Releases: microsoft/secureboot_objects
Release list
v1.6.5-signed
What's Changed
- Repo File Sync: Group Dependabot Prs and update to create-github-app-token@v3 by @mu-automation[bot] in #366
- [Secure Boot KEK Update] Adlink PK-Signed KEK Update by @Max-ad-Wu in #350
- GitHub Action: Bump actions/create-github-app-token from 2 to 3 by @dependabot[bot] in #363
- pip: bump the all-pip-dependencies group with 2 updates by @dependabot[bot] in #367
- pip: bump ruff from 0.15.6 to 0.15.7 in the all-pip-dependencies group by @dependabot[bot] in #373
- license: Drop prebuilt binaries license in favor of BSD-2-Clause-Patent by @chewi in #376
- pip: bump cryptography from 46.0.5 to 46.0.6 by @dependabot[bot] in #378
- Repo File Sync: Update to Mu DevOps v18.0.4 by @mu-automation[bot] in #379
- pip: bump the all-pip-dependencies group with 3 updates by @dependabot[bot] in #380
- Group/upload by @Flickdm in #383
- FEAT: Authenticated Variable Verification and KEK workflow by @Flickdm in #385
- GitHub Action: Bump the all-actions-dependencies group with 3 updates by @dependabot[bot] in #386
- Repo File Sync: Repo File Sync: Update workflows to 18.0.5 by @mu-automation[bot] in #387
- Upload: Uploading multiple submissions by @Flickdm in #390
- pip: bump edk2-pytool-library to 0.23.13, regex to 2026.4.4, ruff to 0.15.9 cryptography to 46.0.7 by @dependabot[bot] in #389
- [Secure Boot KEK Update] Adlink PK-Signed KEK Update by @Max-ad-Wu in #392
- Repo File Sync: Update github-script to v9 by @mu-automation[bot] in #395
- pip: bump cryptography from 46.0.6 to 46.0.7 by @dependabot[bot] in #391
- GitHub Action: Update prepare-binaries and validate-kek-updates to use actions/github-script 9, action-gh-release 3 by @dependabot[bot] in #394
- pip: bump ruff from 0.15.9 to 0.15.10 in the all-pip-dependencies group by @dependabot[bot] in #397
- Fix DBX JSON schema by @cjee21 in #381
- [Secure Boot KEK Update] Microsoft PK-Signed KEK Update by @Flickdm in #399
- Build: Detect and strip PKCS#7 ContentInfo wrappers in KEK updates by @Flickdm in #403
- pip: bump ruff from 0.15.10 to 0.15.11 by @dependabot[bot] in #401
- cleaning up error in SVN GUID by @SochiOgbuanya in #404
- pip: bumpruff to 0.15.12, cryptography to 47.0.0 by @dependabot[bot] in #405
- Fix: Update dbx_info_msft_latest.json to correct incorrect guids by @Flickdm in #406
- Repo File Sync: Update mu_devops to v18.0.6 by @mu-automation[bot] in #407
- pip: bump cryptography from 47.0.0 to 48.0.0 in the all-pip-dependencies group by @dependabot[bot] in #408
- Updating High Confidence Buckets for 5B Windows LCU by @SochiOgbuanya in #412
- Addressing missing bucket attribute information in 5B High confidence buckets csv by @SochiOgbuanya in #414
- pip: bump ruff from 0.15.12 to 0.15.13 by @dependabot[bot] in #418
- bump bootmgr SVN to 8 by @olkorsha in #415
- pip: bump ruff from 0.15.13 to 0.15.14 in the all-pip-dependencies group by @dependabot[bot] in #423
- pip: bump ruff from 0.15.14 to 0.15.15 in the all-pip-dependencies group by @dependabot[bot] in #427
- Repo File Sync: update mu_devops to v18.0.7 by @mu-automation[bot] in #435
- pip: bump ruff to 0.15.16, cryptography to 48.0.1 by @dependabot[bot] in #431
- pip: bump ruff to 0.15.17, pytest to 9.1.0, cryptography to 49.0.0 by @dependabot[bot] in #438
- GitHub Action: Bump actions/checkout from 6 to 7 by @dependabot[bot] in #439
- [CVE-2026-8863] bump bootmgfw svn to v9, add 12 new x64 dbx hashes by @olkorsha in #429
- Add 7 additional Microsoft Surface KEK update packages: by @jorticus-msft in #437
- pip: bump edk2-pytool-library to 0.23.15, ruff to 0.15.20, pytest to 9.1.1 by @dependabot[bot] in #441
- Fix bootmgr SVN dateOfLastChange and CVE description (#444) by @Flickdm in #445
- scripts: fix compute_authenticode_hash for unsigned PEs by @jeremy-compostella in #440
New Contributors
- @Max-ad-Wu made their first contribution in #350
- @chewi made their first contribution in #376
- @cjee21 made their first contribution in #381
- @olkorsha made their first contribution in #415
- @jorticus-msft made their first contribution in #437
- @jeremy-compostella made their first contribution in #440
Full Changelog: v1.6.4-signed...v1.6.5-signed
v1.6.5
What's Changed
-
scripts: fix compute\_authenticode\_hash for unsigned PEs @jeremy-compostella (#440)
Change Details
Β When the PE has no attached certificate the security data directory fields VirtualAddress and Size are both 0. The previous unconditional slicing:
pe_data[certificate_table_offset + 0x08 : 0] # -> empty + pe_data[0 + 0 :] # -> whole file re-appendedproduced a wrong digest for unsigned images.
