On Tue, 8 Jul 2025 at 21:44, Mateus Rodrigues Costa <[email protected]> wrote:
>
> Hello all,
>
> As you guys know Secure Boot is supported by Fedora Linux and it
> relies on the Microsoft signing keys.
> Well, recently I was looking at this month's Windows 11 cumulative
> update and noticed this warning:
>
> Important: Secure Boot certificates used by most Windows devices are
> set to expire starting in June 2026. This might affect the ability of
> certain personal and business devices to boot securely if not updated
> in time. To avoid disruption, we recommend reviewing the guidance and
> taking action to update certificates in advance. For details and
> preparation steps, see Windows Secure Boot certificate expiration and
> CA updates.
>
> Which links to
> https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e
>
> My question is if we as Fedora users should worry...
>
> I guess that users with devices that actively receive BIOS updates
> should receive an update with the new certificates included, but it's
> unknown what will happen for devices that are basically out of
> support.
>
> I believe that fwupd should be able to update that certificate, but at
> least on my system the Microsoft certificate isn't shown on it (I
> believe on a UEFI Secure Boot VM it's shown).
>
> Should we worry about this?
>
> For instance, my device, a Dell laptop, for which fwupd recognizes:
> the firmware (which I update via a built-in BIOS flash utility), the
> dbx (updated via fwupd) and a mysterious "Dell Platform Key", which
> might be Microsoft's certificate along with some other Dell stuff.
>
> Is Linux ready for the Microsoft certificate expiring next year?
>
> Thanks for your time,
> Mateus Rodrigues Costa
Hello all again,

We're nearly at the end of 2025, so I believe it makes sense to revive this thread.

Well, as we have seen, thanks to LVFS and fwupd, pretty much everyone that has a UEFI system with Secure Boot had updates available. I have very specifically seen people on Reddit complaining with "why do I have a Microsoft update in the Firmware section of the system updater?" sort of messages, as an example. So, yeah, pretty much anyone who uses Secure Boot and cares about it continuing to work should be good to go.

Well, but why revive the thread?

As you might remember, the 3 updates we had under Linux (moving from the 2011 version to 2023) were:

- Microsoft Corporation KEK CA 2011 -> Microsoft Corporation KEK 2K CA 2023
- Microsoft UEFI CA 2011 -> Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023

However, there's one that isn't possible to upgrade from Linux (although I might agree not everyone wants this one):

- Microsoft Windows Production PCA 2011 -> Windows UEFI CA 2023

I did go through the process mentioned at
https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d
with a Windows 10 ToGo media. And there's a lot of cool info there about Microsoft's "vision" for this migration. So I tried some of the mitigations.

I applied step 1, which adds the new certificate. There's step 2 - which I have not applied yet - which allows optionally using a bootloader signed with the new 2023 certificates, a third step about putting the 2011 Windows certs into the dbx, and a 4th step about the SVN (seems to be similar to the SBAT).

There are also instructions on how to update a Windows media for the new certs (which I guess should be similar to copying a compatible shim file to the old media).

And finally the last piece of data relevant from that article, the implementation steps.
This is the rationale for what Microsoft wants to do:

> NOTE: Instead of trying to exhaustively list and untrust vulnerable boot
> managers as we did in the previous deployment phases, we are adding the
> "Windows Production PCA 2011" signing certificate to the Secure Boot Disallow
> List (DBX) to untrust all boot managers signed by this certificate. This is a
> more reliable method for ensuring that all previous boot managers are
> untrusted.

And this is when it will hit everyone:

> The Enforcement Phase will not begin before January 2026, and we will give at
> least six months of advance warning in this article before this phase begins.
> When updates are released for the Enforcement Phase, they will include the
> following:
> The "Windows Production PCA 2011" certificate will automatically be revoked
> by being added to the Secure Boot UEFI Forbidden List (DBX) on capable
> devices. These updates will be programmatically enforced after installing
> updates for Windows to all affected systems with no option to be disabled.

It seems that even though the official certificates are officially expiring in June 2026, Microsoft already has a plan to at the very least blacklist their own old Windows certificate as early as possible next year. They not only offer the several steps for IT for the migration, but also steps on fixing and running old Windows media if needed.

Even then, we on Fedora still seem to only have shims with the old certificate:

$ sbverify shim.efi --list
warning: data remaining[823272 vs 949424]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root

After this context, I have two questions about how it concerns Fedora:

1) From my understanding of the mentioned Microsoft article, Microsoft decided to blacklist their whole 2011 Windows certificate and rely only on the new 2023 one instead of handling all blacklisted binaries on the dbx. Will the Linux world follow something similar? If Microsoft decided to do it earlier, in January, instead of just waiting, due to CVE-2023-24932, it might be important, correct?

2) We are close to January; what's keeping us from receiving shims signed with the new 2023 certs? It seems Neal said that Microsoft would start signing with the new certs in October of last year. Am I missing something?

Thanks for your time,
Mateus Rodrigues Costa

--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
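The question the thread keeps coming back to is which CA certificates a given machine's db and KEK actually hold and when each one expires. The script below is an added example, not part of this thread and not code from fwupd, shim or Microsoft: it parses the EFI_SIGNATURE_LIST format used by the db/dbx/KEK variables (as read from efivarfs, where the first four bytes are attribute flags) with a minimal DER walker, and reports every X.509 entry's subject, issuer and notAfter date, flagging those that expire on or before a chosen deadline. The "Example UEFI CA 2011/2023" names, the "Example Root" issuer and the embedded sample blob are constructed placeholders (unsigned, not real Microsoft certificates) so that it runs offline; on a real system point it at /sys/firmware/efi/efivars/db-d719b2cb-3a4d-411a-af5d-4a1eb8acf9ec or KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c (those are the standard UEFI variable GUIDs).

```python
"""Report the X.509 certificates in a UEFI signature database (db / KEK).

EFI_SIGNATURE_LIST layout (UEFI spec):
  GUID SignatureType | u32 ListSize | u32 HeaderSize | u32 SignatureSize
  | header[HeaderSize] | entries: (GUID Owner | data[SignatureSize-16]) ...
The sample blob at the bottom is constructed for an offline run; it is
NOT a real Microsoft certificate.
"""
import datetime as dt
import struct
import sys
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
OID_CN = bytes.fromhex("550403")  # id-at-commonName 2.5.4.3


# ---- minimal DER decoding (enough for subject / issuer / validity) -------
def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(buf):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = der_read(buf, pos)
        yield tag, val


def x509_name_cn(name_der):
    """commonName from an X.501 Name: SEQUENCE OF SET OF SEQUENCE{OID, value}."""
    for _, rdn in der_children(name_der):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = list(der_children(atv))[:2]
            if oid == OID_CN:
                return val.decode("utf-8", "replace")
    return "<no CN>"


def x509_summary(cert_der):
    """Return (subject_cn, issuer_cn, not_after) from a DER certificate."""
    _, cert, _ = der_read(cert_der)
    tbs = next(der_children(cert))[1]       # tbsCertificate
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, ...
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    tag, not_after = list(der_children(validity))[1]
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return x509_name_cn(subject), x509_name_cn(issuer), dt.datetime.strptime(not_after.decode(), fmt)


# ---- EFI_SIGNATURE_LIST parsing ----------------------------------------
def parse_esl(blob):
    """Yield (type_guid, owner_guid, data) for every entry in a variable payload."""
    pos = 0
    while pos + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        if list_size < 28 or sig_size < 16:
            break                           # malformed list; stop rather than loop
        entry, end = pos + 28 + hdr_size, pos + list_size
        while entry + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[entry:entry + 16])
            yield sig_type, owner, blob[entry + 16:entry + sig_size]
            entry += sig_size
        pos = end


def read_efivar(path):
    """Read an efivarfs file; the first 4 bytes are the variable attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]


def report(blob, deadline=dt.datetime(2026, 12, 31)):
    """List (subject, issuer, not_after, expires_by_deadline) for X.509 entries."""
    rows = []
    for sig_type, _, data in parse_esl(blob):
        if sig_type == EFI_CERT_X509_GUID:
            subject, issuer, expiry = x509_summary(data)
            rows.append((subject, issuer, expiry, expiry <= deadline))
    return rows


# ---- constructed sample data (placeholder certs, no real signature) -----
def der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def fake_cert(subject_cn, issuer_cn, not_after):
    """Syntactically valid, unsigned placeholder certificate for testing."""
    def name(cn):
        atv = der(0x30, der(0x06, OID_CN) + der(0x13, cn.encode()))
        return der(0x30, der(0x31, atv))
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    validity = der(0x30, der(0x17, b"110101000000Z") + der(0x17, not_after.encode()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name(issuer_cn) + validity + name(subject_cn)
              + der(0x30, alg + der(0x03, b"\x00")))   # placeholder SPKI
    return der(0x30, tbs + alg + der(0x03, b"\x00"))


def build_esl(certs):
    """One EFI_SIGNATURE_LIST per certificate, as firmware typically stores them."""
    out = b""
    for c in certs:
        sig_size = 16 + len(c)
        out += EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
        out += uuid.UUID(int=0).bytes_le + c
    return out


# Constructed: a 2011-era CA expiring June 2026 beside its 2023 successor.
SAMPLE_DB = build_esl([
    fake_cert("Example UEFI CA 2011", "Example Root", "260627000000Z"),
    fake_cert("Example UEFI CA 2023", "Example Root", "380101000000Z"),
])

if __name__ == "__main__":
    blob = read_efivar(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DB
    for subject, issuer, expiry, soon in report(blob):
        print(f"{subject:32} issued by {issuer:24} valid until {expiry:%Y-%m-%d}  "
              f"{'EXPIRES BY DEADLINE' if soon else 'ok'}")
```

Run it without arguments to see the constructed sample, or with an efivarfs path to inspect a live system; the dbx works the same way but mostly holds SHA-256 hash entries, which this script skips because only X.509 entries have an expiry. Note that the 2023 KEK certificate lives in KEK, while the UEFI CA and Windows CA entries live in db, so both variables need checking.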
