On Jan 15, 2021, at 10:21 AM, James Bottomley [off-list ref] wrote:

On Tue, 2020-09-15 at 20:49 -0400, Eric Snowberg wrote:

quoted

The Secure Boot Forbidden Signature Database, dbx, contains a list of
now revoked signatures and keys previously approved to boot with UEFI
Secure Boot enabled.  The dbx is capable of containing any number of
EFI_CERT_X509_SHA256_GUID, EFI_CERT_SHA256_GUID, and
EFI_CERT_X509_GUID entries.

Currently when EFI_CERT_X509_GUID are contained in the dbx, the
entries are skipped.

Add support for EFI_CERT_X509_GUID dbx entries. When a
EFI_CERT_X509_GUID is found, it is added as an asymmetrical key to
the .blacklist keyring. Anytime the .platform keyring is used, the
keys in the .blacklist keyring are referenced, if a matching key is
found, the key will be rejected.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>

If you're using shim, as most of our users are, you have no access to
dbx to blacklist certificates.  Plus our security envelope includes the
Mok variables, so you should also be paying attestion to MokListX (or
it's RT equivalent: MokListXRT).

If you add this to the patch, we get something that is mechanistically
complete and which also allows users to add certs to their Mok
blacklist.

That make sense. I’ll work on a patch to add this ability.