Automatic update of Microsoft KEK

[spacix]

Device Information

System Model or SKU

• Framework Laptop 16 (AMD Ryzen™ 7040 Series)

BIOS VERSION

SMBIOSBIOSVersion
04.03

The following are for Laptop 16 only.
GPU: Nvidia 5070
Cards: three USB Type C, two USB type A, 3.5mm audio

Standalone Operation (Laptop Only)

Are you running your mainboard as a standalone device. Is standalone mode enabled in the BIOS?
No

Describe the bug

Framework Laptop 16 7040 BIOS series firmware version 4.03 is using expiring certificates from 2011 and need to be updated to the 2023 certificates per KB5062710

Steps To Reproduce

Steps to reproduce the behavior:

1. Go to UEFI Settings
2. Open Administer Secure boot
3. Open the KEK Options
4. See the cert as shown below

01. [PKCS7] Microsoft Corporation KEK CA 2011
KEK Signature List:
Owner_GUID: 77FA9ABD-0359-4D32-BD60-28F4E 78F 784B

Expected behavior

The key I'm expcting to see is:
Microsoft Corporation KEK 2K CA 2023
SHA-1 cert hash: 459AB6FB5E284D272D5E3E6ABC8ED663829D632B.
SignatureOwner GUID: {77fa9abd-0359-4d32-bd60-28f4e78f784b}.

Screenshots

Operating System (please complete the following information):

• OS/Distribution: Windows 11
• Version: 25H2

Additional context

N/A

[spacix]

Don't think I have permissions to add/edit the labels

[jakesullyneytiri]

This is only legit for windows 10 atm.

According to Microsoft only windows 10 will be affected by June or July when secure boot certificate expires, but that will be solved through a windows update that will update the certificate with a new one and is not a bios related issue.

Once you install required windows update it will apply certificate to the bios through windows or so.

Windows 11 is not affected by this secure boot certificate expiration.

Update 1: ah you are referring to feature auto update certificate for secure boot in bios is not supported.

My bad, I thought you where referring about you wanting certificate to be added to bios by framework.

Update 2: interesting, after googling it up, it now says windows 11 is also affected. All I saw was windows 10 was affected on tons of articles, but now I see they are putting windows 10 as high priority for this since it has less updates.

Makes sense then, since that explains why I never saw articles stating it affects also windows 11.

[JohnAZoidberg]

It's a complicated situation - TLDR: You are right, we should and we will add support for Microsoft updating their KEK, but in practice nothing bad will happen.

To get the all the latest secureboot keys, do:

1. If on Windows, make sure to suspend bitlocker to avoid having to do the recovery
2. Go to F2 BIOS menu, select "Administer Secure Boot" and then select "Restore Secure Boot to Factory Settings"
3. After reboot into Windows resume bitlocker again for full protection, if desired

Let me share some facts:

• The KEK is not used for checking signatures of the OS, drivers or anything else at runtime. So an outdated KEK does not have any impact on being able to boot or not.
• Microsoft's DB key is used to sign Windows so that is included in every OEM's BIOS
• The Microsoft 2011 DB key expires this summer
• We have confirmed with Microsoft that they have not started signing with their 2023 key, that means
• Once the 2011 key expires likely nothing will break because nothing in the BIOS checks expiration date. I am confirming with Microsoft if anything on their side checks it. Most likely not, because they don't want to brick people's systems.
• We have started including both Microsofts 2011 and 2023 DB and KEK keys in our BIOS updates
• BIOS updates to not update the active DB or KEK keys because that will cause bitlocker recovery
• BIOS updates only update the default DB and KEK keys - you can enable those as your active keys by going into the BIOS settings and restoring to factory default secureboot keys.
• Automatic update of Microsoft DB and KEK keys is in progress by us - you will see once it's done by looking at https://github.com/microsoft/secureboot_objects/tree/main/PostSignedObjects/KEK

[JohnAZoidberg]

I confirmed with Microsoft again that outdated and expired secureboot keys will never make windows not be able to boot, it may just prevent windows from receiving OS updates.