Add an explicit branch: when VirtualAddress == 0, hash only the bytes that follow the 8-byte cert-dir data-directory entry, which is the correct tail of an unsigned PE image.
Description
When the PE has no attached certificate the security data directory
fields VirtualAddress and Size are both 0. The previous unconditional
slicing:pe_data[certificate_table_offset + 0x08 : 0] # -> empty + pe_data[0 + 0 :] # -> whole file re-appendedproduced a wrong digest for unsigned images.
How This Was Tested
Generate Authenticode for an unsigned EFI binary and verify successful verification once enrolled in the DB.
Integration Instructions
N/A
</blockquote> <hr> </details>
-
Fix bootmgr SVN dateOfLastChange and CVE description (#444) @Flickdm (#445)
Change Details
Β ## Description
The SVN bump from 8.0 to 9.0 (a728996) updated the value and version of the bootmgfw.efi SVN entry but left dateOfLastChange at the 8.0 date (2026-04-10) and the description at the old CVE (CVE-2023-24932).
Update both fields to match the June 9, 2026 KB5094126 rollout:
-
dateOfLastChange: 2026-04-10 -> 2026-05-21
-
description: CVE-2023-24932 -> CVE-2026-45654
-
Impacts functionality?
-
Impacts security?
-
Breaking change?
-
Includes tests?
-
Includes documentation?
How This Was Tested
verified that the json was valid
Integration Instructions
N/A
-
-
Add 7 additional Microsoft Surface KEK update packages: @jorticus-msft (#437)
Change Details
Β ## Description
Add KEK update binaries for the following Surface PK thumbprints:
-
PK19: 4484F86E (SH2 2022 UEFI PK Signer)
-
PK20: 999B48E3 (AFF UEFI PK CA 2015)
-
PK21: CB8F3251 (LFF 3 Firmware CA 2016)
-
PK22: 5EAE312B (LFF 3 UEFI PK Signer)
-
PK23: C35BFE0D (NFF UEFI PK Signer)
-
PK24: E8DFD45C (LFF 2 UEFI PK CA 2014)
-
PK25: F4BC8D56 (XLFF UEFI PK CA 2014)
-
Impacts functionality?
-
Impacts security?
-
Breaking change?
-
Includes tests?
-
Includes documentation?
How This Was Tested
Tested on Surface devices associated with each thumbprint. No adverse effects to SecureBoot, Secured Core, or Bitlocker.
Integration Instructions
N/A
</blockquote> <hr> </details> -
-
[CVE-2026-8863] bump bootmgfw svn to v9, add 12 new x64 dbx hashes @olkorsha (#429)
Change Details
Β ## Description
Bump bootmgfw svn to v9
Add 11 latest x64 dbx hashes
Add missing EasyFix hash from previous releasededupe and update DBXUpdateSVN.bin
update DBXUpdate.bin
-
Addressing missing bucket attribute information in 5B High confidence buckets csv @SochiOgbuanya (#414)
Change Details
Β
Description
Addressing missing bucket attribute information in 5B High confidence buckets csv
<Include a description of the change and why this change was made.>
Previous csv was missing: OEMModelSystemVersion,FirmwareManufacturer,FirmwareVersion,FirmwareReleaseDate
These files have been updated to include the full list of bucket attributes: BA_BucketId,OSArchitecture,OEMName,OEMManufacturerName,BaseBoardManufacturer,OEMModelSystemFamily,OEMModelBaseBoard,OEMModelBaseBoardVersion,OEMModelSKU,OEMModelNumber,OEMModelSystemVersion,FirmwareManufacturer,FirmwareVersion,FirmwareReleaseDate
For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
<Describe the test(s) that were run to verify the changes.>
Integration Instructions
<Describe how these changes should be integrated. Use N/A if nothing is required.>
</blockquote> <hr> </details>
-
Updating High Confidence Buckets for 5B Windows LCU @SochiOgbuanya (#412)
Change Details
Β ## Description
Updated the high confidence buckets to include new bucket data shipped for 5B windows LCU. Files are too large for GitHub UI to compute diff.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
N/A
Integration Instructions
N/A
-
cleaning up error in SVN GUID @SochiOgbuanya (#404)
Change Details
Β ## Description
<Include a description of the change and why this change was made.>
Updated the SVN GUID to address #377For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
- [] Impacts functionality? No
- Impacts security? No
- Breaking change? No
- Includes tests? No
- Includes documentation? No
How This Was Tested
No test required
<Describe the test(s) that were run to verify the changes.>Integration Instructions
<Describe how these changes should be integrated. Use N/A if nothing is required.>
</blockquote> <hr> </details>
-
Build: Detect and strip PKCS#7 ContentInfo wrappers in KEK updates @Flickdm (#403)
Change Details
Β ## Description
Some KEK update files are generated with an outer ContentInfo SEQUENCE wrapping the SignedData blob. Older EDK2-based firmware expects raw SignedData directly in WIN_CERTIFICATE_UEFI_GUID.CertData; ContentInfo support was only added recently in:
tianocore/edk2@37d3eb0This is normally because the tool that used wanted to sign it in a "normal" way where the code in UEFI is anything but normal.
