Update or view the UEFI Secure Boot forbidden signature list (dbx)

Article ID: 313838

Products

VMware vSphere ESXi

Issue/Introduction

The UEFI revocation list file, available at https://uefi.org/revocationlistfile, contains the now-revoked signatures of previously approved and signed firmware and software used in booting systems with UEFI Secure Boot enabled. VMware has provided tools that customers can use to update the Secure Boot Forbidden Signature Database, dbx, on an ESXi Host with the contents of the latest revocation list.

Environment

VMware vSphere ESXi 7.0.x

Resolution

To update dbx, use /usr/lib/vmware/uefi/bin/updateDBX. To view the current contents of dbx or another signature database in human-readable format, use /usr/lib/vmware/uefi/bin/parseDB. Running either tool without command-line arguments prints usage instructions.

If your ESXi version does not include these tools in /usr/lib/vmware/uefi/bin, you can download them from UEFI Secure Boot DBX Tools. They work only on ESXi 7.0 and later.
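For readers who want to cross-check a signature database independently, the following added example (not VMware's code and not part of the original article) parses the EFI_SIGNATURE_LIST layout that the UEFI specification defines for databases such as dbx. It assumes raw signature-list bytes with no authentication header in front; the function names, owner GUID and digests are constructed for illustration.

```python
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
TYPE_NAMES = {EFI_CERT_SHA256_GUID: "SHA256", EFI_CERT_X509_GUID: "X509"}
LIST_HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size


def parse_signature_lists(blob):
    """Return (type_name, owner_guid, data_hex) for every entry in the blob."""
    entries, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(blob, offset)
        body = list_size - LIST_HEADER.size - hdr_size
        # Reject sizes that would read past the buffer or never advance.
        if list_size > len(blob) - offset or sig_size <= 16 or body < 0 or body % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        sig_type = uuid.UUID(bytes_le=raw_type)  # GUIDs are stored mixed-endian
        name = TYPE_NAMES.get(sig_type, str(sig_type))
        start = offset + LIST_HEADER.size + hdr_size
        for pos in range(start, offset + list_size, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            data = blob[pos + 16:pos + sig_size]
            entries.append((name, str(owner), data.hex()))
        offset += list_size
    return entries


def build_sha256_list(owner, digests):
    """Build a constructed SHA-256 signature list for the demonstration."""
    sig_size = 16 + 32  # owner GUID + SHA-256 digest
    body = b"".join(owner.bytes_le + d for d in digests)
    header = LIST_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le,
                              LIST_HEADER.size + len(body), 0, sig_size)
    return header + body


# Constructed sample: owner GUID and digests are made up, not real revocations.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_BLOB = build_sha256_list(SAMPLE_OWNER, [bytes([0xAA]) * 32, bytes([0xBB]) * 32])

if __name__ == "__main__":
    for sig_type, owner, digest in parse_signature_lists(SAMPLE_BLOB):
        print(sig_type, owner, digest)
```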