[UPDATED]: Microsoft UEFI Signing Requirements
To strengthen the Secure Boot ecosystem and streamline signing turnaround, Microsoft is introducing enhanced UEFI signing requirements for all third-party submissions requesting signatures with Microsoft UEFI CAs (2011 and 2023) or the new Option ROM CA. These updates emphasize security assurance and interoperability across UEFI-enabled devices. Key changes include: Mandatory security audits: Annual independent reviews via the OCP SAFE program, with immediate audits for vulnerabilities or major code changes. Subsystem-based packaging: EFI Applications and Option ROMs must be submitted separately for proper certificate alignment; mixed packaging will be rejected. Stricter code eligibility: Only production-quality binaries, free of GPLv3 licensing, free of known vulnerabilities, and free of malware-prone components will be signed. Enhanced security posture: Requirements for NX compatibility, memory safety, and SBOM inclusion in PE sections are now enforced. Special handling for SHIM and iPXE: SHIM submissions require review board approval or SAFE audits; iPXE submissions must meet additional security criteria.