If we strip off the ContentInfo(..) we have a greater chance of supporting platforms stuck on older UEFI firmware.
So while not invalid - and for newer machines is fine - older firmware may pose an issue.
For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
Tested with a known binary with this issue
KEK Validation Results
β οΈ WARNING:PostSignedObjects/KEK/Test/KEKUpdate_PK_WITH_CONTENT_INFO.bin- Cryptographic Signature: β VALID
- Expected Payload: β True
- ContentInfo Wrapper:
β οΈ Detected
Why this matters: The PKCS#7 signature contains an outer
ContentInfoSEQUENCE
wrapping theSignedData. Older EDK2-based firmware expects rawSignedDatain
WIN_CERTIFICATE_UEFI_GUID.CertDataand will reject the update. Use
scripts/strip_content_info.pyto remove the wrapper before submitting.File Hashes (SHA-256)
PostSignedObjects/KEK/Test/KEKUpdate_PK_WITH_CONTENT_INFO.bin: 7e3f66f80384f26b1a4ff6a45c7aecc28891bf1250adbbc3e76bb73868dd70fcCommand Output
$ python scripts/validate_kek.py "PostSignedObjects/KEK/Test/KEKUpdate_PK_WITH_CONTENT_INFO.bin" -o "kek_validation_results/KEKUpdate_PK_WITH_CONTENT_INFO_validation.json" -q INFO:root:Validating: KEKUpdate_PK_WITH_CONTENT_INFO.bin WARNING:root: [!] ContentInfo wrapper detected in cert_data! INFO:root: Cryptographic Signature: VALID INFO:root: Expected Payload: True INFO:root:Result...
v1.6.4-signed
β οΈ IMPORTANT
No major security fixes.
TLDR;
- Make2023BootableMedia.ps1 Improved and Signed!
- High Confidence Buckets added
- KEK update map fixes
- authenticode_transplant.py Updates
What's Changed
- pip: bump ruff from 0.14.14 to 0.15.0 by @dependabot[bot] in #345
- pip: bump ruff from 0.15.0 to 0.15.1 by @dependabot[bot] in #348
- Add cryptographic verification to authenticode_transplant.py by @Flickdm in #326
- pip: bump cryptography from 43.0.0 to 46.0.5 by @dependabot[bot] in #349
- Repo File Sync: CodeQL sync and update to Mu DevOps v18.0.3 by @mu-automation[bot] in #352
- pip: bump ruff from 0.15.1 to 0.15.2 by @dependabot[bot] in #351
- High Confidence Buckets - 02/25/2026 by @jgeurten in #353
- pip: bump ruff from 0.15.2 to 0.15.4 by @dependabot[bot] in #356
- pip: bump edk2-pytool-extensions from 0.30.6 to 0.30.8 by @dependabot[bot] in #357
- GitHub Action: Bump actions/upload-artifact from 6 to 7 by @dependabot[bot] in #354
- pip: bump ruff from 0.15.4 to 0.15.5 by @dependabot[bot] in #360
- Improve Make2023BootableMedia.ps1: auto-download oscdimg, path handling, boot.stl, NTFS enforcement by @ballsop in #361
- kek update map fixes by @kraxel in #364
New Contributors
Full Changelog: v1.6.3-signed...v1.6.4-signed
v1.6.4
β οΈ IMPORTANT
No major security fixes.
TLDR;
- Make2023BootableMedia.ps1 Improved and Signed!
- High Confidence Buckets added
- KEK update map fixes
- authenticode_transplant.py Updates
What's Changed
-
kek update map fixes @kraxel (#364)
Change Details
Β ## Description
Update
scripts/get_auth_var_signing_certificate.pyto sort the entries.Fix
PostSignedObjects/KEK/kek_update_map.jsondata file.
