Background
I'm a member of the EFI team in Debian, and I've done much of the
work for Debian to support UEFI Secure Boot (SB) in recent years. We
have included that support for a number of releases now, starting back
with Debian 10 (aka Buster).
I'm also a long-time accredited member of
the shim-review
team, the group that checks and approves shim binaries before
Microsoft will sign them.
See the Debian
wiki for lots of background details about Secure Boot and how we
do things in Debian.
Secure Boot depends on signatures, which are verified during boot
using a chain of X.509 certificates. The root certificate(s) in the
chain are embedded in computer firmware, then later software such as
shim can add more certificates to extend the trust. Easy, right?
The problem - certificates expire...
Microsoft administer the most widespread Secure Boot root
certificates, and have been doing so since the very beginning of UEFI
Secure Boot as a concept. The Microsoft UEFI CA certificates are
included in just about every x86 and x86-64 computer shipped, and also
in quite a lot of arm64 machines too.
(The fact that Microsoft is therefore a gatekeeper for Linux
running under Secure Boot on most machines is very unpopular in some
quarters, but this is just a fact of life in the world we live
in. None of the following will affect you if you're using
Secure Boot with your own keys only.)
The current certificates have been around since 2011:
1. Windows Production PCA 2011 (used for signing Windows components)
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
Validity
Not Before: Oct 19 18:41:42 2011 GMT
Not After : Oct 19 18:51:42 2026 GMT
This expires in October this year, ~5 months from now.
2. Third Party Marketplace Root (used for signing option ROMs and other software)
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
Validity
Not Before: Jun 27 21:22:45 2011 GMT
Not After : Jun 27 21:32:45 2026 GMT
For Linux folks, this second certificate is more interesting - it
is the root of the certificate chain that Microsoft use when
signing shim for Linux
distributions
This CA expires 5 weeks from today.
OMG!!! Will all my existing Secure Boot machines stop booting?
Almost definitely not, no.
The specification for UEFI Secure Boot expects that valid dates on
certificates should not be enforced for signatures here. All that
matters here is the signatures themselves. Modulo buggy firmware,
existing signed binaries should continue just fine.
New CAs to be aware of
Microsoft have published three new CAs:
1. A new CA used for signing device option ROMs
Subject: C=US, O=Microsoft Corporation, CN=Microsoft Option ROM UEFI CA 2023
Validity
Not Before: Oct 26 19:02:20 2023 GMT
Not After : Oct 26 19:12:20 2038 GMT
2. A new CA used for signing Windows components
Subject: C=US, O=Microsoft Corporation, CN=Windows UEFI CA 2023
Validity
Not Before: Jun 13 18:58:29 2023 GMT
Not After : Jun 13 19:08:29 2035 GMT
3. A new CA used for signing other software (e.g. shim)
Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
Validity
Not Before: Jun 13 19:21:47 2023 GMT
Not After : Jun 13 19:31:47 2038 GMT
New machines and updated older machines will most
likely have all of these new CAs installed. New machines are
already shipping that only include the new CAs; they
will not trust older software and this has already started causing
problems for some users.
Isn't this is all a bit short notice?
Yes it is. :-(
A common rule of thumb when deploying CA certificates is to start
the process of replacement ("rollover") when a certificate reaches
half of its lifetime. Unfortunately, Microsoft have done this very
late. They generated new keys in 2023, but didn't start signing shim
and other third-party software with the UEFI CA until October
2025.
If I'm a distro developer, what should I do?
If you already have an old shim signed by Microsoft for your
distribution from before October 2025, then it will only be signed
using the older CA that expires soon. On newer machines, your users
will already not be able to boot your distro with Secure Boot
enabled.
If you want your users to be able to use Secure Boot in future, you
will need to get a new shim build submitted, reviewed and signed using
the new CA. However, that signed build will not work on older machines
unless they have had the new CAs installed. This is also likely to
cause problems for some users. You should encourage your users to
update their systems NOW before things break for
them.
There is an interim solution which will work, but only if you're
quick! Microsoft are currently returning shim binaries signed
using both the old CA and the new CA. More
specifically, for every binary that is submitted they will return two:
one signed with each CA. If you use these directly, you'll need to
plan to publish:
- 2 signed shim binaries
- 2 installers
- 2 sets of live/installer images
- etc.
and explain to your users how they'll need to pick one. Good luck
with that!
However, it is possible to extract signatures from
those signed shim binaries and attach them all onto one shim, giving
you the Holy Grail here - a single shim that will boot on the vast
majority of machines. Indeed, this is what I'm planning on doing in
Debian. So-called "dual-signed" shims may provoke
issues with buggy firmware, so be aware that you may have to deal with
this too. But take heart: early testing by various distro folks with a
dual-signed Fedora shim did not show any problems.
You have 5 weeks and counting...
Microsoft have promised to continue signing with the old CA as long
as possible, right up to the last day. They understand how awkward
things are going to be otherwise, and are trying to help here as much
as possible.
In the shim-review team, we have been expecting to see a surge of
shim submissions before the old CA expires, to make the most of the
"Holy Grail" dual-signed shims described above. But we've been really
surprised that this has not been happening.
So, this blog is a wake-up call for people doing Secure Boot with
shim. Even if you're not going to be ready to ship a new shim binary
to your users, you should really try to get a new build prepared and
signed NOW so that you have it available to tide you
over through the coming CA transition. Don't leave it too late.
If you're not sure what to do, ask me and the other shim-review
folks. We're happy to give advice. But don't delay.
You have 5 weeks and counting.
How to make a dual-signed shim binary
Microsoft only ship binaries with a single signature included. To
make things work, extract those signatures using sbattach
--detach (from the sbsigntools source package, available in
most distributions. Then apply those signatures one at a time to your
shim binary, using sbattach --attach. Simple,
really. There's one strong recommendation here: order the signatures
on your shim oldest first - that way, old buggy
firmware implementations that potentially don't look for more than one
signature will find the old signature first.
pesign can also handle moving signatures around, but I
chose sbsigntools when doing this work myself.
If you're looking to see how others handle multiple signed shim
binaries, feel free to look at the Debian shim-signed
package for examples. The repo
is https://salsa.debian.org/efi-team/shim-signed.git.
References
I'll add more links here in the coming weeks.
Log in
