
foresight / warning: Microsoft certificates from 2011 will probably be replaced by certs from 2023.

Open conrad-heimbold opened this issue 2 years ago • 13 comments

In the future, the Microsoft certificate:

  • MicWinProPCA2011_2011-10-19.crt (also available from https://go.microsoft.com/fwlink/?LinkId=321192 ) will probably be replaced by "Windows UEFI CA 2023" (https://go.microsoft.com/fwlink/p/?linkid=2239776 ), which I will call "MicWinUEFICA2023.crt.base64" in the following; and
  • MicCorKEKCA2011_2011-06-24.crt (also available from https://go.microsoft.com/fwlink/p/?linkid=321185 ) will probably be replaced by "Microsoft Corporation KEK 2K CA 2023" (https://go.microsoft.com/fwlink/p/?linkid=2239775 ), which I will call "MicCorKEK2KCA2023.crt.base64" in the following.

... if I understand the "Windows Secure Boot Key Creation and Management Guidance", Chapter "1.5 Keys Required for Secure Boot on all PCs" correctly. This is just my assumption, based on the year number (2023).

The older certificates from 2011 are in raw binary format; the linked newer ones from 2023 however are in base64-encoded binary format. That's the reason why I added the ".base64" ending. So to make them usable and to have them in the same format as the older ones, we have to decode them:

base64 --decode MicWinUEFICA2023.crt.base64 > MicWinUEFICA2023.crt
base64 --decode MicCorKEK2KCA2023.crt.base64 > MicCorKEK2KCA2023.crt

Can anybody check if their freshly installed Windows 11 bootmgfw.efi in its newest version has a signature from the 2011 certs or from the 2023 certs?

This is just a foresight for the future; I hope it might help.

Thank you in advance for your help and work!

conrad-heimbold, Aug 07 '23 21:08
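The decode step above assumes you already know which of the two formats a download is in. As an added example (not code from sbctl or from the issue author), here is a small Python helper that classifies a certificate file as DER, PEM or bare base64, normalizes it to DER, and refuses anything that does not decode to one complete DER SEQUENCE of the right length (the silent failure mode when a base64 file is enrolled as if it were DER, or a download is truncated). The `SAMPLE_*` values are constructed placeholder bytes with a valid outer SEQUENCE header, not a real Microsoft certificate; the file names in `normalize_file` are the ones used in the issue.

```python
import base64
import hashlib
import re
from pathlib import Path
from typing import Optional, Tuple

# PEM armour as produced by openssl; the body between the markers is base64.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_sequence_length(data: bytes) -> Optional[int]:
    """Total byte length of the outer DER SEQUENCE that `data` starts with, or None.

    An X.509 certificate is a single SEQUENCE (tag 0x30) followed by a DER length:
    short form (< 0x80) or long form (0x80 | number of length bytes, then big-endian length).
    """
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(data) < 2 + n:
        return None  # indefinite length is not DER; or header is truncated
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_and_normalize(raw: bytes) -> Tuple[str, bytes]:
    """Return ("der" | "pem" | "base64", der_bytes) for a certificate file's contents.

    Raises ValueError when the data is none of the three, or when the decoded bytes
    are not exactly one complete SEQUENCE (truncated or padded download).
    """
    if der_sequence_length(raw) == len(raw):
        return "der", raw
    match = PEM_RE.search(raw)
    if match:
        kind, body = "pem", match.group(1)
    else:
        kind, body = "base64", raw
    try:
        # Join lines first: both PEM and some bare-base64 downloads wrap at 64/76 columns.
        der = base64.b64decode(b"".join(body.split()), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("file is neither DER nor base64/PEM certificate data") from exc
    if der_sequence_length(der) != len(der):
        raise ValueError(f"{kind} payload does not decode to one complete DER SEQUENCE")
    return kind, der


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, the value to compare against an enrolled db/KEK entry."""
    return hashlib.sha256(der).hexdigest()


def normalize_file(src: Path, dst: Path) -> str:
    """Write `src` as DER to `dst` (e.g. MicWinUEFICA2023.crt.base64 -> MicWinUEFICA2023.crt)."""
    kind, der = detect_and_normalize(src.read_bytes())
    dst.write_bytes(der)
    return kind


# Constructed sample: SEQUENCE, long-form length 0x0100 = 256 bytes of zero payload.
# This exercises the long-form length path that every real certificate uses; it is NOT a certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_B64 = base64.b64encode(SAMPLE_DER)                       # bare base64, one line
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")                 # PEM, wrapped at 76 columns


if __name__ == "__main__":
    for label, blob in (("der", SAMPLE_DER), ("b64", SAMPLE_B64), ("pem", SAMPLE_PEM)):
        kind, der = detect_and_normalize(blob)
        print(f"{label}: detected {kind}, {len(der)} DER bytes, sha256 {fingerprint(der)[:16]}...")
```

Running `normalize_file` on a downloaded `.crt` that is already DER is a no-op copy, so it is safe to run over every Microsoft certificate file before passing it to enrollment tooling; the fingerprint is what you would compare with the existing db or KEK entries to confirm whether a given certificate is already present.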

It's a bit more complicated.

There are also going to be several new certs so you can use different certs for OpROM and Linux distros and so on. This will be implemented when it becomes relevant.

Foxboron, Aug 11 '23 12:08

> There are also going to be several new certs so you can use different certs for OpROM and Linux distros and so on. This will be implemented when it becomes relevant.

I think it's best to get these into sbctl now, rather than later. Or someone is gonna enroll keys with --microsoft on some new device with drivers that are signed only with the new certificates and find themselves with an expensive paperweight.

According to https://github.com/systemd/systemd/pull/29104#pullrequestreview-1613512459, you're supposed to have old and new key installed both now.

medhefgo, Sep 06 '23 15:09

> According to https://github.com/systemd/systemd/pull/29104#pullrequestreview-1613512459, you're supposed to have old and new key installed both now.

I missed that memo, can probably take a look at it soon'ish.

Foxboron, Sep 07 '23 06:09

@conrad-heimbold Hey! We saw your issue and we updated the certificates to DER format (just with a .crt extension)! As of right now the only thing the 2023 Windows production CA has signed is a UEFI Testing Application. We're working with our partners to make sure db append actually appends.

Flickdm, Sep 11 '23 22:09

@Flickdm Microsoft Corporation KEK 2K CA 2023 is still base64.

medhefgo, Sep 12 '23 05:09

Thanks for letting me know! I'm bringing it up internally!

Flickdm, Sep 13 '23 21:09

Just checked: the linked KEK is now DER-encoded as well!

Flickdm, Sep 30 '23 00:09

@Flickdm Thanks for fixing this :)

Foxboron, Sep 30 '23 10:09

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-microsoft-secure-boot-keys/ba-p/4055324

Should implement this soon :)

Foxboron, Feb 16 '24 11:02