Microsoft, in collaboration with our ecosystem partners, is preparing to roll out replacement certificates that’ll set new Unified Extensible Firmware Interface (UEFI) Certificate Authorities (CAs) trust anchors in Secure Boot for the future. Look out for Secure Boot database updates rolling out in phases to add trust for the new database (DB) and Key Exchange Key (KEK) certificates. This new DB update is available as an optional servicing update for all Secure Boot enabled devices from February 13, 2024.
↫ SochiOgbuanya
This update will replace the Windows 8-era certificates, set to expire in 2026, with new ones.
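One practical check behind the "will my machines get this" question in the comments below is to look at what the firmware's Secure Boot db actually holds today. The following is an added example, not code from Microsoft's announcement or from OSnews: it parses the EFI_SIGNATURE_LIST format used by the db and KEK variables and fingerprints each X.509 entry so it can be compared with a CA's published SHA-256 fingerprint. The owner GUID, the placeholder certificate and the sample bytes are constructed; on Linux the real input is the efivars file for db (variable GUID d719b2cb-3d3a-4596-a3bc-dad00e67656f) with its 4-byte attribute prefix removed.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI spec; HEADER_LEN covers SignatureType, ListSize, HeaderSize, SignatureSize.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
KIND = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
HEADER_LEN = 28

def parse_signature_lists(blob):
    """Return (type_guid, owner_guid, signature_bytes) for every EFI_SIGNATURE_DATA entry in blob."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < HEADER_LEN or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + HEADER_LEN + hdr_size  # skip the optional signature header
        while pos + sig_size <= end:       # each entry: 16-byte owner GUID + signature data
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def summarize(entries):
    """(kind, owner, value) rows: SHA-256 fingerprint for a DER cert, otherwise the stored bytes as hex."""
    return [(KIND.get(t, str(t)), str(owner),
             hashlib.sha256(sig).hexdigest() if t == EFI_CERT_X509_GUID else sig.hex())
            for t, owner, sig in entries]

def build_signature_list(sig_type, owner, sigs):
    """Encode one EFI_SIGNATURE_LIST (empty signature header) of equally sized entries."""
    body = b"".join(owner.bytes_le + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, 16 + len(sigs[0])) + body

# Constructed sample: efivarfs attribute prefix, one placeholder "certificate" (not a real CA), two hashes.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
FAKE_CERT = b"\x30\x82\x00\x40" + b"\xaa" * 60
SAMPLE_DB = (b"\x27\x00\x00\x00"
             + build_signature_list(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT])
             + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [b"\x01" * 32, b"\x02" * 32]))

def sample_entries():
    return summarize(parse_signature_lists(SAMPLE_DB[4:]))  # [4:] drops the attribute prefix
```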
I wonder if there were any keys signed with the old certificates that will not be signed with the new updated ones? If so, that could cause boot failures.
I had an x86 laptop where I was unable to disable secure boot and could only boot operating systems signed by Microsoft. Thankfully most x86 manufacturers still let owners disable secure boot because that was a huge problem.
I wonder too if one will be able to update the certificate without using Windows at all. Imagine someone who runs Ubuntu or Red Hat with secure boot enabled using one of those distros’ keys, will those keys need to be updated as well? Will Microsoft be willing to work with the distros that support secure boot?
And perhaps more importantly for distros and OSes that *don’t* use secure boot: Will these updated keys now require secure boot to remain enabled in order for the computer to boot at all? That was a widespread fear when secure boot was first announced, that Microsoft was going to force OEMs and mainboard manufacturers to never allow the user to turn off secure boot and therefore never allow them to run alternative OSes, but that fear never panned out. Even Microsoft’s own hardware like the Surface laptops can disable secure boot and run whatever the user wants. I just wonder if this updated certificate will bring with it stricter controls as well. It’s not clear from the article if that is the case.
Morgan,
With Windows 8 requirements, MS OEM agreements required users be allowed to turn it off. They did this to quell public concerns. However, with Windows 10 MS retracted the requirement that owners have control over secure boot. I’ve only seen one Fujitsu laptop where the BIOS option to disable secure boot was disabled though. MS could still theoretically require secure boot to be forced in a future version of Windows, but that might have anti-trust consequences. If they can somehow convince manufacturers to do it on their own, MS can say they’re not responsible.
Now that the major Linux distros are booting under Microsoft keys, more hardware could become secure boot restricted and those users wouldn’t necessarily realize that they can’t run other distros. Some might be ok with this status quo, but personally I’m very uncomfortable with the thought of Microsoft acting as OS gatekeeper.
I’m annoyed by MS being in charge of the keys too. I like the idea, and it’s been long enough that there could be a better process.
Systems from vendors which support LVFS should get updates. I have two systems supported by LVFS, and the process is like any other update. I’ve already gotten a couple of Secure Boot database updates in the last year.
Probably. Those should be a package update since I think a shim is still in use.
I just wonder if this updated certificate will bring with it stricter controls as well. It’s not clear from the article if that is the case.
The cert databases themselves, probably not. Other firmware updates, maybe?
“I wonder how many of my machines are going to get updates?” was my first thought too. I have a bunch of Haswell based systems, and I’m not sure they’re going to get a UEFI update.
Now that I think about it, the BSD installs have secure boot turned off anyway, and anything with a DKMS module has it turned off too. Hmm… Anyway…
Yeah, unless you boot Windows, you likely won’t get the updates unless you update your BIOS manually. I do update the BIOS periodically though. For those running with secure boot disabled, that’s probably ok and I would not expect manufacturers to change their secure boot policy for existing hardware.
Or the system is supported by fwupd. 🙂
The Haswell stuff I’m going to have to update by hand. Luckily, the Dell systems are easy to update, but the one Supermicro system is annoying.
Assuming Dell releases an update. They’ve released some critical updates for these systems, but I’m not sure where they’re going to rate this.
Supermicro quit caring years ago, so I’m not expecting anything from them. >:(