Actually it's 4 certificates
Needs to be converted from DER to PEM
The following certificate must be included in db in order to allow the Windows
OS Loader to load:
Windows UEFI CA 2023 - windows uefi ca 2023.crt
SHA-1 cert hash: 45A0FA32604773C82433C3B7D59E7466B3AC0C67.
SignatureOwner GUID: {77fa9abd-0359-4d32-bd60-28f4e78f784b}.
Microsoft will provide the certificate to partners and it can be added either
as an EFI_CERT_X509_GUID or an EFI_CERT_RSA2048_GUID type signature.
The Windows UEFI CA 2023 can be downloaded from
here: https://go.microsoft.com/fwlink/?linkid=2239776.
Microsoft 3rd Party UEFI CAs and Microsoft Option ROM CA to allow UEFI
drivers and applications from 3rd parties to run on the PC
Microsoft UEFI CA 2023 - microsoft uefi ca 2023.crt
SHA-1 cert hash: B5EEB4A6706048073F0ED296E7F580A790B59EAA.
SignatureOwner GUID: {77fa9abd-0359-4d32-bd60-28f4e78f784b}.
Microsoft will provide the certificate to partners and it can be added either
as an EFI_CERT_X509_GUID or an EFI_CERT_RSA2048_GUID type signature.
The Microsoft UEFI CA 2023 can be downloaded from
here: https://go.microsoft.com/fwlink/?linkid=2239872.
Microsoft Option ROM UEFI CA 2023 - microsoft option rom uefi ca 2023.crt
SHA-1 cert hash: 3FB39E2B8BD183BF9E4594E72183CA60AFCD4277.
SignatureOwner GUID: {77fa9abd-0359-4d32-bd60-28f4e78f784b}.
Microsoft will provide the certificate to partners and it can be added either
as an EFI_CERT_X509_GUID or an EFI_CERT_RSA2048_GUID type signature.
The Microsoft Option ROM UEFI CA 2023 can be downloaded from
here: https://go.microsoft.com/fwlink/?linkid=2284009.
I am not adding this one
The following Microsoft KEK certificate is required to enable revocation of bad
images by updating the dbx and potentially for updating db to prepare for newer
Windows signed images.
Microsoft Corporation KEK 2K CA 2023
SHA-1 cert hash: 459AB6FB5E284D272D5E3E6ABC8ED663829D632B.
SignatureOwner GUID: {77fa9abd-0359-4d32-bd60-28f4e78f784b}.
Microsoft will provide the certificate to partners and it can be added either
as an EFI_CERT_X509_GUID or an EFI_CERT_RSA2048_GUID type signature.
The Microsoft KEK certificate can be downloaded
from: https://go.microsoft.com/fwlink/?linkid=2239775.
Workaround for 1 vm
cd /home/admin/certy
for f in *.crt; do openssl x509 -inform DER -in "$f" -out "${f%.crt}.pem" -outform PEM; done
ls -lah
total 32K
drwxr-x--- 2 root root 4.0K Jul 2 16:56 .
drwxr-x--- 6 admin admin 4.0K Jul 2 16:45 ..
-rw-r--r-- 1 root root 1.5K Jul 2 16:49 'microsoft option rom uefi ca 2023.crt'
-rw-r----- 1 root root 2.0K Jul 2 16:56 'microsoft option rom uefi ca 2023.pem'
-rw-r--r-- 1 root root 1.5K Jul 2 16:48 'microsoft uefi ca 2023.crt'
-rw-r----- 1 root root 2.0K Jul 2 16:56 'microsoft uefi ca 2023.pem'
-rw-r--r-- 1 root root 1.5K Jul 2 16:47 'windows uefi ca 2023.crt'
-rw-r----- 1 root root 2.0K Jul 2 16:56 'windows uefi ca 2023.pem'
cp /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd_BACKUP
virt-fw-vars -i /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd_BACKUP \
--add-db 77fa9abd-0359-4d32-bd60-28f4e78f784b \
'windows uefi ca 2023.pem' \
-o /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd
INFO: var store range: 0x64 -> 0x40000
INFO: add db cert windows uefi ca 2023.pem
INFO: writing raw edk2 varstore to /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd
cp /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd_BACKUP
virt-fw-vars -i /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd_BACKUP \
--add-db 77fa9abd-0359-4d32-bd60-28f4e78f784b \
'microsoft uefi ca 2023.pem' \
-o /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd
INFO: reading raw edk2 varstore from /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd_BACKUP
INFO: var store range: 0x64 -> 0x40000
INFO: add db cert microsoft uefi ca 2023.pem
INFO: writing raw edk2 varstore to /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd
cp /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd_BACKUP
virt-fw-vars -i /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd_BACKUP \
--add-db 77fa9abd-0359-4d32-bd60-28f4e78f784b \
'microsoft option rom uefi ca 2023.pem' \
-o /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd
INFO: reading raw edk2 varstore from /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd_BACKUP
INFO: var store range: 0x64 -> 0x40000
INFO: add db cert microsoft option rom uefi ca 2023.pem
INFO: writing raw edk2 varstore to /var/lib/docker/volumes/libvirtd/_data/qemu/nvram/instance-00001ae5_VARS.fd
--
https://bugs.launchpad.net/bugs/2151826
Title:
OVMF certificates and keys not fully updated by latest patches
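
A post-enrolment check for the workaround above, as an added example that is not part of the original comment or of virt-firmware: it parses a raw db payload (EFI_SIGNATURE_LIST format) and compares the SHA-1 of each X.509 entry with the hashes quoted in the comment. The function names, the sample bytes, and how the raw db payload is obtained are assumptions.

```python
import hashlib
import struct
import uuid

# Values quoted on the page: SignatureOwner GUID and SHA-1 hashes of the db certs.
OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
EXPECTED_DB_SHA1 = {
    "45A0FA32604773C82433C3B7D59E7466B3AC0C67": "Windows UEFI CA 2023",
    "B5EEB4A6706048073F0ED296E7F580A790B59EAA": "Microsoft UEFI CA 2023",
    "3FB39E2B8BD183BF9E4594E72183CA60AFCD4277": "Microsoft Option ROM UEFI CA 2023",
}
# SignatureType GUID of X.509 entries, from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
HDR = struct.Struct("<16sIII")  # type, list size, header size, signature size

def build_x509_siglist(owner, der):
    """Pack one DER certificate as an EFI_SIGNATURE_LIST (sample data only)."""
    sig_size = 16 + len(der)  # SignatureOwner GUID + certificate bytes
    head = HDR.pack(EFI_CERT_X509_GUID.bytes_le, HDR.size + sig_size, 0, sig_size)
    return head + owner.bytes_le + der

def parse_db(blob):
    """Return (owner GUID, SHA-1 hex) for each X.509 entry in a raw db payload."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = HDR.unpack_from(blob, off)
        end = off + list_size
        if list_size < HDR.size + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos = off + HDR.size + hdr_size
        while pos + sig_size <= end:
            if uuid.UUID(bytes_le=sig_type) == EFI_CERT_X509_GUID:
                owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
                der = blob[pos + 16:pos + sig_size]
                entries.append((owner, hashlib.sha1(der).hexdigest().upper()))
            pos += sig_size
        off = end
    return entries

def audit_db(blob):
    """Return (expected certs missing from db, SHA-1s in db the page does not list)."""
    found = {sha1 for _, sha1 in parse_db(blob)}
    missing = sorted(n for h, n in EXPECTED_DB_SHA1.items() if h not in found)
    return missing, sorted(found - set(EXPECTED_DB_SHA1))

# Constructed bytes standing in for a DER certificate; not a real certificate.
SAMPLE_DB = build_x509_siglist(OWNER, b"\x30\x82\x00\x04demo")
```

On a booted Linux guest the raw payload is the content of /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f after its first 4 attribute bytes; an empty `missing` list from `audit_db` means all three db certificates named in the comment are present.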