Red Hat Bugzilla – Bug 870144
shim: revocations and "dbx" variable updates
Last modified: 2013-10-24 22:28:42 EDT
We need a way to revoke bad signatures, so that the signature on the "shim" EFI application doesn't have to be revoked, which would result in a lot of pain.
shim checks for revocations via the "dbx" variable (and provides a service to grub2), but we currently do not update the "dbx" variable, and we do not seem to be able to blacklist individual kernel modules.
The contents of the "dbx" variable are maintained externally and cryptographically protected, so we'll have to synchronize kernel and grub2 updates addressing Secure Boot issues with an external party. Doing our own revocation processing in addition to the "dbx" checks seems preferable.
(This obviously extends beyond the shim component, but I want to file it somewhere so that this does not get lost.)
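To make the "dbx" check the report refers to concrete, here is an added example (not shim's code and not part of the bug report) that parses the chain of EFI_SIGNATURE_LIST structures a "dbx" variable holds and tests whether a given SHA-256 hash is revoked. The efivarfs path layout and the GUID constants are standard UEFI values; the owner GUID and hashes used in the self-test are constructed.

```python
import struct
import uuid

# Standard UEFI signature-type GUIDs (EFI_CERT_SHA256_GUID, EFI_CERT_X509_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# "dbx" lives under EFI_IMAGE_SECURITY_DATABASE_GUID; efivarfs prefixes 4 attribute bytes.
DBX_EFIVARFS = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
SIGLIST_HDR = 16 + 4 + 4 + 4  # SignatureType + ListSize + HeaderSize + SignatureSize


def load_dbx(path=DBX_EFIVARFS):
    """Read the raw variable from efivarfs, dropping the 4-byte attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


def parse_signature_lists(blob):
    """Return [(sig_type, owner, data)] for every EFI_SIGNATURE_DATA in the blob."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if sig_size < 16 or list_size < SIGLIST_HDR + hdr_size or off + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        body = blob[off + SIGLIST_HDR + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])  # SignatureOwner
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def is_revoked(entries, sha256_digest):
    """True if an EFI_CERT_SHA256 entry matches (shim compares the image's PE hash)."""
    return any(t == EFI_CERT_SHA256_GUID and d == sha256_digest for t, _, d in entries)


def build_sha256_list(owner, digests):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (constructed test data, not a real dbx)."""
    sig_size = 16 + 32
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", SIGLIST_HDR + sig_size * len(digests), 0, sig_size)
    return header + b"".join(owner.bytes_le + d for d in digests)
```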
There's no actual bug here...