Software Delivery Repository

Software Delivery Repository   |   Getting Started   |   FAQ  |  Repositories

Hexane Secure Boot key updater for Linux

The HPE hexane package will update your HPE server's Secure Boot database.


From time to time, vulnerabilities are discovered in bootloaders, kernels and efi executables. Updating your hardware's DBX database ensures this compromised code can never boot. Additionally, older servers will also receive an updated permissive database (DB) including the latest HPE code-signing key used to sign HPE Linux drivers.


Keep in mind that some older (August 2020) boot environments from HPE will no longer boot with Secure Boot enabled after the system DBX is updated. This includes older versions of the



Secureboot vulnerabilities remediated by the current version of Hexane:


Additional industry-wide DBX hashes are available from uefi.org's UEFI DBX Revocation List


If Secure Boot is disabled (less secure) on your HPE server, updating the SecureBoot database has no effect, and this update is not necessary.


Usage


hexane.sh   [options]
    --test  Compare system variables with hashes provided by this version of hexane
    --flash  Update DBX with hashes/keys provided in /usr/share/hpe/secureboot/dbx
    --help  More information about HPE DBX updates.



  Browse


Subscribe RPM-based systems to the hexane repository

Cut-n-paste the following section (substituting distribution, architecture and project version) into /etc/yum.repos.d/hexane.repo (RedHat) or /etc/zypper.repos.d/hexane.repo (SUSE) on your system:


[hexane]
name=Hexane DBX updater
baseurl=http://downloads.linux.hpe.com/repo/hexane/dist/dist_ver/x86_64/current/
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-hexane


Where:

   dist          RedHat, SUSE 
   dist_ver      8, 7, 12, 15
        


Subscribe Deb-based systems to the hexane repository

Cut-n-paste the following section (substituting distribution, architecture and project version) into /etc/apt/sources.list.d/hexane.list on your system:


# HPE Hexane DBX updater
deb http://downloads.linux.hpe.com/SDR/repo/hexane dist/current contrib


Where:

   dist             focal, bionic, buster
        


Install the HPE public gpg key

apt-key add https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub


Update the local apt indexes

# apt-get update


Install a Hexane

# apt-get install hexane



Customer requested features and tips


Set export HEXANE_FLASH=true to update the system DBX as the rpm/deb package installs.



Examples


# hexane.sh --flash   Note: Last line "Inserting key update" (success)
.
.
.
    87e51b556514e8a74476c38e728c6ee000d0d8f52e5b5a81ccbb25e5a016f54a
     from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
    d2d3eb4abe615fbe688de3805ec200b83fa5988912f3b66ea8c5077968962deb
     from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
    9288e76794ac137234ef162f02397ff30e7f96f6037beddfd721e9ed6e0a014c
     from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
New keys in filesystem:
 /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HP2013KEK.bin
Inserting key update /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HP2013KEK.bin into dbx


# hexane.sh --test    Note: "New keys in filesystem" and not in DBX (insecure) . . . d2d3eb4abe615fbe688de3805ec200b83fa5988912f3b66ea8c5077968962deb from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin 9288e76794ac137234ef162f02397ff30e7f96f6037beddfd721e9ed6e0a014c from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin New keys in filesystem: /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HP2013KEK.bin


# hexane.sh --test    Note: No "New keys in filesystem" (secure) . . . d2d3eb4abe615fbe688de3805ec200b83fa5988912f3b66ea8c5077968962deb from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin 9288e76794ac137234ef162f02397ff30e7f96f6037beddfd721e9ed6e0a014c from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin New keys in filesystem:





Hexane was derrived from Canonical's sbsigntools, and licensed on the GPL.

Contact