Add some missing dbx files, and fix up some invalid dates

Many thanks to Youfu Zhang! Fixes #4
fwupd · Mar 12, 2024 · b6c6f98 · b6c6f98
1 parent 078c53a
commit b6c6f98
Show file tree

Hide file tree

Showing 17 changed files with 159 additions and 12 deletions.
diff --git a/DBXUpdate-20100307.x64.bin → DBXUpdate-20131210.ia32+x64.bin b/DBXUpdate-20100307.x64.bin → DBXUpdate-20131210.ia32+x64.bin
diff --git a/DBXUpdate-20140413.x64.bin → DBXUpdate-2014-04-13-22-14-00.bin b/DBXUpdate-20140413.x64.bin → DBXUpdate-2014-04-13-22-14-00.bin
diff --git a/DBXUpdate-20140227.ia32+x64.bin b/DBXUpdate-20140227.ia32+x64.bin
diff --git a/DBXUpdate-20140513.ia32+x64.bin b/DBXUpdate-20140513.ia32+x64.bin
diff --git a/DBXUpdate-20160809.x64.bin → DBXUpdate-20160809.ia32+x64+arm+aa64.bin b/DBXUpdate-20160809.x64.bin → DBXUpdate-20160809.ia32+x64+arm+aa64.bin
diff --git a/DBXUpdate-20200211.ia32+x64+arm+aa64.bin b/DBXUpdate-20200211.ia32+x64+arm+aa64.bin
diff --git a/DBXUpdate-20200211.x64.bin b/DBXUpdate-20200211.x64.bin
diff --git a/DBXUpdate-20201012.x64.bin b/DBXUpdate-20201012.x64.bin
diff --git a/DBXUpdate-20201012.x64.metainfo.xml b/DBXUpdate-20201012.x64.metainfo.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Copyright 2022 Richard Hughes <[email protected]> -->
+<component type="firmware">
+  <id>org.linuxfoundation.dbx.x64.firmware</id>
+  <name>Secure Boot dbx</name>
+  <name_variant_suffix>x64</name_variant_suffix>
+  <summary>UEFI Secure Boot Forbidden Signature Database</summary>
+  <description>
+    <p>
+      Updating the UEFI dbx prevents starting EFI binaries with known security issues.
+    </p>
+  </description>
+  <provides>
+    <!-- Microsoft Corporation KEK CA 2011 -
+    UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64 -->
+    <firmware type="flashed">f8ba2887-9411-5c36-9cee-88995bb39731</firmware>
+  </provides>
+  <url type="homepage">https://uefi.org/revocationlistfile</url>
+  <metadata_license>CC0-1.0</metadata_license>
+  <project_license>proprietary</project_license>
+  <developer_name>Microsoft Corporation</developer_name>
+  <releases>
+    <!-- for the version use `fwupdtool firmware-parse foo.bin efi-signature-list` -->
+    <release urgency="high" version="183" date="2020-10-12">
+      <checksum filename="DBXUpdate-20201012.x64.bin" target="content"/>
+      <description>
+        <p>
+          An insecure version of software from Cisco has been added to the list of forbidden
+          signatures due to a discovered security problem.
+          This updates the dbx to the latest release from Microsoft.
+        </p>
+        <p>
+          Before installing the update, fwupd will check for any affected executables
+          in the ESP and will refuse to update if it finds any boot binaries signed
+          with any of the forbidden signatures.
