Need to reset Secure Boot settings to factory default after BIOS update?

Which Linux distro are you using?

Linux Mint

Which release version?
(if rolling release without a release version, skip this question)

22.3 (Zena)

(If rolling release, last date updated?)

Which kernel are you using?

6.8.0-94-generic

Which BIOS version are you using?

3.19

Which Framework Laptop 13 model are you using? (AMD Ryzen™ AI 300 Series, AMD Ryzen™ 7040 Series, Intel® Core™ Ultra Series 1, 13th Gen Intel® Core™ , 12th Gen Intel® Core™, 11th Gen Intel® Core™)

12th Gen Intel® Core™

Question: BIOS 3.19 contains enhancement:

“Added Framework’s dbx key and updated the default CA of Windows Secure Boot to Microsoft UEFI CA 2023.”

(see: Framework Laptop (12th Gen Intel® Core™) BIOS and Driver Releases)

After installing the update and verifying the installation from the OS with dmidecode, I used mokutil to check the contents of the pk, kek and db. Apart from the keys of the manufacturer frame.work, the databases contain:

  • pk: nothing else

  • kek:

    • Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
      • Not After : Jun 24 20:51:29 2026 GMT
      • Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
      • serial: 61:0a:d1:88:00:00:00:00:00:03
  • db:

    • Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
      • Not After : Oct 19 18:51:42 2026 GMT
      • Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
      • serial: 61:07:76:56:00:00:00:00:00:08
    • Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
      • Not After : Jun 27 21:32:45 2026 GMT
      • Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
      • serial: 61:08:d3:c4:00:00:00:00:00:04
    • and an entry "[key 4]", which does not seem to be a certificate (according to "mokutil --db"):

      [key 4]
        [sha256]
        7fed86aed032194bacdc474d31707df57946830f09cb5981a2974c3f97e12b3b
        3709c5a882490fa5b9b7a471f3466341da4267060419491954324d3bfb6aa0c6
        bf6b6dfdb1f6435a81e4808db7f846d86d170566e4753d4384fdab6504be4fb9

So it seems to me that the newer 2023 Microsoft keys, needed later this year when new shims might be used, are not in the kek and db databases yet, despite the BIOS changelog mentioning them.

Is it necessary to call “Restore Secure Boot to Factory Settings” in the BIOS to get the new (and hopefully also the old) keys? Is it also necessary to call “Erase all Secure Boot Settings” before (I guess “no”)?

An indication that the restore is needed is provided by the efivars. Using the "strings" command on /sys/firmware/efi/efivars/dbDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c shows hits like

Windows UEFI CA 2023
Microsoft UEFI CA 2023
Microsoft Option ROM UEFI CA 2023

and

Microsoft Root Certificate Authority 2010
Microsoft Windows Production PCA 2011
Microsoft Corporation UEFI CA 2011
Microsoft Root Certificate Authority 2010

but for /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f I can only find

Microsoft Root Certificate Authority 2010
Microsoft Windows Production PCA 2011
Microsoft Corporation UEFI CA 2011

Thanks for any hints. If the factory defaults restore is needed, it should be added to the BIOS information page as a needed post-installation step.

BTW: I couldn't find a BIOS user's guide, except for the community-provided one:

Thanks and best regards!
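As an added example (not code from the post, from Framework or from mokutil), here is a small Python parser for the EFI_SIGNATURE_LIST format that does precisely what the `strings` comparison above approximates: it walks the db and dbDefault variables, names each entry (subject CN for X.509 entries, hex digest for SHA-256 entries such as the "[key 4]" list) and reports the entries present in the default database but absent from the live one. Run it as `python3 esl_diff.py /sys/firmware/efi/efivars/dbDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f`; the script name is an assumption. Without arguments it runs on constructed sample data: `fake_cert()` builds a minimal DER stand-in that is not a real certificate, the hash entry is a constructed digest, and only the CA names are taken from the post.

```python
"""Added example (not from the original post): parse the EFI signature lists in
efivarfs files (db-d719b2cb-3d3a-4596-a3bc-dad00e67656f, dbDefault-8be4df61-...) and
report entries of the default database missing from the live one. Offline by default."""
import hashlib, struct, sys, uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

def parse_esl(blob):
    """Yield (type_guid, owner_guid, data) for every EFI_SIGNATURE_DATA in a blob of
    EFI_SIGNATURE_LISTs: SignatureType[16] ListSize[4] HeaderSize[4] SigSize[4] hdr sigs."""
    pos = 0
    while pos + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        if list_size < 28 or sig_size <= 16:
            break  # corrupt list header: stop instead of looping forever
        body = blob[pos + 28 + hdr_size:pos + list_size]
        for i in range(0, len(body) - sig_size + 1, sig_size):
            entry = body[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        pos += list_size

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value (short or long form): (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_tlv(value, pos)
        out.append((tag, v))
    return out

def x509_subject_cn(der_bytes):
    """Walk Certificate -> tbsCertificate -> subject and return its commonName."""
    _, tbs, _ = der_tlv(der_tlv(der_bytes)[1])
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:  # explicit [0] version is optional in TBSCertificate
        fields = fields[1:]
    subject = fields[4][1]  # serialNumber, signature, issuer, validity, subject
    for _, rdn_set in der_children(subject):
        for _, atv in der_children(rdn_set):
            (_, oid), (_, val) = der_children(atv)[:2]
            if oid == b"\x55\x04\x03":  # id-at-commonName, OID 2.5.4.3
                return val.decode("utf-8", "replace")

def describe(sig_type, data):
    if sig_type == EFI_CERT_X509_GUID:
        return "X509 CN=%s" % x509_subject_cn(data)
    if sig_type == EFI_CERT_SHA256_GUID:
        return "sha256 %s" % data.hex()
    return "%s (%d bytes)" % (sig_type, len(data))

def missing_from_live(default_blob, live_blob):
    """Entries of dbDefault whose (type, bytes) pair does not occur in db."""
    live = {(t, d) for t, _, d in parse_esl(live_blob)}
    return [describe(t, d) for t, _, d in parse_esl(default_blob) if (t, d) not in live]

# --- constructed sample data: fake_cert() output is NOT a valid X.509 certificate ---
def der(tag, payload):
    assert len(payload) < 0x80, "toy encoder: short-form lengths only"
    return bytes([tag, len(payload)]) + payload

def fake_cert(cn):
    """Stand-in carrying only the TBS fields that x509_subject_cn() walks past."""
    def name(s):
        return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, s.encode()))))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
           + name("Toy Root") + der(0x30, b"") + name(cn))
    return der(0x30, der(0x30, tbs))

def build_esl(sig_type, data, owner=uuid.UUID(int=0)):
    """One EFI_SIGNATURE_LIST holding one signature, as firmware stores X.509 entries."""
    entry = owner.bytes_le + data
    return sig_type.bytes_le + struct.pack("<III", 28 + len(entry), 0, len(entry)) + entry

def sample_blobs():
    """Mirrors the post: db has the 2011 CAs plus a hash entry; dbDefault also the 2023 CAs."""
    old = ["Microsoft Windows Production PCA 2011", "Microsoft Corporation UEFI CA 2011"]
    new = ["Windows UEFI CA 2023", "Microsoft UEFI CA 2023", "Microsoft Option ROM UEFI CA 2023"]
    db = (b"".join(build_esl(EFI_CERT_X509_GUID, fake_cert(c)) for c in old)
          + build_esl(EFI_CERT_SHA256_GUID, hashlib.sha256(b"constructed example binary").digest()))
    db_default = b"".join(build_esl(EFI_CERT_X509_GUID, fake_cert(c)) for c in old + new)
    return db_default, db

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: esl_diff.py <dbDefault efivar file> <db efivar file>
        # efivarfs prefixes each variable with a 4-byte attribute word; skip it
        default_blob, live_blob = (open(p, "rb").read()[4:] for p in sys.argv[1:3])
    else:
        default_blob, live_blob = sample_blobs()
    for t, _, d in parse_esl(live_blob):
        print("db:", describe(t, d))
    for line in missing_from_live(default_blob, live_blob):
        print("in dbDefault but not in db:", line)
```

The comparison is on the raw signature bytes, so it answers only "is this exact certificate or hash enrolled", not whether it is trusted or expired; the 4-byte header skip applies to efivarfs files only, and `mokutil --db` remains the quicker eyeball check when the entry names are all you need.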

Framework support has confirmed it:

To ensure the latest security keys are successfully loaded, users must perform a Factory Reset within the BIOS. We will work on getting an updated walk through created. I appreciate you bringing this gap in documentation to our attention.
Kind Regards
Framework Support

This turned out to be the solution for my Framework 13 AMD 7040 as well. Apparently the new keys were included with the 3.16 BIOS update, but they weren’t visible to Windows.

I did learn the hard way that I should have suspended Bitlocker first, but thankfully I had the recovery key backed up.