Comment 0 for bug 1776996

A signed variable update for secureboot dbx has been published by Microsoft to uefi.org; last updated 2016-08-11: http://www.uefi.org/sites/default/files/resources/dbxupdate.zip

This file has not been included in the secureboot-db package in Ubuntu; so users who only boot Ubuntu and not Windows will not have these revocations applied, meaning their firmware will trust (and possibly be exploitable by) whatever binaries these revoked hashes correspond to.

Separately, I seem in testing to be unable to apply this signed database update to my system using sbkeysync, despite having the Microsoft CA in my KEK. So it's possible that sbkeysync doesn't work; we may need to either fix it, or switch to other code that does work, such as the dbxtool in Fedora.