Keeping UEFI Secure Boot DBX and CPU microcode up to date in CI pipelines can be
challenging, especially if you want to automate the process and stay in sync
with upstream security updates.
One approach we explored involved adding mechanisms for automatic DBX updates
(UEFI Secure Boot revocation lists) and CPU microcode refresh to CI workflows,
as described in this
blogpost. The goal was to
reduce manual steps when integrating updated DBX payloads and microcode
packages, while enabling early detection of regressions during firmware
validation.
By making these updates part of the reproducible build process, it becomes
easier to maintain supply-chain transparency and strengthen platform resilience
against known vulnerabilities.
pietrushnic•5h ago
One approach we explored involved adding mechanisms for automatic DBX updates (UEFI Secure Boot revocation lists) and CPU microcode refresh to CI workflows, as described in this blogpost. The goal was to reduce manual steps when integrating updated DBX payloads and microcode packages, while enabling early detection of regressions during firmware validation.
By making these updates part of the reproducible build process, it becomes easier to maintain supply-chain transparency and strengthen platform resilience against known vulnerabilities.
Presentation describing the implementation: https://cfp.3mdeb.com/developers-vpub-0xf-2025/talk/3KFCDR/