I did some patching of BootHole over the weekend, and found that the Microsoft article describing the patch installation not only contained errors but also outlined no way of checking patch install success.
1. Check the system to see if the vulnerable certificate exists. If True, proceed to check for updated certs. Run from an administrative PowerShell session:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft Corporation UEFI CA 2011'
2. Check to see if updated certs are installed. If False, proceed to patch:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes) -match 'Canonical Ltd. Master Certificate Authority'
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes) -match 'Debian Secure Boot CA'
3. Get the patch to install:
Download the appropriate UEFI Revocation List File (Dbxupdate.bin) for your platform from https://uefi.org/revocationlistfile.
4. Enable TLS 1.2 for this session, to ensure the script downloads successfully (optional; come back to this if Install-PackageProvider fails). This TLS setting is session only and will revert at session close:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
5. Install NuGet:
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
6. Install the DBX file splitting script:
Install-Script -Name SplitDbxContent
7. CD to the directory where the revocation list file is located, and run the script to split it into BIN and P7 files:
SplitDbxContent.ps1 .\dbxupdate.bin
8. Install the new certs:
Set-SecureBootUefi -Name dbx -ContentFilePath .\content.bin -SignedFilePath .\signature.p7 -Time 2010-03-06T19:17:21Z -AppendWrite
9. Reboot and check for updated certs; both should return True:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes) -match 'Canonical Ltd. Master Certificate Authority'
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes) -match 'Debian Secure Boot CA'
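As an added example (not from the original post or from Microsoft's article), the three manual checks above can be wrapped in one function that reports the pre-patch and post-reboot state in a single object. It uses the same Get-SecureBootUEFI calls the post uses, plus Confirm-SecureBootUEFI from the same SecureBoot module to confirm Secure Boot is actually on; the function name and output property names are my own.

```powershell
# Added example: consolidates the db/dbx string checks from the steps above.
# Assumptions: elevated PowerShell on a UEFI system with the SecureBoot module
# (Get-SecureBootUEFI, Confirm-SecureBootUEFI) available; function name is mine.
function Test-BootHoleDbxState {
    [CmdletBinding()]
    param()

    # Secure Boot must be enabled for db/dbx contents to be enforced at boot.
    $secureBootOn = $false
    try { $secureBootOn = Confirm-SecureBootUEFI } catch { $secureBootOn = $false }

    # Read the signature databases as ASCII text, as the manual checks do.
    $dbText  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbxText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)

    # -match takes a regex; escape the patterns so '.' in 'Ltd.' is matched literally.
    $hasMsUefiCa  = $dbText  -match [regex]::Escape('Microsoft Corporation UEFI CA 2011')
    $hasCanonical = $dbxText -match [regex]::Escape('Canonical Ltd. Master Certificate Authority')
    $hasDebian    = $dbxText -match [regex]::Escape('Debian Secure Boot CA')

    # Step 1 says patching matters only when the Microsoft 2011 CA is in db;
    # step 9 says both revoked CAs must be present in dbx after the update.
    [pscustomobject]@{
        SecureBootEnabled = $secureBootOn
        MsUefiCa2011InDb  = $hasMsUefiCa
        CanonicalCaInDbx  = $hasCanonical
        DebianCaInDbx     = $hasDebian
        DbxUpdateApplied  = ($hasCanonical -and $hasDebian)
        ActionRequired    = ($hasMsUefiCa -and -not ($hasCanonical -and $hasDebian))
    }
}

# Example use: show the state, and return a non-zero exit code if the dbx update is still missing.
$state = Test-BootHoleDbxState
$state | Format-List
if ($state.ActionRequired) { exit 1 }
```

Run it once before step 3 (expect DbxUpdateApplied False and ActionRequired True) and again after the reboot in step 9 (expect DbxUpdateApplied True). The exit code lets the same script serve as a compliance check in a scheduled job or configuration-management run.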