xcp-ng / uefistored

Variables store for UEFI guests. Note: in XCP-ng 8.3+, we switched to varstored in order to share a common implementation with XenServer.
GNU General Public License v2.0

missing UEFI DB / KEK entries #52

Open conitrade-as opened 2 months ago

conitrade-as commented 2 months ago

In a production environment (XCP-ng 8.2.1) the secure boot changes according to KB5025885 were implemented on a Windows Server 2019 VM (this changed the VM DB and KEK). After the changes were completed, the VM got live migrated from one pool node to the other without a reboot.

For some reason, this seems to have cleared the Secure Boot state of the VM and probably applied the pool's default entries again, because a subsequent reboot landed the VM in the UEFI shell (XO reported VM_SECURE_BOOT_FAILED: The VM failed to pass Secure Boot verification). After hours of debugging, this makes sense, since the new Windows bootloader is signed by a certificate that XCP-ng does not know about.

Turns out that adding the UEFI 2023 certificates seems to fix the problem. Adding the certificates to the XCP-ng "Default UEFI Certificates" could look something like this:

diff secureboot-certs /usr/sbin/secureboot-certs
80a81,83
>     WINDOWS_CA_2023 = "https://www.microsoft.com/pkiops/certs/windows%20uefi%20ca%202023.crt"
>     MICROSOFT_CA_2023 = "https://www.microsoft.com/pkiops/certs/microsoft%20uefi%20ca%202023.crt"
>     MICROSOFT_KEK_2023 = "https://www.microsoft.com/pkiops/certs/microsoft%20corporation%20kek%202k%20ca%202023.crt"
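Review bot: the three URLs added at lines 81-83 become trust anchors for every VM that takes the default certificates, but nothing in the hunk checks what actually comes back from them; pin the expected SHA-256 fingerprint of each downloaded DER and compare it before `convert_der_to_pem` feeds the certificate into KEK or db, as you would for any root of trust fetched over the network at install time.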
252a256
>     msft_kek_2023 = download(Urls.MICROSOFT_KEK_2023, user_agent=user_agent)
254c258,263
<         signing_key, signing_crt, "KEK", signing_crt, convert_der_to_pem(msft_kek)
---
>         signing_key,
>         signing_crt,
>         "KEK",
>         signing_crt,
>         convert_der_to_pem(msft_kek),
>         convert_der_to_pem(msft_kek_2023),
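Review bot: the call at lines 258-263 appends `convert_der_to_pem(msft_kek_2023)` as one more positional argument after the 2011 KEK, which only works if the callee accepts a variable number of certificates; confirm the function's signature rather than relying on the current arity. Keeping the 2011 KEK alongside the 2023 one is the right choice for VMs that have not taken the update, so the eventual PR description should state that no existing entry is removed.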
263a273,274
>     win_ca_2023 = download(Urls.WINDOWS_CA_2023, user_agent=user_agent)
>     msft_ca_2023 = download(Urls.MICROSOFT_CA_2023, user_agent=user_agent)
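Review bot: of the two certificates fetched at lines 273-274, `WINDOWS_CA_2023` (Windows UEFI CA 2023) is the one that signs the new Windows boot manager from KB5025885, while `MICROSOFT_CA_2023` (Microsoft UEFI CA 2023) is the third-party UEFI CA. Putting both into db widens what the VM will boot to any third-party binary signed under the 2023 UEFI CA, so if the script already treats the 2011 Microsoft UEFI CA as optional, the 2023 one should honour the same option instead of being added unconditionally.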
269a281,282
>         convert_der_to_pem(win_ca_2023),
>         convert_der_to_pem(msft_ca_2023),
877a891
> 
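Review bot: the `877a891` hunk only appends a blank line at the end of the file and is unrelated to the certificate change; drop it from the PR so the diff stays limited to the KEK and db additions.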

If this is indeed the solution, I am more than happy to contribute a short PR for this.
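As an added defender-side check, not code from this issue or from uefistored or secureboot-certs: parse a db or KEK variable payload (a chain of EFI_SIGNATURE_LISTs) and report which expected certificate fingerprints are missing, so a VM's Secure Boot store can be audited after a migration like the one described above. The DER bytes, owner GUID and fingerprints are constructed placeholders; a real check would use the SHA-256 of the actual Microsoft CA certificates.

```python
"""Check a UEFI db/KEK payload (a chain of EFI_SIGNATURE_LISTs) for expected
X.509 entries. Sample data is constructed; this is not uefistored's own code."""
import hashlib
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
HEADER_FMT = "<III"  # SignatureListSize, SignatureHeaderSize, SignatureSize
HEADER_LEN = 16 + struct.calcsize(HEADER_FMT)  # SignatureType GUID + 3 x uint32

def parse_signature_lists(blob):
    """Return [(sig_type, owner_guid, data)] for every signature in the blob."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from(HEADER_FMT, blob, off + 16)
        body_start, body_end = off + HEADER_LEN + hdr_size, off + list_size
        if (body_end > len(blob) or body_start > body_end or sig_size < 16
                or (body_end - body_start) % sig_size):
            raise ValueError("inconsistent size fields at offset %d" % off)
        for i in range(body_start, body_end, sig_size):  # one EFI_SIGNATURE_DATA each
            owner = uuid.UUID(bytes_le=blob[i:i + 16])
            entries.append((sig_type, owner, blob[i + 16:i + sig_size]))
        off = body_end
    return entries

def x509_fingerprints(blob):
    """SHA-256 hex digest of every DER certificate held in an X.509 list."""
    return sorted(hashlib.sha256(d).hexdigest()
                  for t, _, d in parse_signature_lists(blob) if t == EFI_CERT_X509_GUID)

def missing_fingerprints(blob, expected):
    """Expected certificate fingerprints that the payload does not contain."""
    return sorted(set(expected) - set(x509_fingerprints(blob)))

def build_signature_list(sig_type, owner, data):
    """Serialise one EFI_SIGNATURE_LIST holding a single signature (sample builder)."""
    sig_size = 16 + len(data)
    return (sig_type.bytes_le + struct.pack(HEADER_FMT, HEADER_LEN + sig_size, 0, sig_size)
            + owner.bytes_le + data)

# Constructed sample: placeholders stand in for the real DER certs and their SHA-256.
OWNER = uuid.UUID("00000000-0000-4000-8000-000000000001")  # constructed owner GUID
FAKE_CA_2011 = b"constructed DER: Microsoft Windows Production PCA 2011"
FAKE_CA_2023 = b"constructed DER: Windows UEFI CA 2023"
FP_2023 = hashlib.sha256(FAKE_CA_2023).hexdigest()
DB_BEFORE = build_signature_list(EFI_CERT_X509_GUID, OWNER, FAKE_CA_2011)
DB_AFTER = DB_BEFORE + build_signature_list(EFI_CERT_X509_GUID, OWNER, FAKE_CA_2023)
```

On a real host, feed the raw bytes of the VM's db or KEK variable (without any authenticated-write header) to `missing_fingerprints` with the known SHA-256 values of the CA certificates you expect.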


stormi commented 2 months ago

Thanks for this detailed report. Does using the new certs still allow booting older versions of Windows which haven't had the security update?