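Patch (Score: 2, Informative)
"Addresses an issue in which a third-party UEFI boot manager might expose UEFI-enabled computers to a security vulnerability"
I wondered what on earth that was supposed to mean, but looking at the File information, it includes a file called Dbxupdate.bin, so it appears to be an update to the UEFI Revocation List File [uefi.org].
An explanation found on Lenovo's site [lenovo.com]: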
In UEFI Secure Boot, the dbx identifies keys that have been revoked and hashes of images that are no longer trusted and may not be loaded. An example of this might be a driver provided by vendor X whose driver exhibits some security vulnerability. Since the driver is signed by a common certificate, it is not possible to remove the certificate as other drivers rely upon it to be validated. Instead, a hash is made of vendor X driver (unique) which is then provided to the dbx and any attempt to load/execute that spe
Re: Patch (Score: 1)
https://twitter.com/ValdikSS/status/1228246175217864704 [twitter.com]
https://gist.github.com/ValdikSS/f054ea82c36551aa76bee4f771f65caf [github.com]
It looks like this is it.
Apparently at least one of the hashes added to the dbx is that of the vulnerable Kaspersky Rescue Disk bootloader.
Re: (Score: 0)
Could the punchline be that the parent commenter's environment was being run in a vulnerable state, with its security software never updated?
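An added example, not part of the thread and not Microsoft's or Lenovo's code: the dbx hash lookup described in the Lenovo text quoted above, applied to a file laid out like the Dbxupdate.bin mentioned in the first comment (an EFI_VARIABLE_AUTHENTICATION_2 header followed by EFI_SIGNATURE_LIST structures, per the UEFI specification). The helper names and the sample blob are constructed for illustration. Real dbx SHA-256 entries are Authenticode hashes of PE images rather than flat file hashes, and this sketch does not verify the update's signature.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

def strip_auth_header(blob: bytes) -> bytes:
    """Skip EFI_VARIABLE_AUTHENTICATION_2: EFI_TIME (16 bytes) + WIN_CERTIFICATE."""
    if len(blob) < 24:
        raise ValueError("too short for an authenticated variable update")
    (cert_len,) = struct.unpack_from("<I", blob, 16)  # dwLength covers the whole certificate
    if cert_len < 24 or 16 + cert_len > len(blob):
        raise ValueError("bad WIN_CERTIFICATE length")
    return blob[16 + cert_len:]

def sha256_entries(lists: bytes) -> set:
    """Walk consecutive EFI_SIGNATURE_LIST structures and collect SHA-256 digests."""
    found, off = set(), 0
    while off < len(lists):
        if len(lists) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=lists[off:off + 16])  # GUIDs are stored mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", lists, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(lists) or sig_size < 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos, end = off + 28 + hdr_size, off + list_size
        if sig_type == EFI_CERT_SHA256 and sig_size == 48:  # 16-byte owner GUID + 32-byte digest
            while pos + sig_size <= end:
                found.add(lists[pos + 16:pos + 48].hex())
                pos += sig_size
        off += list_size  # lists of other types (e.g. X.509) are skipped
    return found

def is_revoked(image_digest: bytes, update: bytes) -> bool:
    """True if the digest appears in any SHA-256 signature list of the update."""
    return image_digest.hex() in sha256_entries(strip_auth_header(update))

def build_sample(digests) -> bytes:
    """Constructed input: zeroed EFI_TIME, empty certificate body, one SHA-256 list."""
    body = b"".join(bytes(16) + d for d in digests)
    sig_list = EFI_CERT_SHA256.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body
    win_cert = struct.pack("<IHH", 24, 0x0200, 0x0EF1) + bytes(16)
    return bytes(16) + win_cert + sig_list

# Constructed digests standing in for a revoked and an unrelated image
REVOKED = hashlib.sha256(b"constructed vulnerable bootloader").digest()
OTHER = hashlib.sha256(b"constructed unrelated image").digest()
SAMPLE = build_sample([REVOKED])
```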