Rairii, decided to throw securebootai.dll (from latest germanium build) into IDA, was not disappointed
there's a list of systems where db/dbx updates aren't attempted, that being:
- any (amd64) apple system (those with secure boot just hardcodes db/dbx, without the ability to update it, right?)
- fujitsu FJNBB38
- a big list of HP systems: 83D5, 83DA, 83DD, 83E7, 83E8, 83E9, 8401, 8460, 8461, 8462, 8463, 8464, 8584, 8589, 8617, 8618, 8619, 8620, 869B, 86A3, 86A5, 86A8, 870B, 870C, 870F, 8710, 8711, 8712, 8713, 8714, 8715, 8717, 8718, 8719, 871A, 871B, 871C, 8723, 8724, 8725, 872B, 872C, 872D, 872E, 8736, 874D, 874E, 874F, 8750, 8751, 8752, 8753, 8754, 8755, 8760, 876D, 8779, 877D, 8780, 8783, 87EC, 880F, 8810, 882C, 882D, 8830, 8835, 8836, 885C, 887E
- and any HP system where its custom protection against performing db/dbx updates is enabled
also:
the file doesn't exist right now, but there's code (behind a registry(?) flag) to apply "dbxupdate2024.bin", and debug strings imply that would revoke the PCA 2011 cert entirely!(GetSecureBootUpdateFilePathPCA2011RevokeDBX)
i expected that to be done, but only on new systems, fun (given that it's behind a flag it may well happen only on new systems)