Event details
Thanks to all participants of yesterday's panel for the explanations.
There were a lot of questions regarding the tools and possible scenarios.
For a better understanding, I/we are however still missing what is REALLY going on with the certificate updates
As said in the video, whatever tool used for the update of the 2023's certificates, it is pointing to same registry keys. From my understanding, those keys are defining the status of the update.
Scott clearly mentioned in the video that the OS can only modify the "active" certificates, while the "default" certificates in the firmware can only be updated by a firmware update provided by the mainboard's manufacturer. During the update from Windows,
What is exactly done on the EFI partition on the hard drive? Which files get modified?
What is written to the UEFI firmware ? Should be the KEK and DB, but what if the firmware is partially "readonly" (e.g. not allowing KEK update) ?
Maybe, Scott Shell, could you elaborate a bit? Or better, link an article with the deeper technical details? Most of the technical details are already in the playbook and https://support.microsoft.com/en-us/topic/secure-boot-certificate-updates-guidance-for-it-professionals-and-organizations-e2b43f9f-b424-42df-bc6a-8476db65ab2f but without the deeper detail on the EFI.
Above all tools, knowing what is modified could help advanced people to troubleshoot.
I am especially thinking of all older PC than can NOT have a firmware update and will face the possible mismatch of "half" update (one side with 2011 certificate, other with 2023). Those were partially mentioned during the video.
I am very aware that most of the discussion is related to professional users with supported computers. And that owner of older unsupported PC "may want to renew their machine".
However, plenty of older PC can still be used for other purpose, either on Win10 ESU, Windows LTSC, Linux or whatever OS. So it would be very helpful to be able to know what is going on before throwing those PC in the garbage.
Eventually, for older unsupported computers with possible certificate mismatches, what about disabling SecureBoot completely? Isn't is a better recommendation?
About files: In C:\Windows\Boot you will find EFI\bootmgfw.efi and EFI_EX\bootmgfw.efi. The first is signed with 2011 and the second with 2023 certificates. This file exists at up to two places in your EFI partition (depending on how exactly the boot variables are set within UEFI). \EFI\boot\bootx64.efi and \EFI\Microsoft\boot\bootmgfw.efi.
Whichever one or two of these files exist, they will be initially the first EFI file, and replaced by the EFI_EX files.
In the firmware, there are named slots, called Variables, which are updated in this process. When secure boot is active, there are restrictions intact that control which variables can be updated from the Operating System. And each of this updates needs to be cryptographically signed by a key that is already mentioned in these variables. In properly implemented Secure Boot UEFI, the PK and KEK variables can only be updated if the update is signed with a key in the PK variable (Platform Key), and the DB and DBX variables can only be updated if the update is signed with a key in the KEK variable.
Also, if TPM is used and sealed against PCR7, the TPM keys will be resealed against the new PCR7 value derived from the new certificates, at the same time when the variables are updated.
Some firmware versions have bugs, like PK or KEK being readonly, or KEK cannot be updated since Microsoft did not receive a signed EFI variable update for that PK (e.g. because the vendor lost it or no longer exists).
In many cases, there are manual workarounds. For example, the firmware setup may provide a menu where you can manually enroll a PK or a KEK. In this case, if enrolling the KEK works there, it is the easiest workaround. (Suspend Bitlocker, if used, before you do anything in firmware setup since it may reset the TPM).
Or it provides a "Setup Mode" where Secure Boot is active but variables are not protected, so you can use third-party tools to enroll the KEK, and afterwards disable Setup Mode again.
Others only provide a single option that will clear all 4 variables, and enroll a new PK only. In that case, you will need third-party tools to sign the KEKs you want to use with the PK, and the DB and DBX content with a KEK (maybe a third KEK you add yourself), and then you can fill the variables again with these updates. After that,, Windows will be happy and work securely again. Just make sure you don't keep your PK secret key on the machine where an attacker could steal it (as in that case you could just turn of Secure Boot and are not off worse). And make sure not to forget any DB or KEK content needed by the firmware or other hardware, or you may have "bricked" your device if you cannot enter UEFI setup any longer.
The last two options are obviously only for people who like to tinker with their hardware and invest some time in them. The same kind of people who brag with using Arch Linux :-P. By the way, the Arch Linux wiki has a good explanation how to set up secure boot completely from scratch, with or without Microsoft keys, so maybe their wiki is for you :)
In any case, for the foreseeable future, having a system that has secure boot enabled but expired KEK only (or even expired KEK and expired DB) is still more secure than secure boot off, as it will properly protect agaisnt a lot of old attacks. It will not protect against new attacks, but disabled Secure Boot will neither.
There may come a point when the old boot manager lacks features you want to use, and only in this case you'd have to bite the bullet and disable Secure Boot.
I know, many technical details in very condensed form. Probably it gives you some basic understanding and you can find the details on the Internet (or in the Secure Boot specification), or just ask again :)
thanks for the explanations!
In one machine from 2013 already mentioned in an earlier comment some weeks ago with an Asrock mainboard, it seems it does NOT have a "properly implemented Secure Boot UEFI" since the KEK seems readonly, and there is no way to add certificates from the firmware. On that machine, I will stay with the 2011's certificates with SecureBoot enabled as long as I am using Windows on that machine (currently win10 Pro on ESU, so only for 2026). In case of more trouble, I can always disable the SecureBoot.
More challenging is for the bootable USB key I am using for different PC. I will likely keep the EFI files with 2011's certificates there. It seems more compatible across machines.You are very welcome.
The requirements for "properly implemented Secure boot" on x64 platform are pretty low
- It must be possible to turn it off
- It must provide some way to change the Platform Key. Minimally that would be either a "Setup Mode" where all variables are unprotected, or an option to upload a Platform Key and clear the others 3 variables, or an option to clear all variables with the additional requirement that if a variable is empty it means "allow all" and not "deny all".
All other options are for convenience. I understand that nobody likes to create their own platform key, sign everything with that and use third party tools to update the variables. Also, some motherboards have enrolled their own keys to DB and it may brick the machine (allow neither boot nor enter UEFI setup) if the DB is non-empty and does not contain them.
Therefore I agree you are better off not to mess with that machine, especially since you will repurpose it for another OS this year anyway.
And yes, I agree for recovery media you carry around in your purse to help others, it is currently best option to have bootloaders signed by Microsoft 2011 certificates.
The USB key I am currently carrying with me (powering various WinRE versions, Ubuntu, Grml and more recovery tools) is using Linux Foundation's Preloader, which has the disadvantage you need to manually confirm you want to boot on every reboot from it, and also since it is signed with Microsoft's 2011 Third-Party CA, some more recent machines do not longer ship the required certificates for that. Using Microsoft's certificate (i.e. have Microsoft's boot menu first with an option to boot other OS that would then load GRUB) is not an option since for recent boot managers (starting from Win10 RTM or so) it is impossible to chainload the Linux Foundation Preloader from bootmgr.
But if all you have on your media is Windows bootloader bootable stuff, the MS 2011 certificate would be my choice for now, too.