Event details
It's time for our third Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot playb...
Pearl-Angeles
Updated Mar 11, 2026
calebeasley
Mar 10, 2026
Copper Contributor
- In a situation where the KEK certificate does expire, can we get a clearer idea as to the actual impact? It’s stated that new binaries will not be accepted into the authorized signature database; however, older previously signed binaries will still be trusted. This confuses me, because the wording of the boot process in regards to Secure Boot certificates implies that the signatures of trusted binaries are checked every single time.
- Products that use kernel-level drivers rely on WHQL Microsoft-signed drivers that appear to be reliant on the Secure Boot certificate chain. What is the impact to these tools if the primary KEK certificate is expired?
- What is the status from Microsoft's perspective on ongoing efforts with OEMs (i.e. VMware) to figure out automation of PK certificate rollouts?
Arden_White
Microsoft
Mar 10, 2026
- The KEK certificate/keys sign updates to the DB and DBX. The DB updates to apply the new certificates are signed with the Microsoft Corporation KEK CA 2011, which the device trusts. Moving to the new certificates, even after the 2011 KEK expires, should still work. New security updates to the DBX will be signed with the Microsoft Corporation KEK 2K CA 2023. If the firmware does not trust the 2023 KEK, the new DBX updates will fail to apply. During boot, the KEK is not used for validating binaries - only the contents of the DBX and DB are used.
- The KEK is not used to validate WHQL signed drivers. It is only used to validate updates to the DB and DBX. The firmware does not care that the certificates have expired. The issue is the need for key rotation as a good security practice and because Microsoft cannot sign with expired keys.
- I am aware of Microsoft and Broadcom-VMware working together, but I don't know the details.
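
The reply above says new DBX updates fail to apply when the firmware does not trust the 2023 KEK. The following is an added example, not code from Microsoft or from anyone in this thread, that parses the contents of a KEK variable (EFI_SIGNATURE_LIST format from the UEFI specification) and reports which of the two KEK certificates named above are present. Assumptions: the input is the raw variable data, for instance the `Bytes` property returned by `Get-SecureBootUEFI -Name KEK`; certificates are matched by their name bytes in the DER rather than by full X.509 parsing; `make_list` and the two sample blobs are constructed for illustration.

```python
import struct
import uuid

# EFI_CERT_X509_GUID (UEFI specification): entries of this type hold DER X.509 certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
KEK_2011 = b"Microsoft Corporation KEK CA 2011"
KEK_2023 = b"Microsoft Corporation KEK 2K CA 2023"


def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for each entry in concatenated EFI_SIGNATURE_LISTs."""
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        if list_size < 28 + header_size or offset + list_size > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = offset + 28 + header_size, offset + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        offset = end


def kek_status(blob):
    """Report which Microsoft KEK certificates appear in a KEK variable (name match in DER bytes)."""
    certs = [d for t, _, d in parse_signature_lists(blob) if t == EFI_CERT_X509_GUID]
    return {"kek_2011": any(KEK_2011 in c for c in certs),
            "kek_2023": any(KEK_2023 in c for c in certs)}


def make_list(cert_bytes, owner=uuid.UUID(int=0)):
    """Build one single-entry signature list (hypothetical helper for the constructed samples)."""
    sig = owner.bytes_le + cert_bytes
    return EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig


# Constructed samples: placeholder bytes carrying the certificate names, not real certificates.
OLD_ONLY = make_list(b"\x30\x82" + KEK_2011)
UPDATED = OLD_ONLY + make_list(b"\x30\x82" + KEK_2023)

if __name__ == "__main__":
    print("2011 only:", kek_status(OLD_ONLY))
    print("updated:  ", kek_status(UPDATED))
```

A device whose result shows `kek_2023` as false is in the state the reply describes: DBX updates signed with the 2023 KEK would not be accepted by its firmware.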