foresight / warning: Microsoft certificates from 2011 will probably be replaced by certs from 2023. about sbctl HOT 9 OPEN

@conrad-heimbold Hey! We saw your issue and we updated the certificates to DER format (just with a .crt extension)! As of right now the only thing the 2023 Windows production CA has signed is a UEFI Testing Application. We're working with our partners to make sure db append actually appends.

from sbctl.

@Flickdm Microsoft Corporation KEK 2K CA 2023 is still base64.

from sbctl.

@Flickdm Thanks for fixing this :)

from sbctl.

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-microsoft-secure-boot-keys/ba-p/4055324

Should implement this soon :)

from sbctl.

It's a bit more complicated.

There are also going to be several new certs so you can use different certs for OpROM and Linux distros and so on. This will be implemented when it becomes relevant.

from sbctl.

There are also going to be several new certs so you can use different certs for OpROM and Linux distros and so on. This will be implemented when it becomes relevant.

I think it's best to get these into sbctl now, rather then later. Or someone is gonna enroll keys with --microsoft on some new device with drivers that are signed only with the new certificates and find themselves with an expensive paperweight.

According to systemd/systemd#29104 (review), you're supposed to have old and new key installed both now.

from sbctl.

According to systemd/systemd#29104 (review), you're supposed to have old and new key installed both now.

I missed that memo, can probably take a look at it soon'ish.

from sbctl.

Thanks for letting me know! I'm bringing it up internally!

from sbctl.

Just checked, the linked KEK is now der encoded as well!

from sbctl.