Software Delivery Repository
Software Delivery Repository | Getting Started | FAQ | RepositoriesHexane Secure Boot key updater for Linux
|
The HPE hexane package will update your HPE server's Secure Boot database. From time to time, vulnerabilities are discovered in bootloaders, kernels and efi executables. Updating your hardware's DBX database ensures this compromised code can never boot. Additionally, older servers (Gen9) will also receive an updated permissive database (DB) including the latest HPE code-signing key used to sign HPE Linux drivers. Keep in mind that some older (prior to March 2021) boot environments from HPE will no longer boot with Secure Boot enabled after the system DBX is updated. This includes older versions of the
DBX hashes provided by Hexane to remediate the following CVEs which apply to older HPE boot media:
DB/KEK permissive database keys, required for Gen9 servers if using HPE drivers compiled after 2020:
Additional industry-wide DBX hashes are available from uefi.org's UEFI DBX Revocation List If Secure Boot is disabled (less secure) on your HPE server, updating the SecureBoot database has no effect, and this update is not necessary.
Usagehexane.sh [options]
|
Browse |
Subscribe RPM-based systems to the hexane repository
Cut-n-paste the following section (substituting distribution, architecture and project version)
into /etc/yum.repos.d/hexane.repo (RedHat) or /etc/zypper.repos.d/hexane.repo (SUSE) on your system:
[hexane]
name=Hexane DBX updater
baseurl=http://downloads.linux.hpe.com/repo/hexane/dist/dist_ver/x86_64/current/
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-hexane
Where:
dist RedHat, SUSE
dist_ver 8, 7, 12, 15
Subscribe Deb-based systems to the hexane repository
Cut-n-paste the following section (substituting distribution, architecture and project version)
into /etc/apt/sources.list.d/hexane.list on your system:
# HPE Hexane DBX updater
deb http://downloads.linux.hpe.com/SDR/repo/hexane dist/current contrib
Where:
dist focal, bionic, buster
Install the HPE public gpg key
apt-key add https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub
Update the local apt indexes
# apt-get update
Install a Hexane
# apt-get install hexane
Customer requested features and tips
Set export HEXANE_FLASH=true to update the system DBX as the rpm/deb package installs.
Examples
# hexane.sh --flash Note: Last line "Inserting key update" (success)
.
.
.
87e51b556514e8a74476c38e728c6ee000d0d8f52e5b5a81ccbb25e5a016f54a
from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
d2d3eb4abe615fbe688de3805ec200b83fa5988912f3b66ea8c5077968962deb
from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
9288e76794ac137234ef162f02397ff30e7f96f6037beddfd721e9ed6e0a014c
from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
New keys in filesystem:
/usr/share/hpe/secureboot//dbx/dbxupdate20200715_HP2013KEK.bin
Inserting key update /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HP2013KEK.bin into dbx
# hexane.sh --test Note: "New keys in filesystem" and not in DBX (insecure)
.
.
.
d2d3eb4abe615fbe688de3805ec200b83fa5988912f3b66ea8c5077968962deb
from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
9288e76794ac137234ef162f02397ff30e7f96f6037beddfd721e9ed6e0a014c
from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
New keys in filesystem:
/usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
/usr/share/hpe/secureboot//dbx/dbxupdate20200715_HP2013KEK.bin
# hexane.sh --test Note: No "New keys in filesystem" (secure)
.
.
.
d2d3eb4abe615fbe688de3805ec200b83fa5988912f3b66ea8c5077968962deb
from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
9288e76794ac137234ef162f02397ff30e7f96f6037beddfd721e9ed6e0a014c
from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
New keys in filesystem:
Hexane was derrived from Canonical's sbsigntools,
and licensed under the GPL.