Public bug reported: Hello.
During the Resolute cycle, a patch was made as part of 2025.11-3ubuntu7 to update the Windows CA certificate for UEFI. Unfortunately, this is not enough yet to patch for all Secure Boot cert changes for driver signing, etc. as well. According to https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e there are a total of **three items** that need to be updated completely to match Secure Boot requirements.

---
* Windows UEFI CA 2023
* Microsoft Option ROM UEFI CA 2023
* Microsoft Corporation KEK 2K CA 2023
---

The OVMF firmware patch here in Ubuntu adds the first of these certificates to the OVMF secvars. However, the remaining two certificates are NOT updated in the system: the KEK certificate is not updated nor in KEK by default (not sure if this is doable with secvars), and the Option ROM UEFI CA is used for third-party option ROMs and needs updating too.

Basic Windows clients will work with the base UEFI CA 2023 certificate. Servers installed with the option ROM, however, will not function without that additional UEFI CA certificate for the option ROM.

To quote the Microsoft article:

> You may need to take action to ensure that your Windows device remains secure when the certificates expire in 2026. Both UEFI Secure Boot DB and KEK need to be updated with the corresponding new 2023 certificate versions.

---

The patch should be *expanded* to update the two remaining certificates in the secvars and DB and KEK stores if we can. This should be done ASAP, because of the June 2026 expiration dates. (As such I am giving this a High severity.)

** Affects: edk2 (Ubuntu)
     Importance: High
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2151826

Title:
  OVMF certificates and keys not fully updated by latest patches

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2151826/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
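The report turns on which CA certificates are actually present in the db and KEK variables of the OVMF image (the two UEFI CA 2023 certificates in db, the KEK 2K CA 2023 in KEK). The script below is an added example for checking that from inside a guest; it is not part of the bug report or of Ubuntu's edk2/OVMF packaging. It parses the EFI_SIGNATURE_LIST format that db and KEK use (layout and signature-type GUIDs as defined in the UEFI specification), reads the variables from efivarfs, and, when the `cryptography` package is installed, prints each X.509 entry's subject so the three CA names from the report can be grepped for. The SAMPLE_DB blob at the bottom is constructed here with placeholder payloads so the parser can be exercised offline; it is not a real certificate.

```python
"""Parse UEFI db/KEK (EFI_SIGNATURE_LIST) contents to see which CAs are present.

Added example, not from the bug report or from Ubuntu's edk2/OVMF packaging.
GUIDs and layout follow the UEFI specification; SAMPLE_DB is a constructed
blob with placeholder payloads, not real Secure Boot data.
"""
import hashlib
import struct
import uuid
from pathlib import Path

# Signature-type GUIDs from the UEFI specification (Signature Database section).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Vendor GUIDs that form the efivarfs file names.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"         # PK, KEK
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
EFIVARS = Path("/sys/firmware/efi/efivars")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
LIST_HEADER = struct.Struct("<16sIII")
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}


def parse_signature_lists(data: bytes):
    """Return [(signature_type, owner_guid, payload), ...] for every EFI_SIGNATURE_DATA in data."""
    entries, off = [], 0
    while off + LIST_HEADER.size <= len(data):
        type_bytes, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(data, off)
        end = off + list_size
        if list_size < LIST_HEADER.size or end > len(data):
            raise ValueError(f"corrupt EFI_SIGNATURE_LIST at offset {off}")
        if sig_size < 16:  # every EFI_SIGNATURE_DATA starts with a 16-byte SignatureOwner GUID
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        sig_type = uuid.UUID(bytes_le=type_bytes)
        pos = off + LIST_HEADER.size + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    if off != len(data):
        raise ValueError("trailing bytes after the last EFI_SIGNATURE_LIST")
    return entries


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads, header: bytes = b"") -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; all entries in a list must be the same size."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all entries of one EFI_SIGNATURE_LIST must have the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + p for p in payloads)
    list_size = LIST_HEADER.size + len(header) + len(body)
    return LIST_HEADER.pack(sig_type.bytes_le, list_size, len(header), sig_size) + header + body


def read_efivar(name: str, vendor_guid: str) -> bytes:
    """Variable data from efivarfs; the first 4 bytes of the file are the attribute word."""
    return (EFIVARS / f"{name}-{vendor_guid}").read_bytes()[4:]


def subject_of(der: bytes):
    """X.509 subject via the 'cryptography' package if installed and the blob parses, else None."""
    try:
        from cryptography import x509
        return x509.load_der_x509_certificate(der).subject.rfc4514_string()
    except Exception:  # library missing, or payload is not a parseable certificate
        return None


def summarize(entries) -> dict:
    """Count entries per signature type, e.g. {'x509': 3, 'sha256': 2}."""
    counts = {}
    for sig_type, _owner, _payload in entries:
        name = TYPE_NAMES.get(sig_type, str(sig_type))
        counts[name] = counts.get(name, 0) + 1
    return counts


def describe(entry) -> str:
    """One line per entry: subject (or SHA-256 of the DER) for X.509, hex for hash entries."""
    sig_type, owner, payload = entry
    if sig_type == EFI_CERT_X509_GUID:
        label = subject_of(payload) or "sha256(der)=" + hashlib.sha256(payload).hexdigest()
        return f"x509   owner={owner} {label}"
    if sig_type == EFI_CERT_SHA256_GUID:
        return f"sha256 owner={owner} {payload.hex()}"
    return f"{sig_type} owner={owner} {len(payload)} bytes"


# Constructed sample (placeholder bytes, not a certificate): one X.509 list, one SHA-256 list.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
FAKE_CERT = b"\x30\x82\x01\x00" + b"placeholder-not-a-real-certificate"
HASH_A, HASH_B = hashlib.sha256(b"a").digest(), hashlib.sha256(b"b").digest()
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [FAKE_CERT])
             + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [HASH_A, HASH_B]))

if __name__ == "__main__":
    import sys
    for name, vendor in (("db", EFI_IMAGE_SECURITY_DATABASE_GUID), ("KEK", EFI_GLOBAL_VARIABLE_GUID)):
        try:
            entries = parse_signature_lists(read_efivar(name, vendor))
        except OSError as exc:
            print(f"{name}: unreadable ({exc})", file=sys.stderr)
            continue
        print(f"{name}: {summarize(entries)}")
        for e in entries:
            print("  " + describe(e))
```

Run it as root (or any user that can read efivarfs) inside a VM booted from the OVMF image under test; with `cryptography` installed the X.509 lines carry subjects, so `python3 check_secvars.py | grep 2023` shows whether the two UEFI CA 2023 certificates appear under db and the KEK 2K CA 2023 under KEK. Without the library, the script still prints a SHA-256 of each DER blob, which can be compared against the certificates shipped in the edk2 package. The builder is included because the same structure is what a db or KEK update payload has to be serialised into before it is signed.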
