based Systems
- Windows 10 Version 1903 for 32-bit Systems
- Windows 10 Version 1903 for ARM64-based Systems
- Windows 10 Version 1903 for x64-based Systems
- Windows 10 Version 1809 for 32-bit Systems
- Windows 10 Version 1809 for ARM64-based Systems
- Windows 10 Version 1809 for x64-based Systems
- Windows 10 Version 1803 for 32-bit Systems
- Windows 10 Version 1803 for ARM64-based Systems
- Windows 10 Version 1803 for x64-based Systems
- Windows 10 Version 1709 for 32-bit Systems
- Windows 10 Version 1709 for ARM64-based Systems
- Windows 10 Version 1709 for x64-based Systems
- Windows 10 Version 1607 for 32-bit Systems
- Windows 10 Version 1607 for x64-based Systems
- Windows 8.1 for 32-bit systems
- Windows 8.1 for x64-based systems
- Windows RT 8.1
- Windows Server, version 2004 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
- Windows Server, version 1903 (Server Core installation)
- Windows Server 2019
- Windows Server 2019 (Server Core installation)
- Windows Server 2016
- Windows Server 2016 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 R2 (Server Core installation)
- Windows Server 2012
- Windows Server 2012 (Server Core installation)