Software Delivery Repository


Hexane Secure Boot DBX updater for Linux

The HPE hexane package updates your HPE server's Secure Boot DBX database to include forbidden hashes and keys from HPE. From time to time, vulnerabilities are discovered in bootloaders, kernels and EFI executables. Updating your server's DBX database ensures this compromised code can never boot.


Keep in mind that older boot environments from HPE will no longer boot with Secure Boot enabled after the system DBX is updated. This includes old versions of the



NOTICE: Through mid-August 2020, the above products are being rebuilt and tested to patch the grub2 BootHole (CVE-2020-10713) and insmod (CVE-2020-7205) vulnerabilities. DO NOT UPDATE YOUR HARDWARE'S DBX (forbidden signatures database) if you plan on using the above products with Secure Boot enabled during this period. The current version of hexane/DBX forbids BootHole/insmod-vulnerable products from HPE (and only HPE) from loading.


If Secure Boot is disabled (less secure) on your HPE server, updating the DBX (Secure Boot forbidden signature database) has no effect, and this update is not necessary.


Usage


hexane.sh   [options]
    --test  Compare system DBX with hashes provided by this version of hexane
    --flash  Update DBX with hashes/keys provided in /usr/share/hpe/secureboot/dbx
    --help  More information about HPE DBX updates.





Subscribe RPM-based systems to the hexane repository

Cut and paste the following section (substituting distribution, architecture and project version) into /etc/yum.repos.d/hexane.repo (RedHat) or /etc/zypper.repos.d/hexane.repo (SUSE) on your system. As written, gpgcheck=0 disables package signature checking, so the gpgkey line is not used.


[hexane]
name=Hexane DBX updater
baseurl=http://downloads.linux.hpe.com/repo/hexane/dist/dist_ver/x86_64/current/
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-hexane


Where:

   dist          RedHat, SUSE 
   dist_ver      8, 7, 12, 15
        


Subscribe Deb-based systems to the hexane repository

Cut and paste the following section (substituting distribution, architecture and project version) into /etc/apt/sources.list.d/hexane.list on your system:


# HPE Hexane DBX updater
deb http://downloads.linux.hpe.com/SDR/repo/hexane dist/current contrib


Where:

   dist             bionic, buster
        


Install the HPE public gpg key

# curl -fsSL https://downloads.linux.hpe.com/SDR/hpePublicKey2048_key1.pub | apt-key add -


Update the local apt indexes

# apt-get update


Install hexane

# apt-get install hexane



Customer requested features and tips


Set export HEXANE_FLASH=true to update the system DBX as the rpm/deb package installs.



Examples


Note: Last line "Inserting key update" (success)

# hexane.sh --flash
.
.
.
    87e51b556514e8a74476c38e728c6ee000d0d8f52e5b5a81ccbb25e5a016f54a
     from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
    d2d3eb4abe615fbe688de3805ec200b83fa5988912f3b66ea8c5077968962deb
     from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
    9288e76794ac137234ef162f02397ff30e7f96f6037beddfd721e9ed6e0a014c
     from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
New keys in filesystem:
 /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HP2013KEK.bin
Inserting key update /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HP2013KEK.bin into dbx


Note: "New keys in filesystem" and not in DBX (insecure)

# hexane.sh --test
.
.
.
    d2d3eb4abe615fbe688de3805ec200b83fa5988912f3b66ea8c5077968962deb
     from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
    9288e76794ac137234ef162f02397ff30e7f96f6037beddfd721e9ed6e0a014c
     from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
New keys in filesystem:
 /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
 /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HP2013KEK.bin


Note: No "New keys in filesystem" (secure)

# hexane.sh --test
.
.
.
    d2d3eb4abe615fbe688de3805ec200b83fa5988912f3b66ea8c5077968962deb
     from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
    9288e76794ac137234ef162f02397ff30e7f96f6037beddfd721e9ed6e0a014c
     from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
New keys in filesystem:
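
The --test reading described in the examples above can be automated for a fleet compliance check. This is an added example, not part of HPE's page or the hexane package; the function names and the parsing rule (every path after the "New keys in filesystem:" marker is a pending update file) are assumptions drawn from the sample output shown here.

```shell
#!/bin/sh
# Added example (not HPE code): turn `hexane.sh --test` output into a pass/fail check.
# Assumption: the report ends with a "New keys in filesystem:" marker followed by
# zero or more DBX update file paths, as in the sample runs on this page.

# Reads --test output on stdin and prints each pending update file, one per line.
# Exit status: 0 = nothing pending, 1 = updates pending,
#              2 = marker missing (unrecognized output; never report this as secure).
pending_dbx_updates() {
    awk '
        /^New keys in filesystem:/ {
            seen = 1
            sub(/^New keys in filesystem:[ \t]*/, "")  # drop the marker, keep any path
        }
        seen { for (i = 1; i <= NF; i++) { print $i; n++ } }
        END {
            if (!seen) exit 2
            if (n > 0) exit 1
            exit 0
        }
    '
}

# Constructed samples modelled on the two --test runs shown above.
SAMPLE_PENDING='    d2d3eb4abe615fbe688de3805ec200b83fa5988912f3b66ea8c5077968962deb
     from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
New keys in filesystem:
 /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
 /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HP2013KEK.bin'
SAMPLE_CURRENT='    d2d3eb4abe615fbe688de3805ec200b83fa5988912f3b66ea8c5077968962deb
     from /usr/share/hpe/secureboot//dbx/dbxupdate20200715_HPE2016KEK.bin
New keys in filesystem:'

# Hypothetical wrapper for a host with hexane installed; a failed or missing
# hexane.sh yields no marker, so the check fails closed with status 2.
check_host() { hexane.sh --test 2>/dev/null | pending_dbx_updates; }

# Demo on the constructed samples (safe to run anywhere).
for sample in "$SAMPLE_PENDING" "$SAMPLE_CURRENT" "hexane.sh: not found"; do
    if files=$(printf '%s\n' "$sample" | pending_dbx_updates); then
        echo "DBX current"
    else
        rc=$?
        [ "$rc" -eq 1 ] && echo "DBX stale, pending:" $files || echo "check failed ($rc)"
    fi
done
```

Status 2 is kept distinct from status 0 so that a host where hexane is missing or its output format has changed is never counted as up to date.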

