Hello all,

First of all, Happy New Year.
Second of all, let's talk Secure Boot in 2026.

So as you might remember from a previous thread [1], Microsoft's
Secure Boot certificates are expiring in 2026 (around June) and thanks
to LVFS and fwupd most Linux users on UEFI systems should have already
received compatible updates for their devices.

However, I was looking more specifically at the Microsoft Windows
Production PCA 2011 certificate (which signs the Windows bootloader)
and, since it seems it can't be updated under Linux, I looked into
how to update it via Windows ToGo and hit a very interesting page on
Microsoft's handling of CVE-2023-24932 (BlackLotus) [2].

The page provides mitigations which include:
1) The install of the new 2023 certificate on the device
2) Replacing the bootloader with one signed with the new certificate
3) Revoking the old certificate via the dbx
4) Applying SVN (Secure Version Number)

Some of the rationale Microsoft has on their handling:

> NOTE: Instead of trying to exhaustively list and untrust vulnerable boot 
> managers as we did in the previous deployment phases, we are adding the 
> “Windows Production PCA 2011” signing certificate to the Secure Boot Disallow 
> List (DBX) to untrust all boot managers signed by this certificate. This is a 
> more reliable method for ensuring that all previous boot managers are 
> untrusted.

It seems that all of these changes will take effect in January
2026 or later for Windows users, and by then they won't be reversible:

> The Enforcement Phase will not begin before January 2026, and we will give at 
> least six months of advance warning in this article before this phase begins.

So, a few questions:

1) Even though most of us probably won't run Windows, should we as
Linux users worry if the Windows bootloader signing certificate hasn't
been upgraded from the 2011 version to the 2023 version?
2) What will happen to the revocation of the 2011 certificate on
Linux? Will it follow the same schedule as Microsoft's, in the form of
a new dbx at around the same time? Or will we just wait for it to
expire over time?

[1] 
https://lists.fedoraproject.org/archives/list/[email protected]/thread/PVHIMLYYFZZ6UVGKF5D6F6GAYPYEL27A/
[2] 
https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d

Thanks for your time,
Mateus Rodrigues Costa
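As an added example (not part of this post, nor Fedora, fwupd or Microsoft tooling), here is a small Python check for the state behind questions 1 and 2 on a Linux box: it parses the db and dbx variables from efivarfs as chains of EFI_SIGNATURE_LIST structures and reports whether the 2023 Windows UEFI CA is trusted and whether the 2011 PCA certificate has been pushed into dbx. The CA subject names other than "Windows Production PCA 2011", the efivarfs path and the UEFI GUIDs are values I know from the public certificates and the UEFI spec; build_esl, evaluate and the other function names are my own.

```python
import struct, uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
IMAGE_SECURITY_DB_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # GUID shared by db and dbx
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# Subject CN fragments of the Microsoft CAs (assumed from the public certificates). DER
# stores them as plain ASCII, so a substring match on the certificate body identifies them.
KNOWN_CAS = (b"Microsoft Windows Production PCA 2011", b"Windows UEFI CA 2023",
             b"Microsoft Corporation UEFI CA 2011", b"Microsoft UEFI CA 2023")

def parse_esl(blob):
    """Walk consecutive EFI_SIGNATURE_LISTs; yield (type GUID, owner GUID, signature data)."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos = off + 28 + hdr_size
        while pos + sig_size <= off + list_size:
            yield sig_type, uuid.UUID(bytes_le=blob[pos:pos + 16]), blob[pos + 16:pos + sig_size]
            pos += sig_size
        off += list_size

def find_known_cas(blob):
    """Names of the known Microsoft CAs present as X.509 entries in this variable."""
    return {n.decode() for t, _, data in parse_esl(blob) if t == EFI_CERT_X509_GUID
            for n in KNOWN_CAS if n in data}

def evaluate(db_blob, dbx_blob):
    # "revoked" here means the whole 2011 certificate is in dbx, as the Microsoft page
    # describes; per-boot-manager SHA-256 hashes in dbx are not counted.
    db, dbx = find_known_cas(db_blob), find_known_cas(dbx_blob)
    return {"db": db, "dbx": dbx,
            "ca2023_trusted": "Windows UEFI CA 2023" in db,
            "pca2011_revoked": "Microsoft Windows Production PCA 2011" in dbx}

def read_efivar(name):
    # efivarfs prefixes each variable's data with a 4-byte attributes word.
    return (EFIVARS / f"{name}-{IMAGE_SECURITY_DB_GUID}").read_bytes()[4:]

def build_esl(sig_type, data, owner=uuid.UUID(int=0)):
    """One-entry EFI_SIGNATURE_LIST, used only to construct offline sample input."""
    sig_size = 16 + len(data)
    return sig_type.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size) + owner.bytes_le + data

if __name__ == "__main__":  # live check; needs read access to efivarfs on a UEFI Linux system
    print(evaluate(read_efivar("db"), read_efivar("dbx")))
```

A dbx that lists only boot-manager hashes (the earlier deployment phases) will still report pca2011_revoked as False, which is exactly the distinction the quoted Microsoft note draws.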
-- 
_______________________________________________
devel mailing list -- [email protected]