# Secure Boot Audit Tool

This tool exists to help a user audit the Secure Boot revocation list (dbx) on their system.

Limitations:
- Currently only supports Windows
- The audit is only as good as the uefi.org csv file

This tool has three primary stages:
- Get the dbx from UEFI
- Convert the UEFI.org csv (xlsx) of revocations to JSON format for comparison
- Parse the dbx file and compare it against the uefi.org revocation sheet
## Stage 1 (Retrieve the dbx file from your system)

Retrieve the dbx file from your system (as of right now this only works on Windows-based systems):
```bash
python SecureBootReport.py get dbx
INFO:root:Wrote .\SecureBootFiles\dbx.bin
```
The retrieved dbx.bin is the raw contents of the dbx variable (i.e., it is unsigned, not the signed authenticated-variable blob).

## Stage 2 (Convert the UEFI.org Excel Sheet)
```bash
python SecureBootReport.py convert_file dbx_info_2020_2023_uefiorg_v3.xlsx
INFO:root:Wrote report to .\SecureBootFiles\uefi_org_revocations.json
```
Flags:
- `--output` [not required]: redirects the output to a new path and name

## Stage 3 (Parse the dbx using the revocations list)
```bash
python secureboot_audit.py parse_dbx dbx.bin uefi_org_revocations.json --filter-by-arch x86_64
INFO:root:Wrote report to .\SecureBootFiles\dbx_report.json
```
## Understanding the output
```json
{
"identified": {
"dict": {
"C805603C4FA038776E42F263C604B49D96840322E1922D5606A9B0BBB5BFFE6F": {
"flat_hash_sha256": "2DF05C41ACC56D0F4C9371DA62EC6CB311C9AFB84B4A4D8C3738583CCC874D38",
"component": "BOOTX64.EFI",
"arch": "x86_64",
"partner": " Cisco Systems Inc.",
"type": "authenticode",
"cves": "CVE-2020-10713; CVE-2020-14308; CVE-2020-14309; CVE-2020-14310; CVE-2020-14311; CVE-2020-15705; CVE-2020-15706; CVE-2020-15707",
"date": "July 2020",
"authority": "Microsoft Corporation UEFI CA 2011",
"links": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-10713",
"https://nvd.nist.gov/vuln/detail/CVE-2020-14308",
"https://nvd.nist.gov/vuln/detail/CVE-2020-14309",
"https://nvd.nist.gov/vuln/detail/CVE-2020-14310",
"https://nvd.nist.gov/vuln/detail/CVE-2020-14311",
"https://nvd.nist.gov/vuln/detail/CVE-2020-15705",
"https://nvd.nist.gov/vuln/detail/CVE-2020-15706",
"https://nvd.nist.gov/vuln/detail/CVE-2020-15707"
]
}, // ...
},
"total": 183,
"note": "Represents all the hashes found in a systems dbx that match a provided revocation"
},
"missing_protections": {
"dict": {
"56FB79AAB26EE9D0E0CA372FB86A8BB459ACBC505D0AB35E6A632A3D5F88DCB3": {
"flat_hash_sha256": "AA6F27B8B2CA5826F497362042C003B5E1D7CA22383D82730FBC5C45E048D839",
"component": "bootia32.efi",
"arch": "x86",
"partner": "Neverware",
"type": "authenticode",
"cves": "CVE-2020-10713; CVE-2020-14308; CVE-2020-14309; CVE-2020-14310; CVE-2020-14311; CVE-2020-15705; CVE-2020-15706; CVE-2020-15707",
"date": "July 2020",
"authority": "Microsoft Corporation UEFI CA 2011",
"links": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-10713",
"https://nvd.nist.gov/vuln/detail/CVE-2020-14308",
"https://nvd.nist.gov/vuln/detail/CVE-2020-14309",
"https://nvd.nist.gov/vuln/detail/CVE-2020-14310",
"https://nvd.nist.gov/vuln/detail/CVE-2020-14311",
"https://nvd.nist.gov/vuln/detail/CVE-2020-15705",
"https://nvd.nist.gov/vuln/detail/CVE-2020-15706",
"https://nvd.nist.gov/vuln/detail/CVE-2020-15707"
]
}, // ...
},
"total": 54,
"note": "The remaining hashes in the provided revocation list that were not found in the system dbx"
},
"not_found": {
"list": [
"F52F83A3FA9CFBD6920F722824DBE4034534D25B8507246B3B957DAC6E1BCE7A",
// ...
],
"total": 84,
"note": "The hashes that were found in the dbx that are not in the provided revocation list"
}
}
```
The output is broken up into three sections:
- `identified`: all the hashes in a system's dbx that match a revocation in the provided revocation list
- `missing_protections`: all the revocations in the provided revocation list that do not appear in the system's dbx
- `not_found`: all the hashes that were in the dbx but were not in the provided revocation list

Flags:
- `--output` [not required]: redirects the output to a new path and name
- `--format` [not required]: switches the output between `json` and `xlsx` format
- `--filter-by-arch` [not required]: filters the revocation list by `x86`, `x86_64`, `arm` or `arm64`; if left off, no architecture filter is applied (`None`)
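As an added illustration of what Stage 3 does (example code written for this page, not the tool's own implementation), the following parses a raw dbx blob in the UEFI EFI_SIGNATURE_LIST format, pulls out its SHA-256 entries and compares them against a revocation map keyed by hash, producing the same three sections as the report above. The sample dbx and revocation entries are constructed in the block; the `arch` filter mirrors `--filter-by-arch`.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI spec; bytes_le is the on-disk mixed-endian layout.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328").bytes_le
# EFI_SIGNATURE_LIST header: SignatureType GUID, then ListSize/HeaderSize/SignatureSize (UINT32 LE).
LIST_HDR = struct.Struct("<16sIII")
OWNER_LEN = 16  # each EFI_SIGNATURE_DATA entry starts with a 16-byte SignatureOwner GUID

def parse_dbx(blob):
    """Walk the signature lists in a raw dbx blob; return its SHA-256 entries as upper-case hex."""
    hashes, off = [], 0
    while off + LIST_HDR.size <= len(blob):
        sig_type, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(blob, off)
        if list_size < LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"truncated or malformed signature list at offset {off}")
        body = blob[off + LIST_HDR.size + hdr_size:off + list_size]
        if sig_type == EFI_CERT_SHA256_GUID:  # other list types (e.g. X.509 certs) are skipped
            if sig_size != OWNER_LEN + 32 or len(body) % sig_size:
                raise ValueError(f"malformed SHA256 list at offset {off}")
            for i in range(0, len(body), sig_size):
                hashes.append(body[i + OWNER_LEN:i + sig_size].hex().upper())
        off += list_size
    return hashes

def compare(dbx_hashes, revocations, arch=None):
    """Build identified / missing_protections / not_found, optionally filtered by arch."""
    if arch is not None:
        revocations = {h: m for h, m in revocations.items() if m.get("arch") == arch}
    present = set(dbx_hashes)
    identified = {h: m for h, m in revocations.items() if h in present}
    missing = {h: m for h, m in revocations.items() if h not in present}
    not_found = sorted(present - revocations.keys())
    return {"identified": {"dict": identified, "total": len(identified)},
            "missing_protections": {"dict": missing, "total": len(missing)},
            "not_found": {"list": not_found, "total": len(not_found)}}

def build_dbx(digests):
    """Constructed sample dbx: one EFI_CERT_SHA256 list holding the given digests."""
    entries = b"".join(b"\x00" * OWNER_LEN + d for d in digests)
    return LIST_HDR.pack(EFI_CERT_SHA256_GUID, LIST_HDR.size + len(entries), 0, OWNER_LEN + 32) + entries

# Constructed sample data: digests derived from labels, not real revoked binaries.
A, B, C = (hashlib.sha256(s).digest() for s in (b"revoked-a", b"revoked-b", b"unlisted-c"))
SAMPLE_DBX = build_dbx([A, C])
SAMPLE_REVOCATIONS = {
    A.hex().upper(): {"component": "example64.efi", "arch": "x86_64"},
    B.hex().upper(): {"component": "example32.efi", "arch": "x86"},
}
```

Running `compare(parse_dbx(SAMPLE_DBX), SAMPLE_REVOCATIONS)` places A under `identified`, B under `missing_protections` and C under `not_found`; a real dbx.bin from Stage 1 and the JSON from Stage 2 (keyed by the same hashes) can be dropped in the same way.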