Finding the UEFI's DBX SVN number using PowerShell

[MOoD90s 0]

As part of the upcoming Secure Boot CA 2023 updates, you will not be able to roll back to an older Windows Boot Manager (without first disabling Secure Boot). To block older versions of the Boot Manager, a Secure Version Number (SVN) will be written to the UEFI's DBX variable. Any Boot Manager that doesn't meet the minimum SVN version in the DBX variable will be banned from booting once the feature has been enabled.

This guide is intended for advanced users, who need to confirm if their Secure Boot migrations have been completed.

How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932

• Apply the SVN update to the firmware.
  
  The Boot Manager deployed in Step 2 has a new self-revocation feature built-in. When the Boot Manager starts to run, it performs a self-check by comparing the Secure Version Number (SVN) that is stored in the firmware, with the SVN built into the Boot Manager. If the Boot Manager SVN is lower than the SVN stored in the firmware, the Boot Manager will refuse to run. This feature prevents an attacker from rolling back the Boot Manager to an older, non-updated version.
  
  In future updates, when a significant security issue is fixed in the Boot Manager, the SVN number will be incremented in both the Boot Manager and the update to the firmware. Both updates will be released in the same cumulative update to make sure that patched devices are protected. Each time the SVN is updated, any bootable media will need to be updated.
  
  Starting with the July 9, 2024, updates, the SVN is being incremented in the Boot Manager and the update to the firmware. The firmware update is optional and can be applied by following this step:
  1. Apply the SVN update to the firmware. To do this, open a Command Prompt window as an Administrator, type each of the following commands separately, and then press Enter:
     
     reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x200 /f
     Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Click to expand...

Enterprise Deployment Guidance for CVE-2023-24932:

Mitigation 4: A method to confirm that the SVN setting has been applied does not yet exist. This section will be updated when a solution is available.

Click to expand...

After half a year, MS hasn't provided any solution for confirming your DBX SVN number (if it does exist).

So here's a PowerShell one-line command (run as Administrator) to report your DBX's Boot Manager SVN setting:

Code:

$DBXSVN=([Regex]::Matches((((Get-SecureBootUEFI dbx).Bytes |% { '{0:x2}' -f $_ }) -join ''),'01612b139dd5598843ab1c185c3cb2eb92...........')).Value | sort | select -last 1; if ($DBXSVN.Count) { '{0}.{1}' -f [int]::Parse($DBXSVN.Substring(36,4), [System.Globalization.NumberStyles]::HexNumber), [int]::Parse($DBXSVN.Substring(40,4), [System.Globalization.NumberStyles]::HexNumber) } else { 'No SVN.' }

7.0

Currently, the latest SVN enforced for the Boot Manager is 7.0, but you may see version 5.0 if you followed the MS guides. MS has not pushed out a newer DBXUpdateSVN.bin with Windows Update, but it's available on the Secure Boot Objects GitHub repo.

If you don't have a SVN number, then you have not followed the previous instructions (above).