[Feature]: Audit capability from dbx_info_msft_latest.json and history of DBX information. #359

@sei-vsarvepalli

### Feature Overview

It looks like the DBX has been through many iterations, and the recent ones since BlackLotus and BatonDrop show some significant changes in size and in the ways a binary can be in the DBX list. In our audit we found a number of signatures that were removed, but it is not clear how they were consolidated or resolved. Below is such a list of signatures. I believe these differences will only continue to get bigger with the anticipated roll out, as the Microsoft Corporation UEFI CA 2011 (for third-party apps) and the Microsoft Corporation KEK CA 2011 (for database updates) both technically expire in June 2026.


### Solution Overview

Ideally a DBX history JSON file, say dbx_removed.json or dbx_consolidated.json, is created that shows the removed signatures and their replacements. The schema could be something like the one below.

```json
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "Secure Boot DBX Removed Hashes",
  "description": "Metadata describing authenticode hashes removed from the Microsoft Secure Boot forbidden signature database (DBX).",
  "type": "object",
  "properties": {
    "schemaVersion": {
      "type": "string",
      "description": "Version of this metadata schema."
    },
    "lastUpdated": {
      "type": "string",
      "format": "date",
      "description": "Date the file was last updated."
    },
    "removedEntries": {
      "type": "array",
      "items": {
        "$ref": "#/definitions/removedEntry"
      }
    }
  },
  "required": [
    "schemaVersion",
    "removedEntries"
  ],
  "definitions": {
    "removedEntry": {
      "type": "object",
      "properties": {
        "authenticodeHash": {
          "type": "string",
          "pattern": "^[A-Fa-f0-9]{64}$",
          "description": "SHA256 Authenticode hash previously present in DBX."
        },
        "hashAlgorithm": {
          "type": "string",
          "enum": ["SHA256", "SHA1"],
          "description": "Hash algorithm used."
        },
        "dateAddedToDbx": {
          "type": "string",
          "format": "date",
          "description": "Date the hash was originally added to DBX."
        },
        "dateRemovedFromDbx": {
          "type": "string",
          "format": "date",
          "description": "Date the hash was removed from DBX."
        },
        "removalReason": {
          "type": "string",
          "enum": [
            "ConsolidatedIntoCertificate",
            "SupersededByNewRevocation",
            "ErroneousEntry",
            "Duplicate",
            "Other"
          ]
        },
        "signingAuthority": {
          "type": "string",
          "description": "Subject name of the certificate that signed the original EFI binary."
        },
        "consolidatedSignature": {
          "type": "string",
          "description": "Replacement revocation entry (hash, certificate thumbprint, or other signature identifier)."
        },
        "consolidatedSigningAuthority": {
          "type": "string",
          "description": "Certificate or authority responsible for the consolidated revocation."
        },
        "notes": {
          "type": "string",
          "description": "Optional human-readable explanation for the consolidation or removal."
        },
        "reference": {
          "type": "string",
          "description": "Optional link to advisory, CVE, or commit explaining the change."
        }
      },
      "required": [
        "authenticodeHash",
        "dateRemovedFromDbx",
        "signingAuthority"
      ]
    }
  }
}
```

The ever-growing DBX removed file would then look something like the example below:

```json
{
  "schemaVersion": "1.0",
  "lastUpdated": "2026-07-01",
  "removedBinaryCount": 55,
  "removedEntries": [
    {
      "authenticodeHash": "939aeef4f5fa51e23340c3f2e49048ce8872526afdf752c3a7f3a3f2bc9f6049",
      "flatHash": "413B6134EB5F02E08A70D30097C266A75FFE20EDF0DE1F034121C502727DE934",
      "hashAlgorithm": "SHA256",
      "dateAddedToDbx": "2022-08-09",
      "dateRemovedFromDbx": "2026-06-15",
      "removalReason": "ConsolidatedIntoCertificate",
      "signingAuthority": "Microsoft Corporation UEFI CA 2011",
      "consolidatedSignature": "3A:5F:89:21:6E:9C:3C:4A:2F:91:AA:91:BB:82:44:CC:55:10:AB:DD",
      "consolidatedSigningAuthority": "Microsoft Windows Production PCA 2011",
      "notes": "Hash removed after certificate-level revocation added to DBX to block the entire signing chain.",
      "reference": "https://github.com/microsoft/secureboot_objects/pull/XYZ"
    }
  ]
}
```
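As an added example (not part of this issue or of the secureboot_objects repository), a small Python audit that diffs two dbx_info-style snapshots and checks that every hash that left DBX is explained by an entry in a file of the proposed schema, and that each such entry is internally consistent. The two snapshots, the constructed `AA…`/`BB…` hashes, the `PLACEHOLDER-CERT-THUMBPRINT` value and the helper names are assumptions; only the schema fields and the 77FA9ABD… signing-authority value come from the issue.

```python
import re
from datetime import date

# Constructed sample inputs (not repository data), shaped like two
# dbx_info_msft_latest.json snapshots and the proposed dbx_removed.json.
SIGNING_AUTHORITY = "77FA9ABD-0359-4D32-BD60-28F4E78F784B"  # value taken from the issue's list
H_OLD = "939AEEF4F5FA51E23340C3F2E49048CE8872526AFDF752C3A7F3A3F2BC9F6049"
H_GONE = "AA" * 32  # constructed: leaves DBX with no entry in the removed file
H_NEW = "BB" * 32   # constructed: newly added to DBX
OLD_DBX = [{"authenticodeHash": h, "signingAuthorityHash": SIGNING_AUTHORITY} for h in (H_OLD, H_GONE)]
NEW_DBX = [{"authenticodeHash": H_NEW, "signingAuthorityHash": SIGNING_AUTHORITY}]
REMOVED_FILE = {"schemaVersion": "1.0", "removedEntries": [{
    "authenticodeHash": H_OLD.lower(), "dateAddedToDbx": "2022-08-09",
    "dateRemovedFromDbx": "2026-06-15", "removalReason": "ConsolidatedIntoCertificate",
    "signingAuthority": "Microsoft Corporation UEFI CA 2011",
    "consolidatedSignature": "PLACEHOLDER-CERT-THUMBPRINT"}]}  # placeholder, not a real thumbprint

HASH_RE = re.compile(r"^[A-Fa-f0-9]{64}$")  # pattern from the proposed schema
REQUIRED = ("authenticodeHash", "dateRemovedFromDbx", "signingAuthority")
REASONS = {"ConsolidatedIntoCertificate", "SupersededByNewRevocation",
           "ErroneousEntry", "Duplicate", "Other"}

def dbx_diff(old, new):
    """Hashes that left / entered DBX between two snapshots; hex case is ignored."""
    old_set = {e["authenticodeHash"].upper() for e in old}
    new_set = {e["authenticodeHash"].upper() for e in new}
    return sorted(old_set - new_set), sorted(new_set - old_set)

def entry_problems(entry):
    """Schema-level problems of one removedEntries item (empty list if it is fine)."""
    problems = [f"missing {k}" for k in REQUIRED if k not in entry]
    h = entry.get("authenticodeHash")
    if h is not None and not HASH_RE.match(h):
        problems.append("authenticodeHash is not 64 hex chars")
    reason = entry.get("removalReason")
    if reason is not None and reason not in REASONS:
        problems.append("unknown removalReason")
    if reason == "ConsolidatedIntoCertificate" and not entry.get("consolidatedSignature"):
        problems.append("consolidation without consolidatedSignature")
    try:  # a removal must not be dated before the original addition
        if date.fromisoformat(entry.get("dateRemovedFromDbx", "9999-12-31")) < \
                date.fromisoformat(entry.get("dateAddedToDbx", "0001-01-01")):
            problems.append("dateRemovedFromDbx precedes dateAddedToDbx")
    except ValueError:
        problems.append("date fields are not ISO dates")
    return problems

def audit(old_dbx, new_dbx, removed_file):
    """Every hash that left DBX must be explained by a valid removedEntries item."""
    removed, added = dbx_diff(old_dbx, new_dbx)
    explained = {e.get("authenticodeHash", "").upper(): entry_problems(e)
                 for e in removed_file["removedEntries"]}
    return {"added": added,
            "unexplained": [h for h in removed if h not in explained],
            "invalid": {h: p for h, p in explained.items() if p}}
```

Note the case normalisation: the snapshot lists use upper-case hex while the proposed removed file uses lower-case, so a byte-for-byte comparison would report every consolidated hash as unexplained.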

### Alternatives Considered

This is one possible proposal, but there may be other ways of solving this. Ultimately the feature being pursued is that auditing of these DBX signatures should not be obscure. Any removal or addition will be visible and provide transparency to other projects such as LVFS, or whatever Secure Boot supporting systems would like to support the Microsoft-signed DBX inherently. Many EDR and third-party EDR can also benefit from visibility into UEFI.

### Urgency

Medium

### Are you going to implement the feature request?

Someone else needs to implement the feature

### Do you need maintainer feedback?

Maintainer feedback requested

### Anything else?

I am happy to support any way to help make this feature available to reduce the risk of the BYOVD motif transferring to UEFI. The online `Microsoft Vulnerable Driver Blocklist` today attempts to address this issue for the higher-level, OS-targeting BYOVD attacks.
