TIL that a bunch of the Microsoft UEFI CA certificates are expiring in 2026 (October I think; page 8 of PDF linked). They’ll be ~15 years old by then so I kinda understand why they’re expiring. But OTOH they’ve never expired before or been updated in firmware worldwide at scale before, so… 😬🍿
(Via 38C3 talk on getting into Bitlocker drive on Windows Home via bootloader downgrade attack and PXE booting.)
https://uefi.org/sites/default/files/resources/Evolving%20the%20Secure%20Boot%20Ecosystem_Flick%20and%20Sutherland.pdf
https://media.ccc.de/v/38c3-windows-bitlocker-screwed-without-a-screwdriver
Posted by ewenmcneill@cloudisland.nz
FTR this will also affect the secure booting of Linux, as (inexplicably) all the Linux distros agreed to let Microsoft be the signing authority for UEFI booting of Linux too. (Linux “shim” updates are signed with the Microsoft Third Party CA, it also expires in 2026.)
It looks like Microsoft are extremely keen that only Windows updates the UEFI keys (so they can predictively resign the bitlocker key). And there’s lots of “OEM must push Firmware” cases, so end of support devices may be… stuck.
Posted by ewenmcneill@cloudisland.nz
@ewenmcneill IMHO #CensorBoit and #TPM are big-ass downgrades in terms of #Sustainability and #Security.
Posted by kkarhan@infosec.space
@ewenmcneill Microsoft have a guide to manually enabling this if you wish to test, just be aware that after updating it will only boot bootmgfw.efi signed by the 2023 cert. Shim uses the third-party cert and I don't think secure boot actually cares about the date so Linux will continue to work fine afaik https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d
Posted by en4rab@infosec.exchange
@ewenmcneill I just tried following the guide to enable the new cert/bootloader on my Dell T5610 running Windows 11 24H2 for some Saturday night YOLO fun (Secure Boot on and has TPM1.2 so fiddling has been done to install it) and it's now booting with a 2023 signed bootloader and the 2011 cert is in the dbx.
Posted by en4rab@infosec.exchange
@en4rab thanks for the details and link!
For the Linux boot shim, it’s encouraging that it might still boot “as is” after October 2026 (if as you suggest secure boot doesn’t actually check the CA chain for expiry).
But I expect the Microsoft Third Party CA expiring will affect Microsoft’s ability to sign new “shim” releases with the old cert (and/or their willingness to do so). So I’m anticipating Linux systems with secure boot will have to upgrade trusted CAs in the firmware at some point.
Posted by ewenmcneill@cloudisland.nz
@ewenmcneill I think they can always push a db update to include a new third-party cert in the db and then both the old and new third-party signed shims would work. Linux users can apply UEFI updates using fwupdmgr so I don't think there is any reason they couldn't apply a db update signed by Microsoft to include a new key.
Posted by en4rab@infosec.exchange
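To make concrete what "the 2011 cert is in the dbx" and "push a db update to include a new third-party cert" mean at the variable level, here is an added Python example (not code from this thread, from Microsoft or from any distro) that parses the EFI_SIGNATURE_LIST format carried by the Secure Boot db and dbx variables and reports whether a given certificate or hash is enrolled. It assumes the layout from the UEFI specification and runs on constructed sample data: the owner GUID is a placeholder and the "certificate" is a dummy byte string standing in for DER.

```python
import struct, uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

def parse_signature_lists(data: bytes):
    """Return [(signature_type, owner, data)] for every EFI_SIGNATURE_DATA in a
    chain of EFI_SIGNATURE_LIST structures, i.e. the payload of db or dbx."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data) or sig_size < 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body, end = off + 28 + hdr_size, off + list_size
        if (end - body) % sig_size:
            raise ValueError("list body is not a whole number of EFI_SIGNATURE_DATA")
        for p in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=data[p:p + 16])  # SignatureOwner
            entries.append((sig_type, owner, data[p + 16:p + sig_size]))
        off = end
    return entries

def strip_efivars_attrs(raw: bytes) -> bytes:
    """Files under /sys/firmware/efi/efivars/ prefix the data with 4 attribute bytes."""
    return raw[4:]

def hash_is_revoked(dbx: bytes, sha256_hex: str) -> bool:
    """True if an EFI_CERT_SHA256 entry with this hash is present in dbx."""
    target = bytes.fromhex(sha256_hex)
    return any(t == EFI_CERT_SHA256_GUID and d == target for t, _, d in parse_signature_lists(dbx))

def cert_is_trusted(db: bytes, cert_der: bytes) -> bool:
    """True if this exact DER cert is in db; firmware compares bytes, not notAfter."""
    return any(t == EFI_CERT_X509_GUID and d == cert_der for t, _, d in parse_signature_lists(db))

def build_list(sig_type, owner, sigs):
    """Assemble one EFI_SIGNATURE_LIST with an empty header (used for sample data)."""
    body = b"".join(owner.bytes_le + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(sigs[0])) + body

# Constructed sample data: placeholder owner GUID and a dummy stand-in for a DER cert.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
REVOKED_HASH = bytes(range(32))
SAMPLE_DBX = build_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [REVOKED_HASH, bytes(32)])
DUMMY_CERT = b"\x30\x82\x00\x08DUMMYDER"
SAMPLE_DB = build_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [DUMMY_CERT])
```

On a real Linux system the same functions can be pointed at the contents of the db and dbx efivars files (after `strip_efivars_attrs`) to list which CA certificates and hashes the firmware will accept or refuse.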