= Proposed System Wide Change: UEFI Secure Boot Blacklist Updates =
https://fedoraproject.org/wiki/Changes/UEFISecureBootBlacklistUpdates

Change owner(s): Peter Jones <pjones@xxxxxxxxxx>

Currently our implementation of UEFI Secure Boot does not include a facility, enabled by default, to apply blacklist ("dbx") updates. We provide a utility, dbxtool, which uses a systemd service to apply updates, and when there are updates we update that package with the new data. dbxtool is currently not installed on UEFI machines by default, and when it is installed, its systemd service does not default to enabled.

== Detailed Description ==
In UEFI Secure Boot, the ability for a pre-boot binary such as a bootloader or hardware maintenance utility to be executed is determined by a whitelist ("db") of binaries and cryptographic signing certificates, as well as a blacklist ("dbx") of binaries and signing certificates which are no longer considered valid. When a signed binary is discovered to have vulnerabilities which allow it to be used to circumvent the Secure Boot security model, and thus render the system unable to prevent execution of pre-boot malware, the UEFI CA, in coordination with the UEFI Security Response Team (USRT) and the relevant software vendor, must undertake remedial action. The software vendor must fix the vulnerability and issue a new version of the software, and the old software must be blocked from execution on applicable machines.

The first task is up to the vendor in question. Once the new version is ready (or when sufficient time has passed), if a vulnerability is being actively exploited or has a sufficiently high likelihood of being so, the UEFI CA issues a blacklist entry in the form of an update to the UEFI variable "dbx". That update is a cryptographically signed list of binaries and/or signing certificates in a format which may be appended to a specific UEFI variable.

Currently Fedora includes the dbxtool [1] utility for updating the UEFI dbx blacklist.
The dbxtool package includes the most recent UEFI CA blacklist update (each update includes all data, so previous versions are not required) and a systemd service to ensure the update is applied to the system. Currently dbxtool is not installed by default on applicable systems, and when it is installed, its service is not enabled by default.

This change principally takes place in three packages:
* shim-signed must include a dependency on dbxtool
* dbxtool must have systemd %pre and %post scriptlets added
* systemd must include dbxtool.service in its 90-default.preset

== Scope ==
* Proposal owners: Implement proposed change
* Other developers: potentially the systemd-maint team, though I think I can commit the applicable change there.
* Release engineering: N/A
* Policies and guidelines: If we're keeping a list somewhere of things allowed to have system preset services, dbxtool should be added.

[1] https://github.com/vathpela/dbxtool

_______________________________________________
devel-announce mailing list
devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel-announce
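The dbx format the proposal describes, as an added example that is not part of the proposal or of dbxtool's own code: db and dbx are stored as a chain of EFI_SIGNATURE_LIST structures, a signed UEFI CA update carries that chain behind an EFI_VARIABLE_AUTHENTICATION_2 header (timestamp plus PKCS#7 signature), and efivarfs exposes the live variable with a 4-byte attribute word in front. The code below parses all three layers and looks an image digest up in the parsed blacklist. The GUIDs and structure layouts are the UEFI specification's; the sample dbx, the owner GUID, the "image" bytes, the placeholder certificate bytes and the dummy PKCS#7 blob are constructed here and are not real UEFI CA data.

```python
import hashlib
import os
import struct
import uuid

# Well-known GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
# Vendor GUID of the db and dbx variables; efivarfs names the file dbx-<GUID>.
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")
DBX_EFIVARFS_PATH = "/sys/firmware/efi/efivars/dbx-%s" % EFI_IMAGE_SECURITY_DATABASE_GUID

SIG_LIST_HDR = 16 + 4 + 4 + 4   # SignatureType GUID + SignatureListSize/HeaderSize/Size
EFI_TIME_SIZE = 16
WIN_CERT_TYPE_EFI_GUID = 0x0EF1


def parse_signature_lists(blob):
    """Return [(SignatureType, SignatureOwner, SignatureData)] for a chain of EFI_SIGNATURE_LISTs.
    Every size field is checked so a malformed variable cannot read past the buffer or loop forever."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIG_LIST_HDR or off + list_size > len(blob) or SIG_LIST_HDR + hdr_size > list_size:
            raise ValueError("bad list/header size at offset %d" % off)
        if sig_size <= 16:   # each EFI_SIGNATURE_DATA is a 16-byte owner GUID plus the data
            raise ValueError("bad SignatureSize %d at offset %d" % (sig_size, off))
        body = blob[off + SIG_LIST_HDR + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area not a multiple of SignatureSize at offset %d" % off)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def strip_efivarfs_attributes(raw):
    """efivarfs prefixes a variable's data with its UINT32 attribute word."""
    if len(raw) < 4:
        raise ValueError("efivarfs file too short")
    return struct.unpack_from("<I", raw)[0], raw[4:]


def strip_auth2_header(update):
    """Return the signature-list payload of an EFI_VARIABLE_AUTHENTICATION_2 update file.
    Layout: EFI_TIME, then WIN_CERTIFICATE_UEFI_GUID (dwLength, wRevision, wCertificateType,
    CertType GUID, CertData). The PKCS#7 signature is not verified here; firmware checks it
    against KEK when the variable is written."""
    if len(update) < EFI_TIME_SIZE + 24:
        raise ValueError("update too short for EFI_VARIABLE_AUTHENTICATION_2")
    dw_length, _revision, cert_kind = struct.unpack_from("<IHH", update, EFI_TIME_SIZE)
    cert_type = uuid.UUID(bytes_le=update[EFI_TIME_SIZE + 8:EFI_TIME_SIZE + 24])
    if cert_kind != WIN_CERT_TYPE_EFI_GUID or cert_type != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("not a PKCS#7 authenticated variable update")
    if dw_length < 24 or EFI_TIME_SIZE + dw_length > len(update):
        raise ValueError("bad WIN_CERTIFICATE dwLength %d" % dw_length)
    return update[EFI_TIME_SIZE + dw_length:]


def is_blacklisted(dbx_entries, image_digest):
    """True if a SHA-256 dbx entry equals the image's digest (Authenticode digest for real PE images)."""
    return any(t == EFI_CERT_SHA256_GUID and d == image_digest for t, _, d in dbx_entries)


def summarize(entries):
    """Count entries per signature type, e.g. {'sha256': 1, 'x509': 1}."""
    names = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
    counts = {}
    for sig_type, _, _ in entries:
        key = names.get(sig_type, str(sig_type))
        counts[key] = counts.get(key, 0) + 1
    return counts


# ---- constructed sample data (not a real UEFI CA update) ----
CONSTRUCTED_OWNER = uuid.UUID("00000000-1111-2222-3333-444444444444")
REVOKED_IMAGE = b"constructed stand-in for a revoked bootloader image"
FIXED_IMAGE = b"constructed stand-in for the vendor's fixed bootloader"


def build_signature_list(sig_type, owner, items):
    """Pack equally sized items into one EFI_SIGNATURE_LIST with SignatureHeaderSize = 0."""
    sig_size = 16 + len(items[0])
    body = b"".join(owner.bytes_le + item for item in items)
    return sig_type.bytes_le + struct.pack("<III", SIG_LIST_HDR + len(body), 0, sig_size) + body


def constructed_dbx():
    """Sample dbx: one SHA-256 entry (raw hash stands in for an Authenticode digest) and one
    X.509 entry whose bytes are a placeholder, not a real DER certificate."""
    hashes = build_signature_list(EFI_CERT_SHA256_GUID, CONSTRUCTED_OWNER,
                                  [hashlib.sha256(REVOKED_IMAGE).digest()])
    certs = build_signature_list(EFI_CERT_X509_GUID, CONSTRUCTED_OWNER, [b"\x30\x82" + b"\x00" * 30])
    return hashes + certs


def constructed_update():
    """constructed_dbx() wrapped like a signed update file: zeroed EFI_TIME, WIN_CERTIFICATE_UEFI_GUID
    with dummy CertData standing in for the PKCS#7 SignedData."""
    cert_data = b"\x00" * 8
    win_cert = (struct.pack("<IHH", 24 + len(cert_data), 0x0200, WIN_CERT_TYPE_EFI_GUID)
                + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + cert_data)
    return b"\x00" * EFI_TIME_SIZE + win_cert + constructed_dbx()


if __name__ == "__main__":
    # On a UEFI machine with efivarfs mounted, inspect the live dbx; otherwise use the sample.
    if os.path.exists(DBX_EFIVARFS_PATH):
        with open(DBX_EFIVARFS_PATH, "rb") as f:
            _attrs, data = strip_efivarfs_attributes(f.read())
    else:
        data = strip_auth2_header(constructed_update())
    entries = parse_signature_lists(data)
    print(summarize(entries))
    print("revoked image blocked:", is_blacklisted(entries, hashlib.sha256(REVOKED_IMAGE).digest()))
```

Run as a script it reads the live dbx through efivarfs when one is present (a dbx has attributes NV|BS|RT|TIME_BASED_AUTHENTICATED_WRITE_ACCESS, 0x27, in that leading word) and falls back to the constructed sample otherwise. When checking a real bootloader against a real dbx, compute the PE image's Authenticode digest rather than a hash of the file bytes, since that is what the SHA-256 entries hold.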