Re: Rescatux 0.41b1 released with UEFI rescue options
On 04/24/2017 11:02 AM, Lee Fisher wrote:
> On 04/22/2017 02:25 PM, adrian15 wrote:
> Nice to see more pre-boot diagnostics available! Here are a few things
> I'd like to see in a Rescatux (or inside D-I for that matter):
One more I forgot:
6) Check UEFI DBX revocation file for bad Secure Boot certs
Have an option to download the latest DBX file from UEFI.org, the UEFI
Secure Boot revocation file. UEFI does not use CRL/OCSP, you have to
periodically grab this file and check it against your system's keys,
updating it. It does not update often, so you could cache a copy on your
rescue distro image, if you need to work offline.
I believe Peter Jones of Red Hat had a dbxtool that is useful for Red
Hat systems, unclear if this can be used on Debian systems. I am not
sure how hardware-dependent and/or OS-dependent this is.
If you don't update your system with these updated keys, it is like
using a browser with a bunch of bad CA root keys. Only commercial OSes
check for this, no community Linux distros, AFAICT. It'd be great to
have a rescue distro to help with this.
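The check described above, as an added example that is not code from Rescatux, dbxtool or the original post: it parses the EFI_SIGNATURE_LIST structures that make up dbx, skips the authentication header that the downloadable update file carries, and reports which revocation entries the firmware's dbx lacks. The two blobs at the bottom are constructed fixtures; on a live system the firmware copy would be read from efivarfs (assumed path /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f, skipping its 4-byte attribute prefix) and the newer copy would be the file downloaded from uefi.org.

```python
import struct
import uuid
# SignatureType GUIDs from the UEFI spec (EFI_SIGNATURE_LIST) plus the PKCS7 WIN_CERTIFICATE type GUID.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
KNOWN_TYPES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}

def strip_auth_header(data):
    """Skip the EFI_VARIABLE_AUTHENTICATION_2 wrapper (EFI_TIME + WIN_CERTIFICATE_UEFI_GUID) of a dbx update file."""
    if len(data) >= 16 and uuid.UUID(bytes_le=data[:16]) in KNOWN_TYPES:
        return data                                      # bare signature lists, e.g. read from efivarfs
    dw_length = struct.unpack_from("<I", data, 16)[0]    # WIN_CERTIFICATE.dwLength, right after EFI_TIME
    return data[16 + dw_length:]

def parse_signature_lists(data):
    """Yield (kind, owner_guid, payload) for every EFI_SIGNATURE_DATA entry in the blob."""
    data = strip_auth_header(data)
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or sig_size <= 16 or off + list_size > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + 28 + hdr_size
        while pos + sig_size <= off + list_size:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield KNOWN_TYPES.get(sig_type, str(sig_type)), owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off += list_size

def missing_revocations(system_dbx, latest_dbx):
    """Entries in the newer dbx that the firmware's dbx (assumed efivarfs path dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f, minus its 4 attribute bytes) lacks."""
    have = {(kind, payload) for kind, _, payload in parse_signature_lists(system_dbx)}
    return [(k, p) for k, _, p in parse_signature_lists(latest_dbx) if (k, p) not in have]

def build_sha256_list(hashes, owner=uuid.UUID(int=0)):
    """Constructed fixture: one EFI_SIGNATURE_LIST of SHA-256 entries (16-byte owner + 32-byte hash)."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body

def wrap_auth2(payload, cert_data=b"not-a-real-pkcs7-blob"):
    """Constructed fixture: the EFI_VARIABLE_AUTHENTICATION_2 header that the UEFI Forum file carries."""
    win_cert = struct.pack("<IHH", 24 + len(cert_data), 0x0200, 0x0EF1) + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + cert_data
    return bytes(16) + win_cert + payload                # bytes(16) stands in for the EFI_TIME field

# Constructed sample: the firmware's dbx knows hash H1; the newer download also revokes H2.
H1, H2 = bytes([0x11]) * 32, bytes([0x22]) * 32
SYSTEM_DBX = build_sha256_list([H1])
LATEST_DBX = wrap_auth2(build_sha256_list([H1, H2]))
```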