Closed
Labels
- state:needs-maintainer-feedback: Needs more information from a maintainer to determine next steps
- state:needs-triage: Needs to be triaged to determine next steps
- type:bug: Something isn't working
- urgency:medium: Important with a moderate impact
Description
Is there an existing issue for this?
- I have searched existing issues
Current Behavior
The PostSignedObjects/Optional/DB/*/DBUpdate2024.bin files seem to be the Microsoft Windows UEFI CA, but in Linux IIUC we need to deploy the Microsoft UEFI CA (i.e. no Windows prefix) as an update so that we can deploy a shim signed with the new 3rd party cert.
Expected Behavior
I expected there to be something like PostSignedObjects/UEFI/DB/*/DBUpdate2023.bin or PostSignedObjects/3rdParty/DB/*/DBUpdate2023.bin that we can use in Linux to deploy. The certificate I'm specifically looking for is CRT_7CD7437C555F89E7C2B50E21937E420C4E583E80.
Steps To Reproduce
On the "old db" system:
└─UEFI Signature Database:
├─UEFI CA:
│ Current version: 2011
│ Vendor: Microsoft (UEFI:Microsoft)
│ GUIDs: 26f42cba-9bf6-5365-802b-e250eb757e96 ← UEFI\VENDOR_Microsoft&NAME_Microsoft-UEFI-CA
│ c34a7e6a-bd86-5244-8bd0-7db66fd3c073 ← UEFI\CRT_E30CF09DABEAB32A6E3B07A7135245DE05FFB658
│
└─Windows Production PCA:
Current version: 2011
Vendor: Microsoft (UEFI:Microsoft)
GUIDs: 675d2184-6c9a-59f1-a6f1-3c229b5dbb79 ← UEFI\VENDOR_Microsoft&NAME_Microsoft-Windows-Production-PCA
0611d85d-99a4-5c50-8c17-fc5196226f85 ← UEFI\CRT_1A8B6903D64CC9AD09D12FCB355663A458A09EF0
On the "new db" system:
└─UEFI Signature Database:
├─UEFI CA:
│ Current version: 2023
│ Vendor: Microsoft (UEFI:Microsoft)
│ GUIDs: 26f42cba-9bf6-5365-802b-e250eb757e96 ← UEFI\VENDOR_Microsoft&NAME_Microsoft-UEFI-CA
│ 308281c7-d0c5-52e0-8c1a-810540de03df ← UEFI\CRT_7CD7437C555F89E7C2B50E21937E420C4E583E80
│
└─Windows UEFI CA:
Device ID: d7ef2946da0086dd0a2c548964c394b4a6e37c5f
Current version: 2023
Vendor: Microsoft (UEFI:Microsoft)
GUIDs: 914015a8-9d92-5462-9a9b-f2b361e4faae ← UEFI\VENDOR_Microsoft&NAME_Windows-UEFI-CA
89a825bf-78b5-5f1c-905b-e982b2f02584 ← UEFI\CRT_A794240D25F0CCB2EC8142DC2F7411890717DEAD
...now I thought the PostSignedObjects db would be the UEFI CA update (or both), but alas:
$ fwupdtool firmware-parse PostSignedObjects/Optional/DB/x86/DBUpdate2024.bin efi-variable-authentication2
<firmware gtype="FuEfiVariableAuthentication2">
  <signers>
    <firmware gtype="FuX509Certificate">
      <id>c6b6c0150043c6f1f7c953ed62d669ffe9255e9d</id>
      <issuer>C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,CN=Microsoft Corporation KEK CA 2011</issuer>
      <subject>C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,CN=Microsoft Windows UEFI Key Exchange Key</subject>
    </firmware>
    <firmware gtype="FuX509Certificate">
      <id>9f402b1cc0243cbedc58a525789816ccca7687a9</id>
      <issuer>C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,CN=Microsoft Corporation Third Party Marketplace Root</issuer>
      <subject>C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,CN=Microsoft Corporation KEK CA 2011</subject>
    </firmware>
  </signers>
  <firmware gtype="FuEfiX509Signature">
    <id>a794240d25f0ccb2ec8142dc2f7411890717dead</id>
    <version>2023</version>
    <issuer>C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,CN=Microsoft Root Certificate Authority 2010</issuer>
    <subject>C=US,O=Microsoft Corporation,CN=Windows UEFI CA 2023</subject>
  </firmware>
</firmware>
Thanks!
Build Environment
- OS(s): Linux (all)
- Tool Chain(s): n/a
- Targets Impacted: all
Version Information
Commit: 3d71b6ff0d9ed209a93adb48cf433f749c7196b0
Urgency
Medium
Are you going to fix this?
Someone else needs to fix it
Do you need maintainer feedback?
Maintainer feedback requested
Anything else?
No response
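The check the report performs by eye, as an added example that is not part of the original issue or of the project's code: it reads the `fwupdtool firmware-parse` XML quoted above and tells the certificates that signed the update apart from the certificate the update actually adds to db. The function names are hypothetical, and it assumes the `CRT_` suffix in fwupd's listing corresponds to the `<id>` element, as the `A794...` entry on this page does.

```python
import xml.etree.ElementTree as ET

# fwupdtool firmware-parse output for DBUpdate2024.bin, as quoted in the issue.
SAMPLE_XML = """<firmware gtype="FuEfiVariableAuthentication2">
  <signers>
    <firmware gtype="FuX509Certificate">
      <id>c6b6c0150043c6f1f7c953ed62d669ffe9255e9d</id>
      <issuer>C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,CN=Microsoft Corporation KEK CA 2011</issuer>
      <subject>C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,CN=Microsoft Windows UEFI Key Exchange Key</subject>
    </firmware>
    <firmware gtype="FuX509Certificate">
      <id>9f402b1cc0243cbedc58a525789816ccca7687a9</id>
      <issuer>C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,CN=Microsoft Corporation Third Party Marketplace Root</issuer>
      <subject>C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,CN=Microsoft Corporation KEK CA 2011</subject>
    </firmware>
  </signers>
  <firmware gtype="FuEfiX509Signature">
    <id>a794240d25f0ccb2ec8142dc2f7411890717dead</id>
    <version>2023</version>
    <issuer>C=US,ST=Washington,L=Redmond,O=Microsoft Corporation,CN=Microsoft Root Certificate Authority 2010</issuer>
    <subject>C=US,O=Microsoft Corporation,CN=Windows UEFI CA 2023</subject>
  </firmware>
</firmware>"""


def cert_id(name):
    """Normalise 'CRT_<HEX>' (as in the fwupd listing) or a bare hex ID to lowercase hex."""
    name = name.strip().lower()
    return name[4:] if name.startswith("crt_") else name


def parse_auth2(xml_text):
    """Return (signers, payload): two dicts mapping certificate ID to subject."""
    root = ET.fromstring(xml_text)

    def collect(nodes):
        return {cert_id(n.findtext("id")): n.findtext("subject") for n in nodes}

    # Certificates under <signers> authenticate the update; they are not added to db.
    signers = collect(root.findall("./signers/firmware"))
    # Direct FuEfiX509Signature children are the entries the update would append.
    payload = collect(n for n in root.findall("./firmware")
                      if n.get("gtype") == "FuEfiX509Signature")
    return signers, payload


def update_adds(xml_text, wanted):
    """True only if `wanted` is in the payload, not merely among the signers."""
    _, payload = parse_auth2(xml_text)
    return cert_id(wanted) in payload
```
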