foresight / warning: Microsoft certificates from 2011 will probably be replaced by certs from 2023.

[conrad-heimbold]

In the future, the Microsoft certificate:

• MicWinProPCA2011_2011-10-19.crt (also available from https://go.microsoft.com/fwlink/?LinkId=321192 ) will probably be replaced by "Windows UEFI CA 2023" (https://go.microsoft.com/fwlink/p/?linkid=2239776 ), which I will call "MicWinUEFICA2023.crt.base64" in the following; and
• MicCorKEKCA2011_2011-06-24.crt (also available from https://go.microsoft.com/fwlink/p/?linkid=321185 ) will probably be replaced by "Microsoft Corporation KEK 2K CA 2023" (https://go.microsoft.com/fwlink/p/?linkid=2239775 ), which I will call "MicCorKEK2KCA2023.crt.base64" in the following.

... if I understand the "Windows Secure Boot Key Creation and Management Guidance", Chapter "1.5 Keys Required for Secure Boot on all PCs" correctly . This is just my assumption, based on the year number (2023) .

The older certificates from 2011 are in raw binary format; the linked newer ones from 2023 however are in base64-encoded binary format. That's the reason why I added the ".base64" ending. So to make them usable and to have them in the same format as the older ones, we have to decode them:

base64 --decode MicWinUEFICA2023.crt.base64 > MicWinUEFICA2023.crt
base64 --decode MicCorKEK2KCA2023.crt.base64 > MicCorKEK2KCA2023.crt

Can anybody check if their freshly installed Windows 11 bootmgfw.efi in its newest version has a signature from the 2011 certs or from the 2023 certs?

This is just a foresight for the future; I hope it might help.

Thank you in advance for your help and work!

[Foxboron]

It's a bit more complicated.

There are also going to be several new certs so you can use different certs for OpROM and Linux distros and so on. This will be implemented when it becomes relevant.

[medhefgo]

There are also going to be several new certs so you can use different certs for OpROM and Linux distros and so on. This will be implemented when it becomes relevant.

I think it's best to get these into sbctl now, rather then later. Or someone is gonna enroll keys with --microsoft on some new device with drivers that are signed only with the new certificates and find themselves with an expensive paperweight.

According to https://github.com/systemd/systemd/pull/29104#pullrequestreview-1613512459, you're supposed to have old and new key installed both now.

[Foxboron]

According to https://github.com/systemd/systemd/pull/29104#pullrequestreview-1613512459, you're supposed to have old and new key installed both now.

I missed that memo, can probably take a look at it soon'ish.

[Flickdm]

@conrad-heimbold Hey! We saw your issue and we updated the certificates to DER format (just with a .crt extension)! As of right now the only thing the 2023 Windows production CA has signed is a UEFI Testing Application. We're working with our partners to make sure db append actually appends.

[medhefgo]

@Flickdm Microsoft Corporation KEK 2K CA 2023 is still base64.

[Flickdm]

Thanks for letting me know! I'm bringing it up internally!

[Flickdm]

Just checked, the linked KEK is now der encoded as well!

[Foxboron]

@Flickdm Thanks for fixing this :)

[Foxboron]

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-microsoft-secure-boot-keys/ba-p/4055324

Should implement this soon :)