** Description changed: [ Impact ] * Every OVMF/AAVMF virtual machine with Secure Boot enabled is impacted. * VM variable stores are snapshotted at creation time. Existing VMs only have Microsoft's 2011 Secure Boot CAs in their KEK and db. These CAs expire in 2026 and Microsoft is transitioning to signing exclusively with 2023 replacements. Without the 2023 CAs, existing VMs will be unable to verify future shim, GRUB, and kernel updates. * On physical hardware, db and KEK updates are deployed via fwupd using authenticated variable writes signed by the appropriate keys. This is not possible for OVMF/AAVMF because the PK private key was intentionally destroyed at variable template generation time. * A DXE driver (FirmwareSecvarUpdater) is added to the firmware CODE volume. It runs at boot, checks for 2011 CAs without their 2023 replacements, and appends the missing certificates using EDK2's Custom Mode mechanism. A version variable prevents re-running on subsequent boots and allows users to remove the added certificates if desired. [ Test Plan ] * Build-time and autopkgtest integration tests are included: 1. Boot a VM with only 2011 CAs enrolled, verify all 2023 CAs are appended to KEK and db. 2. After the driver has run, strip the 2023 CAs and reboot. Verify the version guard prevents re-adding them. 3. Same as (1) for AAVMF (aarch64). [ Where problems could occur ] * If the driver encounters an error (e.g. variable store full), it fails gracefully without preventing boot and retries on the next boot. * The driver only acts on variable stores containing the expected 2011 CAs. * If a user removes the 2023 CAs after the driver has run, the version guard ensures they are not re-added. [ Other Info ] * Certificate mappings: - KEK: MS KEK CA 2011 -> MS KEK 2K CA 2023 - db: Windows Production PCA 2011 -> Windows UEFI CA 2023 - db: MS UEFI CA 2011 -> MS UEFI CA 2023 + MS Option ROM CA 2023 * The driver is added to all virtual platform builds with Secure Boot support. Future certificate rotations require only adding rows to the update rules table and bumping the version constant. + + * "Reset Secure Boot Keys" works exactly the same as it did before this change, + it clears all Secure Boot keys and brings the system to Setup Mode.
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2146560 Title: [FFe + SRU] edk2: Introduce FirmwareSecvarUpdater for MS 2023 CA rollout To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2146560/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
