Re: [External] Re: [BUG] blacklist: Problem blacklisting hash (-13) during boot

From: Mark Pearson
Date: Tue Mar 07 2023 - 08:46:47 EST


Hi all,

On 2/27/23 09:36, Jeremy Kerr wrote:
> Hi Mark,
>
> > I've been looking at this and the FW team are claiming that it's not
> > caused by duplicate entries in the dbx table, which is honestly a bit
> > confusing.
> >
> > We've been doing some more digging - but is there a possibility this
> > is caused by something else?
>
> I can't quite trace where the EACCES is coming from, I can't see any
> obvious causes there - the blacklist key type doesn't have an ->update
> operation, and the assoc_array insert doesn't look like it would fail.
>
> However: if I delete one of the duplicate keys using the bios UI, then
> the number of errors logged decreases by one.

Got to the bottom of this, after a longer exercise than it should have been. I have some answers.

The entries are indeed duplicated in our DBX. The reason for this is the FW team took three different DBX lists published by the UEFI forum at different times and combined them. They did this as they found some distinct hashes in previously published ones and chose to combine them for safety/completeness' sake.

I haven't myself dug into the revocation lists hosted on https://uefi.org/revocationlistfile but it sounds like there was some churn there? The FW team agreed that duplicates should not have been created.

The FW team have pushed back on doing another update for this generation of platforms. Updating the DBX to make these changes, particularly removing entries, will apparently be difficult. I prodded a bit into the details but given the issue is essentially cosmetic I do understand their concerns (the last DBX update caused enough issues...I'm not sure I want to go through it again in a hurry).

They have said they will fix the tables for future platforms.

Hope that helps

Mark
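Added example, not code from this thread, from Lenovo's firmware team or from the kernel: a small Python script that walks a dbx variable in EFI_SIGNATURE_LIST format and reports which SHA-256 hashes appear more than once, which is the check a platform owner would want before concluding that a firmware update merged overlapping UEFI revocation lists. The efivarfs path and the 4-byte attribute prefix it strips are assumptions about a standard Linux layout; the sample dbx is constructed inline (three overlapping lists, mirroring the situation described above) so the script runs without firmware access.

```python
"""Detect duplicate signature entries in a UEFI dbx (chain of EFI_SIGNATURE_LISTs)."""
import hashlib
import struct
import uuid
from collections import Counter

# Signature type GUID for raw SHA-256 image hashes (UEFI spec, EFI_CERT_SHA256_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Assumption: efivarfs exposes dbx here, prefixed with 4 bytes of variable attributes.
DBX_EFIVARS_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
ESL_HEADER_LEN = 28  # SignatureType GUID (16) + ListSize, HeaderSize, SignatureSize (3 x u32)


def parse_esl(blob):
    """Return a list of (signature_type, owner_guid, signature_data) for every entry.

    The blob is one or more EFI_SIGNATURE_LISTs back to back; each list holds a
    header, an optional SignatureHeader, then fixed-size EFI_SIGNATURE_DATA records
    (16-byte SignatureOwner GUID followed by the signature bytes).
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < ESL_HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size < 16:
            raise ValueError(f"SignatureSize {sig_size} too small for an owner GUID")
        body = blob[off + ESL_HEADER_LEN + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"signature area at offset {off} is not a multiple of {sig_size}")
        for i in range(0, len(body), sig_size):
            rec = body[i:i + sig_size]
            entries.append((sig_type, uuid.UUID(bytes_le=rec[:16]), rec[16:]))
        off += list_size
    return entries


def find_duplicates(entries):
    """Map (signature_type, signature_data) -> occurrence count, for counts above one."""
    counts = Counter((t, data) for t, _owner, data in entries)
    return {key: n for key, n in counts.items() if n > 1}


def surplus_entries(entries):
    """Number of entries beyond the first copy of each hash (one per redundant record)."""
    return sum(n - 1 for n in find_duplicates(entries).values())


def build_esl(sig_type, hashes, owner=uuid.UUID(int=0)):
    """Build one EFI_SIGNATURE_LIST of SHA-256 records (used for the constructed sample)."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    return sig_type.bytes_le + struct.pack("<III", ESL_HEADER_LEN + len(body), 0, 16 + 32) + body


def sample_dbx():
    """Constructed dbx: three revocation lists concatenated, with hashes common to several."""
    h = [hashlib.sha256(f"constructed-image-{i}".encode()).digest() for i in range(4)]
    return (build_esl(EFI_CERT_SHA256_GUID, [h[0], h[1]])
            + build_esl(EFI_CERT_SHA256_GUID, [h[1], h[2]])
            + build_esl(EFI_CERT_SHA256_GUID, [h[0], h[2], h[3]]))


def load_efivar(path=DBX_EFIVARS_PATH):
    """Read a variable from efivarfs and drop the 4-byte attribute prefix (assumed layout)."""
    with open(path, "rb") as f:
        return f.read()[4:]


if __name__ == "__main__":
    import sys
    blob = load_efivar() if len(sys.argv) > 1 and sys.argv[1] == "--efivars" else sample_dbx()
    entries = parse_esl(blob)
    dups = find_duplicates(entries)
    print(f"{len(entries)} entries, {len(dups)} distinct hashes duplicated, "
          f"{surplus_entries(entries)} redundant records")
    for (sig_type, data), n in dups.items():
        print(f"  x{n} {data.hex()}  ({sig_type})")
```

Run without arguments to see the constructed sample; run with `--efivars` on a Linux host to inspect the live dbx. The "redundant records" figure is the one to compare against the number of blacklist errors logged at boot, since the observation above was that removing a single duplicate entry reduced the error count by one.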