
Re: UEFI Revocation List being distributed by Debian


Appreciate your response. 

On May 7, 2020 00:26, Florian Weimer <fw@deneb.enyo.de> wrote:


* Paul Wise:

> This sort of data is liable to be out of date if included in the
> source code of fwupd, I think this should be separate to fwupd in the
> same way that tzdata is separate to glibc and DNSSEC root keys are
> separate to DNS servers and the web PKI CAs should be separate to web
> browsers. I suggest that fwupd download it directly from the UEFI
> website and update the copy within the boot firmware that way.

It also has to be optional and disabled by default because a future
dbx update may be specifically designed to stop Debian systems from
booting.  No Debian user will want to install such an update.

I should clarify that the intent of this database was to measure the OEM's commitment to security. It was not for fwupd to distribute an updated dbx database.

The only time dbx is modified is when known vulnerabilities are disclosed in a signed bootloader.

That type of action to update dbx should be specifically paired with an updated bootloader. Debian currently does not support this, as far as I can tell.
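As an added illustration of what "a bootloader is in dbx" means in practice, the following parser is not from the thread, from fwupd or from Debian. It walks the EFI_SIGNATURE_LIST array that a dbx variable (or the UEFI forum's dbx update file) consists of, collects the EFI_CERT_SHA256 entries, and answers whether a given image digest is revoked. The two GUID constants are the values from the UEFI specification; everything else (the owner GUID, the two digests, the placeholder X.509 blob, the function names) is constructed sample data for this example. Note that real SHA-256 entries in dbx are PE Authenticode digests of the bootloader, not plain hashes of the file bytes, so the caller must supply that digest.

```python
"""Parse a UEFI dbx blob (array of EFI_SIGNATURE_LIST) and test revocation."""
import struct
import uuid
from typing import Dict, List, Tuple

# GUIDs from the UEFI specification (EFI_CERT_SHA256_GUID, EFI_CERT_X509_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Fixed EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian UINT32).
_LIST_HEADER = struct.Struct("<16sIII")

SignatureList = Tuple[uuid.UUID, List[Tuple[uuid.UUID, bytes]]]


def parse_signature_lists(blob: bytes) -> List[SignatureList]:
    """Split a dbx blob into (SignatureType, [(SignatureOwner, SignatureData), ...]).

    Every length field is bounds-checked before use: a dbx read back from the
    firmware or downloaded from the UEFI forum is untrusted input here.
    """
    lists: List[SignatureList] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HEADER.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = _LIST_HEADER.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        if list_size < _LIST_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size < 16:  # each EFI_SIGNATURE_DATA starts with a 16-byte owner GUID
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        body = blob[off + _LIST_HEADER.size + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"signature array is not a multiple of {sig_size} bytes")
        sigs = []
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            sigs.append((owner, body[i + 16:i + sig_size]))
        lists.append((sig_type, sigs))
        off += list_size
    return lists


def revoked_sha256_digests(blob: bytes) -> Dict[str, str]:
    """Map hex digest -> SignatureOwner for every EFI_CERT_SHA256 entry in dbx."""
    out: Dict[str, str] = {}
    for sig_type, sigs in parse_signature_lists(blob):
        if sig_type != EFI_CERT_SHA256_GUID:
            continue  # X.509 and other list types are not hash revocations
        for owner, data in sigs:
            if len(data) != 32:
                raise ValueError("EFI_CERT_SHA256 entry with wrong digest length")
            out[data.hex()] = str(owner)
    return out


def is_revoked(authenticode_sha256: bytes, dbx: bytes) -> bool:
    """True if the image digest is listed in dbx.

    The digest must be the PE Authenticode SHA-256 of the bootloader, which is
    what the firmware compares against db/dbx; a plain hash of the file bytes
    will not match real entries. Computing the Authenticode digest is out of
    scope for this example.
    """
    return authenticode_sha256.hex() in revoked_sha256_digests(dbx)


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID,
                         entries: List[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST (used only to construct sample data)."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all SignatureData in one list must have the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + e for e in entries)
    header = _LIST_HEADER.pack(sig_type.bytes_le, _LIST_HEADER.size + len(body), 0, sig_size)
    return header + body


# Constructed sample dbx (not real revocation data): two revoked digests plus a
# placeholder X.509 list, all under a made-up SignatureOwner GUID.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
REVOKED_A = bytes.fromhex("aa" * 32)
REVOKED_B = bytes.fromhex("bb" * 32)
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [REVOKED_A, REVOKED_B])
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"\x30\x03\x02\x01\x00"])
)

if __name__ == "__main__":
    print("lists:", [(str(t), len(s)) for t, s in parse_signature_lists(SAMPLE_DBX)])
    print("REVOKED_A revoked?", is_revoked(REVOKED_A, SAMPLE_DBX))
    print("unknown digest revoked?", is_revoked(bytes.fromhex("cc" * 32), SAMPLE_DBX))
```

On a live system the same parser can be pointed at the raw variable contents (for example the dbx file under efivarfs, after stripping the 4-byte attribute prefix that efivarfs prepends), and a truncated or inconsistent list is rejected with a ValueError rather than silently producing an empty revocation set.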
