It's dead, Jim – the old Microsoft UEFI CA from 2011 expired yesterday (einval.com)

Source: https://www.einval.com/~steve/
Steve's blog, The Words of the Sledge
steve@einval.com

I previously wrote about the upcoming UEFI CA rollover. Well, it's
happened now - the old Microsoft UEFI CA from 2011 expired yesterday:

Third Party Marketplace Root (used for signing option ROMs and other software)

    Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
    Validity
        Not Before: Jun 27 21:22:45 2011 GMT
        Not After : Jun 27 21:32:45 2026 GMT

The world doesn't seem to have ended yesterday, so I guess we did
ok? :-)

After a lot of prodding behind the scenes, Debian and many other
distributions managed to get new shim binaries dual-signed with both
the old and new CAs. The members of the shim-review team did a
sterling job with reviews in the last few weeks. Since I started
pushing people in May, we've had 21 reviews accepted successfully -
see here
for the list. Great stuff! Microsoft have also been working quickly -
many of those shim submissions were accepted and signed by Microsoft
very quickly too, with a turnaround time of less than 1 day in some
cases.

Not all of those signed shims have been published and used by the
distros involved yet, but expect to see them in the wild in the coming
weeks and months.

These binaries should be good for people to use for the foreseeable
future, until either we need to do another CA rollover or (sadly, more
likely) we find an issue in shim that necessitates a new release.

We already have one of our new dual-signed shim binaries in place in
Debian, in unstable and testing (Forky) right now. In a couple of
weeks from now, we'll be rolling out very similar new dual-signed shim
binaries in the next point releases for Debian 12 (bookworm) and
Debian 13 (trixie). We'll also be upgrading fwupd in both those point
releases, to make DB and KEK updates work better.

For more information about these updates, see
https://wiki.debian.org/SecureBoot/CAChanges. For your own safety,
validate that your systems are updated when possible. If you don't,
they may fail to boot in future.
