Drivers & software

* RECOMMENDED * UEFI Shell DBX Updater

By downloading, you agree to the terms and conditions of the Hewlett Packard Enterprise Software License Agreement.
Note:  Some software requires a valid warranty, current Hewlett Packard Enterprise support contract, or a license fee.

Type: Utility - Tools
Version: 1.0 (3 Sep 2020)
Operating System(s): OS Independent
File name: HpeDbxAppend.zip (31 KB)
Tool for updating the UEFI Secure Boot DBX on HPE systems; it can be run from the EFI shell.

Upgrade Requirement:
Recommended - HPE recommends users update to this version at their earliest convenience.


Tool for updating the UEFI Secure Boot DBX on HPE systems.

To ensure the integrity of your download, HPE recommends verifying your results with this SHA-256 Checksum value:

b345d739175607fed6d680476ebc0776062b874fdba572f8965b5590f68d9add HpeDbxAppend.zip
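
A pre-staging check for the download, given here as an added example and not as HPE code: it compares the archive's SHA-256 with the value published above and then confirms that the archive contains the four files described under Installation. The function names are hypothetical, and the check assumes the archive holds only those four files.

```python
import hashlib
import posixpath
import zipfile

# Digest and file names as published on this page.
PUBLISHED_SHA256 = "b345d739175607fed6d680476ebc0776062b874fdba572f8965b5590f68d9add"
EXPECTED_FILES = {
    "UpdateDbxScript.nsh",
    "HpeDbxAppend.efi",
    "dbxupdateHPKEK2013.bin",
    "dbxupdateHPEKEK2016.bin",
}


def sha256_of(path, chunk_size=1 << 20):
    """Hash the file in chunks rather than reading it into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_download(path, expected_sha256=PUBLISHED_SHA256):
    """Return a list of problems; an empty list means digest and contents match."""
    actual = sha256_of(path)
    if actual != expected_sha256.lower():
        # Stop here: an archive with the wrong digest is never opened.
        return [f"SHA-256 mismatch: got {actual}"]
    with zipfile.ZipFile(path) as zf:
        names = [i.filename.replace("\\", "/") for i in zf.infolist() if not i.is_dir()]
    problems = []
    for name in names:
        parts = name.split("/")
        if name.startswith("/") or ".." in parts:
            problems.append(f"path escapes extraction directory: {name}")
        elif posixpath.basename(name) not in EXPECTED_FILES:
            # Assumption: the archive holds only the four files listed on this page.
            problems.append(f"unexpected member: {name}")
    present = {posixpath.basename(n) for n in names}
    problems += [f"missing member: {m}" for m in sorted(EXPECTED_FILES - present)]
    return problems


if __name__ == "__main__":
    import sys
    issues = check_download(sys.argv[1])
    print("\n".join(issues) if issues else "OK: digest and contents match")
    sys.exit(1 if issues else 0)
```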

Reboot Requirement:
Reboot is optional after installation. Updates will be effective after reboot. Hardware stability will be maintained without reboot.


Installation:

The files in the Zip are for updating the UEFI Secure Boot DBX on HPE systems. They can be run from the EFI shell. The files are as follows:

- UpdateDbxScript.nsh
  This is an EFI shell script which applies the DBX update included on HPE systems by attempting to apply the secure variable update signed with the HP 2013 KEK and then attempting to apply the same update signed with the HPE 2016 KEK.

- HpeDbxAppend.efi
  This is the EFI application that can take a signed variable update for the Secure Boot DBX and apply it. The usage is "HpeDbxAppend.efi -f [filename]" where filename is the name of the signed DBX variable update binary.

- dbxupdateHPKEK2013.bin
  This is the current DBX update for HPE systems signed with the HP 2013 KEK, which was used in products previously.

- dbxupdateHPEKEK2016.bin
  This is the current DBX update for HPE systems signed with the HPE 2016 KEK, which is used in current products.

To apply the included DBX updates to an HPE server, place the files on the EFI system partition or on some other media attached to the server. Boot to the EFI shell via System Utilities or any other method. Run the UpdateDbxScript.nsh shell script. The script will attempt to apply both update files. The expected behaviour is that one file will pass and the other will fail, depending on which Key Encryption Key (KEK) is in the UEFI Secure Boot database of the server.

The files to be installed are signed by HPE and are verified by UEFI Secure Boot as part of the update process.

Note: If Shell Script Verification is supported and enabled on the server, the UpdateDbxScript.nsh will need to be enrolled before it can be run.  Follow the product documentation to enroll the script if necessary.
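
Because the script is expected to report one failure, it helps to confirm from the operating system that the DBX actually changed. The following is an added example, not HPE code: it parses the `dbx` variable as a sequence of UEFI `EFI_SIGNATURE_LIST` structures and lists the revoked SHA-256 image hashes, so the output can be saved before the update and compared after it. It assumes a Linux host with efivarfs mounted; the function names are hypothetical.

```python
import struct
import uuid

# Assumption: Linux host with efivarfs mounted; the GUID is EFI_IMAGE_SECURITY_DATABASE_GUID.
DBX_EFIVAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
SIG_TYPES = {
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",  # EFI_CERT_SHA256_GUID
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",    # EFI_CERT_X509_GUID
}
HEADER = 28  # SignatureType GUID (16) + three UINT32 size fields


def parse_signature_lists(blob):
    """Return (type, owner, data) for every entry in concatenated EFI_SIGNATURE_LISTs."""
    entries, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < HEADER:
            raise ValueError(f"truncated list header at offset {offset}")
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        body, end = offset + HEADER + hdr_size, offset + list_size
        if body > end or end > len(blob) or sig_size <= 16:
            raise ValueError(f"malformed list at offset {offset}")
        if (end - body) % sig_size:
            raise ValueError(f"partial entry in list at offset {offset}")
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            kind = SIG_TYPES.get(sig_type, str(sig_type))
            entries.append((kind, owner, blob[pos + 16:pos + sig_size]))
        offset = end
    return entries


def revoked_sha256(blob):
    """Hex digests of all SHA-256 image hashes in the list."""
    return {data.hex() for kind, _, data in parse_signature_lists(blob) if kind == "sha256"}


def read_dbx(path=DBX_EFIVAR):
    """efivarfs puts a 4-byte attributes field in front of the variable data."""
    with open(path, "rb") as fh:
        return fh.read()[4:]


if __name__ == "__main__":
    hashes = revoked_sha256(read_dbx())
    print(f"{len(hashes)} SHA-256 image hashes in dbx")
    print("\n".join(sorted(hashes)))
```

Run it once before the update and again after the update and reboot; new lines in the second output are the revocations that were added.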

 


End User License Agreements:
HPE Software License Agreement v1


Important:

HPE requires users to update the DBX immediately.

IMPORTANT:

The Secure Boot DBX Updater Tools for Linux, Windows and UEFI environments will invalidate all vulnerable GRUB2 bootloaders, including Synergy Custom SPP 2020.07.01 (or earlier) that do not contain a fix for CVE-2020-15705. Synergy customers SHOULD NOT update with the Secure Boot DBX Updater Tools until the new Synergy Custom SPP (containing the fix for CVE-2020-15705) becomes available. For additional information, reference the following Customer Bulletin on HPE Support Center:

HPE Synergy Custom SPP - Synergy Custom SPP Version 2020.07.01 (or earlier) Will Not Boot if System Is Updated with Latest Version of Intelligent Provisioning or DBX Updater Tools

NOTE:

  • For additional information regarding the Secure Boot DBX Updater Tools for Linux, Windows and UEFI environments, reference the following Customer Bulletin on HPE Support Center:

    GRUB2 (aka BootHole) Vulnerabilities - CRITICAL UPDATE Secure Boot DBX Updater for Linux, Windows and UEFI

  • Older boot environments from HPE will no longer boot with Secure Boot enabled after the system DBX is updated. This includes old versions of Intelligent Provisioning, Service Pack for ProLiant and Scripting Tool Kit.


Legal Disclaimer: Products sold prior to the November 1, 2015 separation of Hewlett-Packard Company into Hewlett Packard Enterprise Company and HP Inc. may have older product names and model numbers that differ from current models.