+        </p>
+      </description>
+      <issues>
+        <issue type="cve">CVE-2023-28005</issue>
+      </issues>
+    </release>
+  </releases>
+  <requires>
+    <id compare="ge" version="1.8.14">org.freedesktop.fwupd</id>
+  </requires>
+  <custom>
+    <value key="LVFS::UpdateProtocol">org.uefi.dbx</value>
+    <value key="LVFS::VersionFormat">number</value>
+  </custom>
+  <categories>
+    <category>X-Configuration</category>
+  </categories>
+</component>
diff --git a/DBXUpdate-20220812.ia32.bin → DBXUpdate-20220809.ia32.bin b/DBXUpdate-20220812.ia32.bin → DBXUpdate-20220809.ia32.bin
diff --git a/DBXUpdate-20220812.x64.bin → DBXUpdate-20220809.x64.bin b/DBXUpdate-20220812.x64.bin → DBXUpdate-20220809.x64.bin
diff --git a/DBXUpdate-20230314.aa64.bin → DBXUpdate-20220907.aa64.bin b/DBXUpdate-20230314.aa64.bin → DBXUpdate-20220907.aa64.bin
diff --git a/DBXUpdate-20220907.aa64.metainfo.xml b/DBXUpdate-20220907.aa64.metainfo.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Copyright 2022 Richard Hughes <[email protected]> -->
+<component type="firmware">
+  <id>org.linuxfoundation.dbx.aa64.firmware</id>
+  <name>Secure Boot dbx</name>
+  <name_variant_suffix>aa64</name_variant_suffix>
+  <summary>UEFI Secure Boot Forbidden Signature Database</summary>
+  <description>
+    <p>
+      Updating the UEFI dbx prevents starting EFI binaries with known security issues.
+    </p>
+  </description>
+  <provides>
+    <!-- Microsoft Corporation KEK CA 2011 -
+    UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_AA64 -->
+    <firmware type="flashed">67d35028-ca5b-5834-834a-f97380381082</firmware>
+  </provides>
+  <url type="homepage">https://uefi.org/revocationlistfile</url>
+  <metadata_license>CC0-1.0</metadata_license>
+  <project_license>proprietary</project_license>
+  <developer_name>Microsoft Corporation</developer_name>
+  <releases>
+    <!-- for the version use `fwupdtool firmware-parse foo.bin efi-signature-list` -->
+    <release urgency="high" version="22" date="2022-09-07">
+      <checksum filename="DBXUpdate-20220907.aa64.bin" target="content"/>
+      <description>
+        <p>
+          An insecure version of software from VMware has been added to the list of forbidden
+          signatures due to a discovered security problem.
+          This updates the dbx to the latest release from Microsoft.
+        </p>
+        <p>
+          Before installing the update, fwupd will check for any affected executables
+          in the ESP and will refuse to update if it finds any boot binaries signed
+          with any of the forbidden signatures.
+        </p>
+      </description>
+      <issues>
+        <issue type="cve">CVE-2023-28005</issue>
+      </issues>
+    </release>
+  </releases>
+  <requires>
+    <id compare="ge" version="1.8.14">org.freedesktop.fwupd</id>
+  </requires>
+  <custom>
+    <value key="LVFS::UpdateProtocol">org.uefi.dbx</value>
+    <value key="LVFS::VersionFormat">number</value>
+  </custom>
+  <categories>
+    <category>X-Configuration</category>
+  </categories>
+</component>
diff --git a/DBXUpdate-20220907.x64.bin b/DBXUpdate-20220907.x64.bin
diff --git a/DBXUpdate-20220907.x64.metainfo.xml b/DBXUpdate-20220907.x64.metainfo.xml
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- Copyright 2022 Richard Hughes <[email protected]> -->
+<component type="firmware">
+  <id>org.linuxfoundation.dbx.x64.firmware</id>
+  <name>Secure Boot dbx</name>
+  <name_variant_suffix>x64</name_variant_suffix>
+  <summary>UEFI Secure Boot Forbidden Signature Database</summary>
+  <description>
+    <p>
+      Updating the UEFI dbx prevents starting EFI binaries with known security issues.
+    </p>
+  </description>
+  <provides>
+    <!-- Microsoft Corporation KEK CA 2011 -
+    UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64 -->
+    <firmware type="flashed">f8ba2887-9411-5c36-9cee-88995bb39731</firmware>
+  </provides>
+  <url type="homepage">https://uefi.org/revocationlistfile</url>
+  <metadata_license>CC0-1.0</metadata_license>
+  <project_license>proprietary</project_license>
+  <developer_name>Microsoft Corporation</developer_name>
+  <releases>
+    <!-- for the version use `fwupdtool firmware-parse foo.bin efi-signature-list` -->
+    <release urgency="high" version="218" date="2022-09-07">
+      <checksum filename="DBXUpdate-20220907.x64.bin" target="content"/>
+      <description>
+        <p>
+          An insecure version of software from VMware has been added to the list of forbidden
+          signatures due to a discovered security problem.
