public inbox for devel@edk2.groups.io
* [edk2-devel] ArmPlatformPkg: does SecureBootDefaultKeys.fdf.inc need updated to add more DB files?
@ 2024-11-05  7:26 Rebecca Cran
  2024-11-05 16:46 ` Doug Flick via groups.io
  0 siblings, 1 reply; 5+ messages in thread
From: Rebecca Cran @ 2024-11-05  7:26 UTC (permalink / raw)
  To: Leif Lindholm, Ard Biesheuvel, Sami Mujawar; +Cc: devel@edk2.groups.io

I've been following https://github.com/edk2-porting/edk2-rk3588/issues/69 to add Secure Boot support, and found this page that has guidance from Microsoft: https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11


Currently ArmPlatformPkg/SecureBootDefaultKeys.fdf.inc supports 3 DB 
files, but the Microsoft page appears to have 5 available for download?


Microsoft Windows Production PCA 2011

https://go.microsoft.com/fwlink/p/?linkid=321192

Windows UEFI CA 2023

https://go.microsoft.com/fwlink/?linkid=2239776

Microsoft Corporation UEFI CA 2011

https://go.microsoft.com/fwlink/p/?linkid=321194

Microsoft UEFI CA 2023

https://go.microsoft.com/fwlink/?linkid=2239872

Microsoft Option ROM UEFI CA 2023

https://go.microsoft.com/fwlink/?linkid=2284009


The RPi4 CI script 
(https://github.com/pftf/RPi4/blob/master/.github/workflows/linux_edk2.yml#L50-L58) 
downloads these 4:

curl -L https://go.microsoft.com/fwlink/?linkid=321192 -o keys/ms_db1.cer
curl -L https://go.microsoft.com/fwlink/?linkid=321194 -o keys/ms_db2.cer
curl -L https://go.microsoft.com/fwlink/?linkid=2239776 -o keys/ms_db3.cer
curl -L https://go.microsoft.com/fwlink/?linkid=2239872 -o keys/ms_db4.cer


Do we only want 3 of the available files, or are all of them relevant?


-- 
Rebecca Cran



-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#120715): https://edk2.groups.io/g/devel/message/120715
Mute This Topic: https://groups.io/mt/109402104/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-




* Re: [edk2-devel] ArmPlatformPkg: does SecureBootDefaultKeys.fdf.inc need updated to add more DB files?
  2024-11-05  7:26 [edk2-devel] ArmPlatformPkg: does SecureBootDefaultKeys.fdf.inc need updated to add more DB files? Rebecca Cran
@ 2024-11-05 16:46 ` Doug Flick via groups.io
  2024-11-08  2:26   ` Rebecca Cran
  0 siblings, 1 reply; 5+ messages in thread
From: Doug Flick via groups.io @ 2024-11-05 16:46 UTC (permalink / raw)
  To: Rebecca Cran, devel


Hey Rebecca!

We actually have the following repo on [github/secureboot_objects](https://github.com/microsoft/secureboot_objects) where you can get Secure Boot default releases and ask questions directly to the team that manages secure boot at Microsoft.

To answer your question,

The 2011 certificates are expiring in 2026 so we're beginning a transition away from them.

The expiring certificates are:

```
DB: Microsoft Windows Production PCA 2011
DB: Microsoft Corporation UEFI CA 2011 (Third Party)
KEK: Microsoft Corporation KEK CA 2011 
```
The new certificates are:

```
DB: Windows UEFI CA 2023
DB: Microsoft UEFI CA 2023 (Third Party)
DB: Microsoft Option ROM UEFI CA 2023 (Only Option Roms (New behavior meant to improve configurability))
KEK: Microsoft Corporation KEK 2K CA 2023
```

Right now the guidance is to include both sets of certificates to provide the most compatibility during the transition, and then at a point further in the future we'll begin removing the 2011 certificates from the default.








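The two messages above list the Microsoft db certificates a platform is expected to carry (the 2011 set that expires in 2026 plus the 2023 set) and show them being fetched as .cer files. What a platform maintainer then wants to verify is which CAs actually ended up in the default db image and when each one expires. The following is an added example, not code from this thread, from edk2 or from Microsoft: it walks a blob of concatenated EFI_SIGNATURE_LIST structures in the layout the UEFI specification defines for db/dbx, pulls the subject CN and notAfter out of each X.509 entry with a minimal DER walker, and flags entries that expire before a chosen cutoff. The sample db is constructed inline from dummy certificates (zero key, zero signature, made-up dates, a placeholder SignatureOwner GUID) that merely reuse the CA names from the thread; on a real platform you would feed it the db blob extracted from the firmware image or from the `db` variable instead.

```python
"""Audit X.509 entries in a UEFI db-style blob of EFI_SIGNATURE_LIST structures.
The sample data at the bottom is constructed for this example: the certificates
are structural dummies, NOT the real Microsoft CA certificates."""
import hashlib
import struct
import uuid
from datetime import datetime, timezone

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
OID_COMMON_NAME = bytes.fromhex("550403")             # 2.5.4.3
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")


def der_read(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_read(buf, pos)
        yield tag, vstart, vend
        pos = vend


def der_time(buf, tag, start, end):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    text = buf[start:end].decode("ascii")
    if tag == 0x17:                                   # YYMMDDHHMMSSZ, RFC 5280 pivot year 50
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def der_common_name(buf, start, end):
    """Return the CN of an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn_s, rdn_e in der_children(buf, start, end):
        for _, atv_s, atv_e in der_children(buf, rdn_s, rdn_e):
            (_, oid_s, oid_e), (_, val_s, val_e) = list(der_children(buf, atv_s, atv_e))
            if buf[oid_s:oid_e] == OID_COMMON_NAME:
                return buf[val_s:val_e].decode("utf-8")
    return None


def cert_summary(cert):
    """Return (subject CN, notAfter) from a DER-encoded X.509 certificate."""
    _, tbs_pos, _ = der_read(cert, 0)                 # Certificate ::= SEQUENCE
    _, start, end = der_read(cert, tbs_pos)           # tbsCertificate ::= SEQUENCE
    fields = list(der_children(cert, start, end))
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, not_after = list(der_children(cert, fields[3][1], fields[3][2]))
    return der_common_name(cert, fields[4][1], fields[4][2]), der_time(cert, *not_after)


def parse_signature_lists(blob):
    """Yield (signature_type, owner, data) for every entry in concatenated EFI_SIGNATURE_LISTs."""
    pos = 0
    while pos < len(blob):
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        first = pos + 28 + hdr_size                   # skip fixed header and SignatureHeader
        for off in range(first, pos + list_size, sig_size):
            owner = uuid.UUID(bytes_le=blob[off:off + 16])  # EFI_SIGNATURE_DATA.SignatureOwner
            yield sig_type, owner, blob[off + 16:off + sig_size]
        pos += list_size


def audit_db(blob, cutoff):
    """One record per X.509 entry; hash-type lists (dbx style) are skipped."""
    report = []
    for sig_type, owner, data in parse_signature_lists(blob):
        if sig_type != EFI_CERT_X509_GUID:
            continue
        cn, not_after = cert_summary(data)
        report.append({"cn": cn, "owner": str(owner), "not_after": not_after.date().isoformat(),
                       "sha256": hashlib.sha256(data).hexdigest(),
                       "expires_before_cutoff": not_after < cutoff})
    return report


# --- constructed sample input (dummy certs, placeholder owner GUID, made-up dates) ---
def der_tlv(tag, content):
    """Minimal DER encoder, used only to build the dummy certificates below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def dummy_cert(cn, not_after_utctime):
    """Structurally valid X.509 DER with a zero key and zero signature (NOT a real CA cert)."""
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, OID_COMMON_NAME)
                                                     + der_tlv(0x0C, cn.encode()))))
    alg = der_tlv(0x30, der_tlv(0x06, OID_RSA_ENCRYPTION))
    validity = der_tlv(0x30, der_tlv(0x17, b"110101000000Z") + der_tlv(0x17, not_after_utctime))
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" * 9))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 9))


def signature_list(sig_type, owner, entries):
    """Pack equally sized entries into one EFI_SIGNATURE_LIST with an empty SignatureHeader."""
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0])) + body


OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")   # placeholder SignatureOwner
SAMPLE_DB = (
    signature_list(EFI_CERT_X509_GUID, OWNER, [dummy_cert("Microsoft Corporation UEFI CA 2011", b"260630000000Z")])
    + signature_list(EFI_CERT_X509_GUID, OWNER, [dummy_cert("Microsoft UEFI CA 2023", b"380101000000Z")])
    + signature_list(EFI_CERT_SHA256_GUID, OWNER, [bytes(32), bytes(range(32))])   # dbx-style hashes
)
CUTOFF = datetime(2027, 1, 1, tzinfo=timezone.utc)


def run_sample():
    """Audit the constructed sample db against CUTOFF."""
    return audit_db(SAMPLE_DB, CUTOFF)


if __name__ == "__main__":
    for rec in run_sample():
        print(rec)
```

The fingerprint field is there so the output can be compared against the published fingerprints of the CA certificates rather than trusting the CN alone; the `expires_before_cutoff` flag is what turns the thread's "2011 certificates expire in 2026" into a check that can run in CI against the platform's built db image.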

* Re: [edk2-devel] ArmPlatformPkg: does SecureBootDefaultKeys.fdf.inc need updated to add more DB files?
  2024-11-05 16:46 ` Doug Flick via groups.io
@ 2024-11-08  2:26   ` Rebecca Cran
  2024-11-18 17:58     ` Doug Flick via groups.io
  0 siblings, 1 reply; 5+ messages in thread
From: Rebecca Cran @ 2024-11-08  2:26 UTC (permalink / raw)
  To: Doug Flick, devel

On 11/5/24 9:46 AM, Doug Flick via groups.io wrote:
>
> Hey Rebecca!
>
> We actually have the following repo on github/secureboot_objects 
> <https://github.com/microsoft/secureboot_objects> where you can get 
> Secure Boot default releases and ask questions directly to the team 
> that manages secure boot at Microsoft.
>
> To answer your question,
>
> The 2011 certificates are expiring in 2026 so we're beginning a 
> transition away from them.
>
> The expiring certificates are:
>
> DB: Microsoft Windows Production PCA 2011
> DB: Microsoft Corporation UEFI CA 2011 (Third Party)
> KEK: Microsoft Corporation KEK CA 2011
>
> The new certificates are:
>
> DB: Windows UEFI CA 2023
> DB: Microsoft UEFI CA 2023 (Third Party)
> DB: Microsoft Option ROM UEFI CA 2023 (Only Option Roms (New behavior meant to improve configurability))
> KEK: Microsoft Corporation KEK 2K CA 2023
>
> Right now the guidance is to include both sets of certificates to 
> provide the most compatibility during the transition and then at a 
> point further in the future we'll begin remove the 2011 certificates 
> from the default.
>
Thanks! I was wondering if you know whether anyone's considered adding 
the repo as a submodule of edk2, probably somewhere under CryptoPkg?


-- 
Rebecca







* Re: [edk2-devel] ArmPlatformPkg: does SecureBootDefaultKeys.fdf.inc need updated to add more DB files?
  2024-11-08  2:26   ` Rebecca Cran
@ 2024-11-18 17:58     ` Doug Flick via groups.io
  2024-11-24 16:50       ` Sean via groups.io
  0 siblings, 1 reply; 5+ messages in thread
From: Doug Flick via groups.io @ 2024-11-18 17:58 UTC (permalink / raw)
  To: Rebecca Cran, devel


I don't think there's any immediate consideration, but I'm certainly not opposed to it if the community is up for it.







* Re: [edk2-devel] ArmPlatformPkg: does SecureBootDefaultKeys.fdf.inc need updated to add more DB files?
  2024-11-18 17:58     ` Doug Flick via groups.io
@ 2024-11-24 16:50       ` Sean via groups.io
  0 siblings, 0 replies; 5+ messages in thread
From: Sean via groups.io @ 2024-11-24 16:50 UTC (permalink / raw)
  To: devel@edk2.groups.io, dougflick@microsoft.com, Rebecca Cran


I don't think it makes sense in edk2. That is a platform responsibility and in general edk2 should not represent the platform.

Thanks
Sean








