From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [edk2-devel] ArmPlatformPkg: does SecureBootDefaultKeys.fdf.inc need updated to add more DB files?
To: "Rebecca Cran", devel@edk2.groups.io
From: "Doug Flick via groups.io"
Date: Tue, 05 Nov 2024 08:46:25 -0800
Message-ID: <25796.1730825185023888175@groups.io>
Reply-To: devel@edk2.groups.io,dougflick@microsoft.com
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; markup=markdown

Hey Rebecca!

We actually have the following repo on [github/secureboot_objects](https://github.com/microsoft/secureboot_objects) where you can get Secure Boot default releases and ask questions directly to the team that manages secure boot at Microsoft.

To answer your question,

The 2011 certificates are expiring in 2026 so we're beginning a transition away from them.

The expiring certificates are:
```
DB: Microsoft Windows Production PCA 2011
DB: Microsoft Corporation UEFI CA 2011 (Third Party)
KEK: Microsoft Corporation KEK CA 2011
```

The new certificates are:
```
DB: Windows UEFI CA 2023
DB: Microsoft UEFI CA 2023 (Third Party)
DB: Microsoft Option ROM UEFI CA 2023 (Only Option Roms (New behavior meant to improve configurability))
KEK: Microsoft Corporation KEK 2K CA 2023
```

Right now the guidance is to include both sets of certificates to provide the most compatibility during the transition and then at a point further in the future we'll begin removing the 2011 certificates from the default.

-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links:
View/Reply Online (#120736): https://edk2.groups.io/g/devel/message/120736
-=-=-=-=-=-=-=-=-=-=-=-