Actually it's 4 certificates

Needs to be converted from DER to PEM
The following certificate must be included in db in order to allow the Windows 
OS Loader to load:

Windows UEFI CA 2023 - windows uefi ca 2023.crt
SHA-1 cert hash: 45A0FA32604773C82433C3B7D59E7466B3AC0C67.
SignatureOwner GUID: {77fa9abd-0359-4d32-bd60-28f4e78f784b}.
Microsoft will provide the certificate to partners and it can be added either
as an EFI_CERT_X509_GUID or an EFI_CERT_RSA2048_GUID type signature.
The Windows UEFI CA 2023 can be downloaded from
here: https://go.microsoft.com/fwlink/?linkid=2239776.

Microsoft 3rd Party UEFI CAs and Microsoft Option ROM CA to allow UEFI
drivers and applications from 3rd parties to run on the PC

Microsoft UEFI CA 2023 - microsoft uefi ca 2023.crt
SHA-1 cert hash: B5EEB4A6706048073F0ED296E7F580A790B59EAA.
SignatureOwner GUID: {77fa9abd-0359-4d32-bd60-28f4e78f784b}.
Microsoft will provide the certificate to partners and it can be added either
as an EFI_CERT_X509_GUID or an EFI_CERT_RSA2048_GUID type signature.
The Microsoft UEFI CA 2023 can be downloaded from
here: https://go.microsoft.com/fwlink/?linkid=2239872.

Microsoft Option ROM UEFI CA 2023 - microsoft option rom uefi ca 2023.crt
SHA-1 cert hash: 3FB39E2B8BD183BF9E4594E72183CA60AFCD4277.
SignatureOwner GUID: {77fa9abd-0359-4d32-bd60-28f4e78f784b}.
Microsoft will provide the certificate to partners and it can be added either
as an EFI_CERT_X509_GUID or an EFI_CERT_RSA2048_GUID type signature.
The Microsoft Option ROM UEFI CA 2023 can be downloaded from
here: https://go.microsoft.com/fwlink/?linkid=2284009.


I'm not adding this one
The following Microsoft KEK certificate is required to enable revocation of bad 
images by updating the dbx and potentially for updating db to prepare for newer 
Windows signed images.

Microsoft Corporation KEK 2K CA 2023
SHA-1 cert hash: 459AB6FB5E284D272D5E3E6ABC8ED663829D632B.
SignatureOwner GUID: {77fa9abd-0359-4d32-bd60-28f4e78f784b}.
Microsoft will provide the certificate to partners and it can be added either
as an EFI_CERT_X509_GUID or an EFI_CERT_RSA2048_GUID type signature.
The Microsoft KEK certificate can be downloaded
from: https://go.microsoft.com/fwlink/?linkid=2239775.

Workaround for 1 vm

cd /home/admin/certy
for f in *.crt; do openssl x509 -inform DER -in "$f" -out "${f%.crt}.pem" -outform PEM; done
ls -lah
total 32K
drwxr-x--- 2 root  root  4.0K Jul  2 16:56  .
drwxr-x--- 6 admin admin 4.0K Jul  2 16:45  ..
-rw-r--r-- 1 root  root  1.5K Jul  2 16:49 'microsoft option rom uefi ca 2023.crt'
-rw-r----- 1 root  root  2.0K Jul  2 16:56 'microsoft option rom uefi ca 2023.pem'
-rw-r--r-- 1 root  root  1.5K Jul  2 16:48 'microsoft uefi ca 2023.crt'
-rw-r----- 1 root  root  2.0K Jul  2 16:56 'microsoft uefi ca 2023.pem'
-rw-r--r-- 1 root  root  1.5K Jul  2 16:47 'windows uefi ca 2023.crt'
-rw-r----- 1 root  root  2.0K Jul  2 16:56 'windows uefi ca 2023.pem'

cp /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd \
/var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd_BACKUP

virt-fw-vars -i /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd_BACKUP \
--add-db 77fa9abd-0359-4d32-bd60-28f4e78f784b \
'windows uefi ca 2023.pem' \
-o /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd

INFO: var store range: 0x64 -> 0x40000
INFO: add db cert windows uefi ca 2023.pem
INFO: writing raw edk2 varstore to /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd

cp /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd \
/var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd_BACKUP

virt-fw-vars -i /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd_BACKUP \
--add-db 77fa9abd-0359-4d32-bd60-28f4e78f784b \
'microsoft uefi ca 2023.pem' \
-o /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd

INFO: reading raw edk2 varstore from /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd_BACKUP
INFO: var store range: 0x64 -> 0x40000
INFO: add db cert microsoft uefi ca 2023.pem
INFO: writing raw edk2 varstore to /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd

cp /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd \
/var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd_BACKUP

virt-fw-vars -i /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd_BACKUP \
--add-db 77fa9abd-0359-4d32-bd60-28f4e78f784b \
'microsoft option rom uefi ca 2023.pem' \
-o /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd

INFO: reading raw edk2 varstore from /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd_BACKUP
INFO: var store range: 0x64 -> 0x40000
INFO: add db cert microsoft option rom uefi ca 2023.pem
INFO: writing raw edk2 varstore to /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2151826

Title:
  OVMF certificates and keys not fully updated by latest patches
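
An added example, not part of the original bug comment or of any project's code: a check to run between the DER-to-PEM conversion and the virt-fw-vars --add-db steps, comparing each certificate's SHA-1 thumbprint with the hashes quoted in the comment so that only the expected CAs are enrolled into db. The function names are hypothetical; the file names and pinned hashes are the ones given in the comment.

```shell
#!/usr/bin/env bash
# Added example (function names are hypothetical). Pins are the SHA-1 cert
# hashes quoted in the comment; file names are the ones used there.

# Print the pinned thumbprint for a certificate file name, or fail if unknown.
expected_sha1() {
  case "${1##*/}" in
    'windows uefi ca 2023.'*)              echo 45A0FA32604773C82433C3B7D59E7466B3AC0C67 ;;
    'microsoft uefi ca 2023.'*)            echo B5EEB4A6706048073F0ED296E7F580A790B59EAA ;;
    'microsoft option rom uefi ca 2023.'*) echo 3FB39E2B8BD183BF9E4594E72183CA60AFCD4277 ;;
    *) return 1 ;;
  esac
}

# A certificate thumbprint is the SHA-1 of its DER encoding: hash DER files
# as-is, strip the armor and base64-decode PEM files first.
cert_sha1() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    sed -e '/^-----/d' "$1" | tr -d '\r\n ' | base64 -d
  else
    cat "$1"
  fi | sha1sum | cut -d' ' -f1 | tr 'a-f' 'A-F'
}

# Return 0 only when the file's thumbprint equals its pin.
verify_cert() {
  local want got
  want=$(expected_sha1 "$1") || { echo "NOPIN $1" >&2; return 2; }
  got=$(cert_sha1 "$1")
  [ "$got" = "$want" ] && { echo "OK    $1"; return 0; }
  echo "FAIL  $1: got $got, want $want" >&2
  return 1
}

# Check every *.pem in a directory; fail closed on any mismatch or if none found.
verify_all() {
  local f n=0 rc=0
  for f in "$1"/*.pem; do
    [ -e "$f" ] || continue
    n=$((n + 1))
    verify_cert "$f" || rc=1
  done
  [ "$n" -gt 0 ] && return "$rc"
  return 1
}

# Typical use before enrolling: verify_all /home/admin/certy && virt-fw-vars ...
```

A PEM file holding more than one certificate will not match any pin and is rejected, which is the intended behaviour for a db enrollment input.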
