public inbox for devel@edk2.groups.io
From: "Doug Flick via groups.io" <dougflick=microsoft.com@groups.io>
To: "Rebecca Cran" <rebecca@bsdio.com>, devel@edk2.groups.io
Subject: Re: [edk2-devel] ArmPlatformPkg: does SecureBootDefaultKeys.fdf.inc need updated to add more DB files?
Date: Tue, 05 Nov 2024 08:46:25 -0800
Message-ID: <25796.1730825185023888175@groups.io>
In-Reply-To: <d55686e3-cb32-4113-8521-99ea4800c839@bsdio.com>


Hey Rebecca!

We actually have the following repo on [github/secureboot_objects](https://github.com/microsoft/secureboot_objects) where you can get Secure Boot default releases and ask questions directly to the team that manages secure boot at Microsoft.

To answer your question,

The 2011 certificates are expiring in 2026 so we're beginning a transition away from them.

The expiring certificates are:

```
DB: Microsoft Windows Production PCA 2011
DB: Microsoft Corporation UEFI CA 2011 (Third Party)
KEK: Microsoft Corporation KEK CA 2011
```

The new certificates are:

```
DB: Windows UEFI CA 2023
DB: Microsoft UEFI CA 2023 (Third Party)
DB: Microsoft Option ROM UEFI CA 2023 (Only Option Roms (New behavior meant to improve configurability))
KEK: Microsoft Corporation KEK 2K CA 2023
```

Right now the guidance is to include both sets of certificates to provide the most compatibility during the transition, and then at a point further in the future we'll begin removing the 2011 certificates from the default.
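
An added example, not part of the original message and not code from edk2 or the secureboot_objects repo: a check that a db image in `EFI_SIGNATURE_LIST` format carries both the 2011 and 2023 db certificates named above. It assumes the certificate names from the message appear as ASCII text in each certificate's DER (a heuristic that also matches issuer fields, not a full X.509 parse); `missing_db_certs` and `make_esl` are hypothetical helper names, and the sample db is constructed.

```python
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification, in on-disk (mixed-endian) form
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le
HDR = 28  # SignatureType (16) + three UINT32 size fields

# db certificate names as listed in the message
DB_2011 = ["Microsoft Windows Production PCA 2011", "Microsoft Corporation UEFI CA 2011"]
DB_2023 = ["Windows UEFI CA 2023", "Microsoft UEFI CA 2023",
           "Microsoft Option ROM UEFI CA 2023"]

def iter_x509(blob):
    """Yield SignatureData of each X.509 entry in concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HDR + hdr_size or off + list_size > len(blob) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        body = blob[off + HDR + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"entries do not fill the list at offset {off}")
        if blob[off:off + 16] == X509_GUID:
            for i in range(0, len(body), sig_size):
                yield body[i + 16:i + sig_size]  # skip the SignatureOwner GUID
        off += list_size

def missing_db_certs(blob):
    """Names from both sets that are absent (heuristic: subject text in the DER)."""
    certs = list(iter_x509(blob))
    return [n for n in DB_2011 + DB_2023 if not any(n.encode() in c for c in certs)]

def make_esl(name):
    """Constructed sample: one-entry list whose 'certificate' is a placeholder blob."""
    data = b"\x30\x82\x00\x00" + name.encode()  # not a real certificate
    size = 16 + len(data)
    return X509_GUID + struct.pack("<III", HDR + size, 0, size) + bytes(16) + data

if __name__ == "__main__":
    # Constructed db that carries only part of the 2023 set
    db = b"".join(make_esl(n) for n in DB_2011 + ["Windows UEFI CA 2023"])
    print("missing:", missing_db_certs(db))
```

When the input comes from a variable file under Linux efivarfs, strip the leading 4-byte attributes field before passing the data in.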



