On Mon, May 04, 2026 at 03:12:16PM -0700, Ted Mittelstaedt wrote:
>
> > -----Original Message-----
> > From: PLUG <[email protected]> On Behalf Of Loren M. Lang
> > Sent: Monday, May 4, 2026 2:45 AM
> > To: Portland Linux/Unix Group <[email protected]>
> > Cc: [email protected]; [email protected]; 'Off-topic and
> > potentially flammable discussion' <[email protected]>
> > Subject: Re: [PLUG] [PLUG-ANNOUNCE] Speaker for May General Meeting?
>
> > Generally, the install doesn't add new root keys, although firmware/BIOS
> > updates can update the keys in the UEFI firmware variables. These are
> > generally signed by the PK that the BIOS vendor embeds in the firmware to
> > begin with.
>
> That is the part I missed.
>
> One of my machines at work is a Microsoft Surface Studio. MS distributes
> BIOS updates directly for this via Windows Updates. I just went through
> reinstalling Windows on it (since its CPU is a generation 6 Core i7, thus
> not "officially supported" for Windows 11, you must reinstall every time they
> release a new build).
>
> The Secure Boot key in the BIOS was NOT updated. ¯\_(ツ)_/¯
Interesting, I wasn't planning on including any commands for Windows users
in the talk, but maybe I should drop a couple.

A quick summary of the chain of trust:

PK -> KEK -> db -> OS bootloader

While prepping for this talk, I spent time experimenting with a Lenovo
ThinkCentre M910x which came out in 2017 and is no longer supported now.
Because it's a 6th Gen i7, it's too old for Windows 11 officially and is
still running Windows 10, but all updates have been applied, including all
optional driver updates according to Windows Update. I also ran the Lenovo
tools and applied all BIOS updates available. After a few reboots and
resetting Secure Boot back to Factory Defaults, it still only included the
2011 certificates in the Secure Boot databases PK, KEK, and db.

I then tried one last experiment using some black magic. I forced the Secure
Boot Updater task service to run on Windows 10 and found that even without a
reboot, the db database had been updated and now included the "Windows UEFI
CA 2023". This is the CA root used to sign all Windows bootloaders/kernels,
so this system can technically receive security updates for the Windows OS
post-June, if any happen to come out.

https://techcommunity.microsoft.com/blog/windows-itpro-blog/updating-microsoft-secure-boot-keys/4055324

However, it did not add the "Microsoft UEFI CA 2023" certificate, which is
used to sign "third-party" operating systems such as Linux, or the
"Microsoft Option ROM UEFI CA 2023" certificate, which is used to sign
Option ROMs that run during boot in hardware add-in cards. However, this
only affects those cases where they were updated post-June. Technically,
you should still be able to run OSes/ROMs last updated and signed prior to
the end of June. As all of these certificates are signed by the Microsoft
KEK, it should be possible to update them from Linux using the official
signature blobs from Microsoft's GitHub repo.
As far as I can tell, as they came out in 2023 originally, they are all
signed by the original "Microsoft Corporation KEK CA 2011" KEK certificate,
which is the authority for all updates to the db list of certificates.

One other notable certificate that is missing from this list is the
"Microsoft Corporation KEK 2K CA 2023" KEK certificate. This would need to
be signed by a signature blob with the PK certificate, which is
vendor-specific. If Lenovo doesn't produce it, then there's no way to update
it without temporarily disabling Secure Boot. However, it's only needed if
there are newer updates needed for the db list, and that won't be a concern
for another 15 years.

https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e

> I guess MS's policy is "if it's not gen 8 or better then FU even if we
> manufactured it and you are running our crappy software on it"
>
> Sigh.
>
> Ted
>

--
Loren M. Lang
[email protected]
http://www.north-winds.org/
IRC: penguin359
Public Key: http://www.north-winds.org/lorenl_pubkey.asc
Fingerprint: 7896 E099 9FC7 9F6C E0ED E103 222D F356 A57A 98FA
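The check Loren describes (which Microsoft CAs are present in PK, KEK and db, and which 2023 ones are still missing) can be done from Linux by walking the EFI_SIGNATURE_LIST structures that efivarfs exposes. The script below is an added example for this thread, not code from the talk, from Lenovo or from Microsoft. It assumes efivarfs is mounted at /sys/firmware/efi/efivars (each variable file starts with a 4-byte attribute word); where the variables are not readable it falls back to a constructed sample blob whose "certificates" are placeholder bytes, not real DER. Certificate identification is a substring search for the subject CN inside the DER bytes, a deliberate shortcut that avoids an X.509 parser; the SignatureOwner GUID in the sample is made up.

```python
"""Inspect UEFI Secure Boot databases (PK, KEK, db) for the Microsoft CAs
discussed in the thread.

Added example, not code from the thread or from Microsoft. Reads the live
efivarfs variables when present, otherwise runs on a constructed sample.
"""
import os
import struct
import uuid

# GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # PK, KEK
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e8b0b5d"  # db, dbx
EFIVARS = "/sys/firmware/efi/efivars"  # assumed mount point
# EFI_SIGNATURE_LIST: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
ESL_HEADER = struct.Struct("<16sIII")

# Subject CNs of the certificates the thread talks about (2011 roots plus
# their 2023 replacements). The CN is stored as plain text inside the DER
# certificate, so a substring search is enough to spot it.
KNOWN_CAS = (
    "Microsoft Windows Production PCA 2011",
    "Microsoft Corporation UEFI CA 2011",
    "Microsoft Corporation KEK CA 2011",
    "Windows UEFI CA 2023",
    "Microsoft UEFI CA 2023",
    "Microsoft Option ROM UEFI CA 2023",
    "Microsoft Corporation KEK 2K CA 2023",
)
# Which of the 2023 CAs belong in which database.
EXPECTED_2023 = {
    "KEK": ("Microsoft Corporation KEK 2K CA 2023",),
    "db": ("Windows UEFI CA 2023", "Microsoft UEFI CA 2023",
           "Microsoft Option ROM UEFI CA 2023"),
}


def parse_esl(blob):
    """Parse a concatenation of EFI_SIGNATURE_LIST structures (the stored form
    of PK/KEK/db/dbx) into (signature_type, owner, data) tuples. Raises
    ValueError on a truncated or inconsistent list rather than looping."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST at offset %d" % off)
        type_raw, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        body = blob[off + ESL_HEADER.size + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize %d at offset %d" % (sig_size, off))
        sig_type = uuid.UUID(bytes_le=type_raw)
        for i in range(0, len(body), sig_size):  # each EFI_SIGNATURE_DATA
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def read_efivar(name, guid):
    """Variable payload from efivarfs with the 4-byte attribute word stripped,
    or None if the variable is absent or unreadable."""
    try:
        with open(os.path.join(EFIVARS, "%s-%s" % (name, guid)), "rb") as f:
            return f.read()[4:]
    except OSError:
        return None


def report(name, blob):
    """Entry counts by type, known CAs found, and 2023 CAs still missing."""
    entries = parse_esl(blob)
    found = set()
    for sig_type, _owner, data in entries:
        if sig_type == EFI_CERT_X509_GUID:
            found.update(cn for cn in KNOWN_CAS if cn.encode("ascii") in data)
    return {
        "x509": sum(1 for t, _, _ in entries if t == EFI_CERT_X509_GUID),
        "sha256": sum(1 for t, _, _ in entries if t == EFI_CERT_SHA256_GUID),
        "known": sorted(found),
        "missing_2023": [cn for cn in EXPECTED_2023.get(name, ()) if cn not in found],
    }


def build_esl(sig_type, owner, items):
    """Serialise one EFI_SIGNATURE_LIST with no signature header; all items
    must have the same length, as the format requires."""
    sig_size = 16 + len(items[0])
    body = b"".join(owner.bytes_le + item for item in items)
    return ESL_HEADER.pack(sig_type.bytes_le, ESL_HEADER.size + len(body), 0, sig_size) + body


def sample_db():
    """Constructed stand-in for a db variable: two X.509 lists whose entries
    are placeholder bytes containing only the subject CN (not valid DER),
    plus one SHA-256 hash list. Owner GUID is made up."""
    owner = uuid.UUID("00000000-0000-4000-8000-000000000001")
    fake = lambda cn: b"\x30\x82" + cn.encode("ascii") + bytes(8)
    return (build_esl(EFI_CERT_X509_GUID, owner, [fake("Microsoft Corporation UEFI CA 2011")])
            + build_esl(EFI_CERT_X509_GUID, owner, [fake("Windows UEFI CA 2023")])
            + build_esl(EFI_CERT_SHA256_GUID, owner, [bytes(32)]))


if __name__ == "__main__":
    for name, guid in (("PK", EFI_GLOBAL_VARIABLE), ("KEK", EFI_GLOBAL_VARIABLE),
                       ("db", EFI_IMAGE_SECURITY_DATABASE)):
        blob = read_efivar(name, guid)
        if blob is None:
            print("%s: not readable here, using constructed sample" % name)
            blob = sample_db()
        r = report(name, blob)
        print("%s: %d X.509 + %d SHA-256 entries; known CAs: %s; missing 2023 CAs: %s"
              % (name, r["x509"], r["sha256"], ", ".join(r["known"]) or "none",
                 ", ".join(r["missing_2023"]) or "none"))
```

On a real machine the same information is what `mokutil --db` / `mokutil --kek` or `efi-readvar -v db` print; the point of doing it by hand is to see the ESL layout that the signed update blobs also use, since an authenticated variable write appends exactly these structures, and only a blob signed by a KEK entry can land in db (or by the PK, for KEK). On the ThinkCentre from the thread the expected result is "Windows UEFI CA 2023" present in db and the other two 2023 db CAs reported missing.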