+          This updates the dbx to the latest release from Microsoft.
+        </p>
+        <p>
+          Before installing the update, fwupd will check for any affected executables
+          in the ESP and will refuse to update if it finds any boot binaries signed
+          with any of the forbidden signatures.
+        </p>
+      </description>
+      <issues>
+        <issue type="cve">CVE-2023-28005</issue>
+      </issues>
+    </release>
+  </releases>
+  <requires>
+    <id compare="ge" version="1.8.14">org.freedesktop.fwupd</id>
+  </requires>
+  <custom>
+    <value key="LVFS::UpdateProtocol">org.uefi.dbx</value>
+    <value key="LVFS::VersionFormat">number</value>
+  </custom>
+  <categories>
+    <category>X-Configuration</category>
+  </categories>
+</component>
diff --git a/DBXUpdate-20220812.aa64.bin → DBXUpdate-DBXUpdate-20220809.aa64.bin b/DBXUpdate-20220812.aa64.bin → DBXUpdate-DBXUpdate-20220809.aa64.bin
diff --git a/Makefile b/Makefile
@@ -1,16 +1,4 @@
 all:
-	gcab --create --nopath DBXUpdate-20100307-x64.cab DBXUpdate-20100307.x64.bin DBXUpdate-20100307.x64.metainfo.xml
-	gcab --create --nopath DBXUpdate-20140413-x64.cab DBXUpdate-20140413.x64.bin DBXUpdate-20140413.x64.metainfo.xml
-	gcab --create --nopath DBXUpdate-20160809-x64.cab DBXUpdate-20160809.x64.bin DBXUpdate-20160809.x64.metainfo.xml
-	gcab --create --nopath DBXUpdate-20200729-aa64.cab DBXUpdate-20200729.aa64.bin DBXUpdate-20200729.aa64.metainfo.xml
-	gcab --create --nopath DBXUpdate-20200729-ia32.cab DBXUpdate-20200729.ia32.bin DBXUpdate-20200729.ia32.metainfo.xml
-	gcab --create --nopath DBXUpdate-20200729-x64.cab DBXUpdate-20200729.x64.bin DBXUpdate-20200729.x64.metainfo.xml
-	gcab --create --nopath DBXUpdate-20210429-aa64.cab DBXUpdate-20210429.aa64.bin DBXUpdate-20210429.aa64.metainfo.xml
-	gcab --create --nopath DBXUpdate-20210429-ia32.cab DBXUpdate-20210429.ia32.bin DBXUpdate-20210429.ia32.metainfo.xml
-	gcab --create --nopath DBXUpdate-20210429-x64.cab DBXUpdate-20210429.x64.bin DBXUpdate-20210429.x64.metainfo.xml
-	gcab --create --nopath DBXUpdate-20220812-aa64.cab DBXUpdate-20220812.aa64.bin DBXUpdate-20220812.aa64.metainfo.xml
-	gcab --create --nopath DBXUpdate-20220812-ia32.cab DBXUpdate-20220812.ia32.bin DBXUpdate-20220812.ia32.metainfo.xml
-	gcab --create --nopath DBXUpdate-20220812-x64.cab DBXUpdate-20220812.x64.bin DBXUpdate-20220812.x64.metainfo.xml
 	gcab --create --nopath DBXUpdate-20230314-aa64.cab DBXUpdate-20230314.aa64.bin DBXUpdate-20230314.aa64.metainfo.xml
 	gcab --create --nopath DBXUpdate-20230314-ia32.cab DBXUpdate-20230314.ia32.bin DBXUpdate-20230314.ia32.metainfo.xml
 	gcab --create --nopath DBXUpdate-20230314-x64.cab DBXUpdate-20230314.x64.bin DBXUpdate-20230314.x64.metainfo.xml