[External] Re: [BUG] blacklist: Problem blacklisting hash (-13) during boot

[Mark Pearson]

Hi all,

On 2/27/23 09:36, Jeremy Kerr wrote:
> Hi Mark,
>
>
>> I've been looking at this and the FW team are claiming that it's not
>> caused by duplicate entries in the dbx table, which is honestly a bit
>> confusing.
>>
>> We've been doing some more digging - but is there a possibility this
>> is caused by something else?
> I can't quite trace where the EACCES is coming from, I can't see any
> obvious causes there - the blacklist key type doesn't have an ->update
> operation, and the assoc_array insert doesn't look like it would fail.
>
> However: if I delete one of the duplicate keys using the bios UI, then
> the number of errors logged decreases by one.
>
Got to the bottom of this, after a longer exercise than it should have 
been. I have some answers.

The entries are indeed duplicated in our DBX. The reason for this is the 
FW team took three different DBX list published by UEFI forum in 
different time series and combined them. They did this as they found 
some distinct hashes in previously published ones and chose to combine 
them for safety/completeness sake.

I haven't myself dug into the revocation lists hosted on 
https://uefi.org/revocationlistfile but it sounds like there was some 
churn there? The FW team agreed that duplicates should not have been 
created.

The FW team have pushed back on doing another update for this generation 
of platforms. Updating the DBX to make these changes, particularly 
removing entries, will apparently be difficult. I prodded a bit into the 
details but given the issue is essentially cosmetic I do understand 
their concerns (the last DBX update caused enough issues...I'm not sure 
I want to go through it again in a hurry).

They have said they will fix the tables for future platforms.

Hope that helps

Mark