Microsoft KEK update availability?

As I’ve just seen yet another article about that, I was wondering if the current BIOS versions already include the new keys from Microsoft, as the current keys are about to become invalid. Sadly, the knowledge base doesn’t list anything, as searching for topics about this doesn’t reveal anything. And since this will especially break Win11 installs, as those are most likely not going to boot when disabling Secure Boot, an urgent message to update to the latest BIOS version that includes the new keys might be in order, as I would be surprised if there weren’t many people completely surprised by the old keys becoming invalid on September 11th.

This just popped up on my Fedora 42 system, is it the same thing?

$ fwupdmgr get-updates 
Devices with no available firmware updates: 
 • HDMI Expansion Card
 • KEK CA
 • SBAT
 • SSD 990 PRO 2TB
 • TPS DMC Family
 • TPS6598X PD#0
 • TPS6598X PD#1
 • USB3.0 Hub
 • Windows Production PCA
 • frame.work-LaptopAMDDB
 • frame.work-LaptopAMDKEK
Devices with the latest available firmware version:
 • UEFI dbx
 • Fingerprint Sensor
 • System Firmware
Framework Laptop 13 (AMD Ryzen 7040Series)
│
└─UEFI CA:
  │   Device ID:          5bc922b7bd1adb5b6f99592611404036bd9f42d0
  │   Current version:    2011
  │   Vendor:             Microsoft (UEFI:Microsoft)
  │   GUIDs:              26f42cba-9bf6-5365-802b-e250eb757e96 ← UEFI\VENDOR_Microsoft&NAME_Microsoft-UEFI-CA
  │                       c34a7e6a-bd86-5244-8bd0-7db66fd3c073 ← UEFI\CRT_E30CF09DABEAB32A6E3B07A7135245DE05FFB658
  │   Device Flags:       • Internal device
  │                       • Updatable
  │                       • Supported on remote server
  │                       • Needs a reboot after installation
  │                       • Full disk encryption secrets may be invalidated when updating
  │                       • Signed Payload
  │                       • Can tag for emulation
  │ 
  └─Secure Boot Signature Database Configuration Update:
        New version:      2023
        Remote ID:        lvfs
        Release ID:       116503
        Summary:          UEFI Secure Boot Signature Database
        License:          Proprietary
        Size:             10.0 kB
        Created:          2025-04-29
        Urgency:          High
        Vendor:           Linux Foundation
        Release Flags:    • Trusted metadata
                          • Is upgrade
        Description:      
        This updates the 3rd Party UEFI Signature Database (the "db") to the latest release from Microsoft. It also adds the latest OptionROM UEFI Signature Database update.
        Checksum:         0bc3c04d084462991ee96c2fed91bbf27ead45491b590e1eb20abdd73148fb12

That could be possible, but I can’t say for sure. Something like that would have to be verified by Framework (as I don’t think this will be shipped by MS directly, as for all I know a vendor specific key would be needed to update these without a BIOS update). But the description sounds like this is related.

The UEFI 2023 certificates were already present out of the box for my Framework 13 (AI 300), so it looks like Framework’s been including them in their recent firmware (BIOS) versions.

How can you tell though? I think that’s the main point of my post, people should know that they need this update and they need it soon, and how to tell if it’s present or not.

If you boot into UEFI settings and go to the “Administer Secure Boot” page (might be named differently on different models), you can check the current KEK and DB lists for entries that look like “Microsoft ______ CA 2023” or “Windows ________ CA 2023”. If those are present you’re good; if only the old 2011 entries are present, then your current BIOS version doesn’t include them.

The signing key expiring in September does not affect Windows though; it only affects Linux distributions that use Microsoft’s key to sign their Secure Boot shims.

Under Administer Secure Boot > KEK Options I see “Microsoft Corporation KEK CA 2011” and “frame.work-LaptopAMDKEK”. DB options also only shows 2011.

And no, this does not affect only Linux. Because the entire keychain is being replaced, this does affect the entirety of Secure Boot - except when you’re rolling your own keys. Though the immediate “fallout” in September will only affect Linux, you’re right. Windows users are safe until June next year. Though, if you are on Windows 11 and don’t have the newer keys already, this month’s cumulative update is said to display warnings about this, so while indeed this isn’t as urgent for them, questions will pop up.

Probably a dupe of Secure Boot and Expiring Microsoft Keys - #4 by next_to_utter_chaos

Contrary to @next_to_utter_chaos (here: Secure Boot and Expiring Microsoft Keys - #4 by next_to_utter_chaos ) I am not offered the new keys.

And they are not yet there, as this command does not return anything:

sudo efi-readvar -v db | grep "UEFI CA 2023"

I can just confirm the existence of the old 2011 keys:

└─▶ $  sudo efi-readvar -v db | grep 2011
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011

Yesterday my OS (KDE Neon noble amd64) got a BIOS update:

System Firmware (0.0.3.5 → 0.0.3.18)

That’s odd. I got that update like 3 days ago on my FW16 through fwupdmgr.

sudo efi-readvar -v db | grep "UEFI CA"
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
C=US, O=Microsoft Corporation, CN=Microsoft Option ROM UEFI CA 2023

My guess is you have different platforms. Or do you also have the Ryzen 7040 series FW13?

Thanks for your reply. It indeed is a different platform. 12th gen Intel from Q1 2023. Hope they don’t forget to update the older devices.

12th Gen Intel from Q3 2022 here, running (mainly) Archlinux (so that might be the difference).

efi-readvar -v db | grep "UEFI CA" seems to hint that the keys got updated successfully by fwupdmgr update (and not already a little earlier by the most recent BIOS update to 3.18):

C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
C=US, O=Microsoft Corporation, CN=Microsoft Option ROM UEFI CA 2023
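The checks discussed above (the "Administer Secure Boot" names and the efi-readvar grep) boiled down into a small POSIX sh script, added here as an example and not part of the thread. It classifies a db or KEK listing as "updated" (a 2023 Microsoft CA present), "old-only" (only the 2011 CAs) or "unknown"; the sample listings are constructed from the output posted above, the "Windows UEFI CA 2023" and "Microsoft Corporation KEK 2K CA 2023" names are the published 2023 certificate names and are assumed here rather than taken from the thread, and the helper function names are mine.

```shell
#!/bin/sh
# Added example: classify Secure Boot db/KEK listings into old (2011) and
# new (2023) Microsoft CAs. On a real machine feed it the output of
#   sudo efi-readvar -v db      and      sudo efi-readvar -v KEK
# instead of the constructed samples below.

# Constructed sample mirroring the `efi-readvar -v db | grep "UEFI CA"`
# output posted in the thread (db already updated by fwupd).
SAMPLE_DB='C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
C=US, O=Microsoft Corporation, CN=Microsoft Option ROM UEFI CA 2023'

# Constructed sample of a KEK listing that still only carries the 2011 CA
# (the situation described under "KEK Options" above).
SAMPLE_KEK='C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011'

# ca_status LISTING NEW_REGEX OLD_REGEX -> prints updated | old-only | unknown
# Matches on the CN= part of the subject lines so unrelated lines are ignored.
ca_status() {
    if printf '%s\n' "$1" | grep -Eq "CN=($2)"; then
        echo updated
    elif printf '%s\n' "$1" | grep -Eq "CN=($3)"; then
        echo old-only
    else
        echo unknown
    fi
}

# db_status LISTING: the 2023 db CAs vs the 2011 db CAs
db_status() {
    ca_status "$1" \
        'Microsoft UEFI CA 2023|Microsoft Option ROM UEFI CA 2023|Windows UEFI CA 2023' \
        'Microsoft Corporation UEFI CA 2011|Microsoft Windows Production PCA 2011'
}

# kek_status LISTING: the 2023 KEK CA (assumed name) vs the 2011 KEK CA
kek_status() {
    ca_status "$1" \
        'Microsoft Corporation KEK 2K CA 2023' \
        'Microsoft Corporation KEK CA 2011'
}

echo "db:  $(db_status "$SAMPLE_DB")"     # updated
echo "kek: $(kek_status "$SAMPLE_KEK")"   # old-only
```

A db that reports "updated" while the KEK reports "old-only" is exactly the mixed state the thread describes: fwupd has refreshed db, but the KEK still needs a firmware update from the vendor.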

Still no update. Do I need to do anything?

As long as you have at least fwupd v2.0.13, it should show up automatically. At least that’s the version I was running on my 7040 series FW16 when it arrived. This is that update: LVFS: Secure Boot Signature Database