Secure Boot - Usage of blacklist DB

Question

I have been reading up on the details of Secure Boot, in particular the authorized and forbidden databases:

Before enabling UEFI Secure Boot (by setting the PK) the white and black lists DB & DBX must be set up with authorized and forbidden certificates and signatures. Recall that DB contains authorized signing certificates and images while DBX contains blocked signing certificates and images.

The above is from http://gschwinds.net/cache/SigningUEFIImages-1.31.pdf

What is the point of having the black list DB when we have a white list DB already? If a certificate/signature is found to be comprised, wouldn't just removing it from the white list be enough? Am I missing something here as the black list DB of comprised signatures/certificates just seems redundant to me.

Answer 1

I believe that it is designed this way to circumvent technological limitations. Remember that the BIOS is written in a low-level programming language (Assembly or C), which are not object-oriented obviously. As such, assigning attributes to a signature or certificate that determine whether it is black- or white-listed is not an option. You can not just put them all together in a single 'database' (array, register) - there's no context. The only way to determine whether a signature/certificate is black or whitelisted, is based on the 'database' it is stored in.

That being said, there's still no clear need for two separate databases: you can block everything that is not in the whitelisted database - right? However, look at the below UEFI Secure Boot algorithm to determine whether an image shall be loaded or not (copied from the paper you referenced). You can see that an image which is signed with an authorised (whitelisted) certificate can still be denied if its specific signature is blacklisted... That is not something you could have accomplished by having only a whitelist and blocking everything that is not explicitly in there.