Changes:- All entries are now sorted by filename.
- Fix some paths from windows ('\') to posix ('/') directory separator.
- Remove duplicate RedHat entry.
How This Was Tested
-
Inspect the file changes.
-
Verify with
jqutility thatkek_update_map.jsonis valid JSON.
-
Improve Make2023BootableMedia.ps1: auto-download oscdimg, path handling, boot.stl, NTFS enforcement @ballsop (#361)
Change Details
Β ## Description
-
Add Download-Oscdimg function to download oscdimg.exe from the Microsoft public symbol server when not found locally, with architecture detection (AMD64/ARM64/x86) and user confirmation prompt. Previously downloaded copies in %TEMP% are reused automatically. Addresses #333.
-
Fix path handling errors found in testing: normalize ISOPath to absolute early via ConvertTo-AbsolutePath to prevent crash when bare filenames are passed. Replace fragile Substring/LastIndexOf with Split-Path in Create-ISOMedia. Replace unsafe Substring(0,1) drive letter extraction with Split-Path -Qualifier in Initialize-StagingDirectory and Validate-Parameters. Add null/empty input guard and use TrimEnd in ConvertTo-AbsolutePath.
-
Copy boot.stl from boot.wim (Windows\Boot\EFI\boot.stl) to staged media (EFI\Microsoft\Boot\boot.stl) when present and not already at destination. Recent OS servicing introduced a new dependency on boot.stl.
-
Require NTFS for StagingDir and NewMediaPath since WIM mounting relies on reparse points not fully supported on ReFS.
-
Impacts functionality?
-
Impacts security?
-
Breaking change?
-
Includes tests?
-
Includes documentation?
How This Was Tested
Tested on ISO, USB, and LOCAL media creation flows on both X64 and ARM64 systems.
Integration Instructions
N/A
</blockquote> <hr> </details> -
-
High Confidence Buckets - 02/25/2026 @jgeurten (#353)
Change Details
Β ## Description
Open-sourcing the list of buckets where Microsoft has high confidence devices successfully apply the Secure Boot DB and KEK 2023 updates.
For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- [X ] Includes documentation?
How This Was Tested
N/A Testing only
Integration Instructions
N/A
-
Add cryptographic verification to authenticode\_transplant.py @Flickdm (#326)
Change Details
Β This commit adds comprehensive cryptographic validation to the Authenticode signature combining tool, bringing the same verification capabilities from auth_var_tool.py to PE file signature operations.
Key changes:
- Added cryptographic signature verification using the 'cryptography' library
- Implemented SpcIndirectDataContent parsing to extract embedded PE hashes
- Added certificate extraction and display from PKCS#7 signatures
- Compute Authenticode hashes using the algorithm specified in the signature
- Verify signatures mathematically using signer's public key (RSA/ECDSA)
- Validate that computed PE hash matches the hash in SpcIndirectDataContent
New functions:
- _get_hash_algorithm_from_oid(): Maps OID strings to hash algorithms
- _extract_pe_hash_from_spc_indirect_data(): Parses SPC structure for hash
- _extract_certificates_from_pkcs7(): Extracts X.509 certificates
- _verify_pkcs7_signature(): Performs full cryptographic verification
- compute_authenticode_hash(): Flexible hash computation with configurable algorithm
Enhanced functions:
- validate_pkcs7_signatures(): Now performs cryptographic verification
- main_verify(): Displays certificate details and verification status
- main_combine(): Validates signatures cryptographically before combining
Bug fixes:
- Removed incorrect 8-byte padding from Authenticode hash calculation (padding only applies to WIN_CERTIFICATE structure alignment, not hash data)
- Consolidated duplicate hash functions into single implementation
Code improvements:
- Named constants for all magic numbers in SPC parsing
- Better documentation and inline comments
- Proper type annotations with Optional types
Testing:
- Verified against Microsoft-signed bootmgfw.efi files
- Hash computation now matches Windows AppLocker and UEFI firmware
- Both multi-signature and nested signature modes validated
- All test cases pass with cryptographic verification
Follows Microsoft Authenticode PE specification v1.1
Description
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
Ran it against copies of bootmgfw.efi and hellouefi.efi that were both singly signed and
Integration Instructions
N/A
Full Changelog: v1.6.3...v1.6.4
What's Changed
- pip: bump ruff from 0.14.14 to 0.15.0 by @dependabot[bot] in #345
- pip: bump ruff from 0.15.0 to 0.15.1 by @dependabot[bot] in #348
- Add cryptographic verification to authenticode_transplant.py by @Flickdm in #326
- pip: bump cryptography from 43.0.0 to 46.0.5 by @dependabot[bot] in #349
- Repo File Sync: CodeQL sync and update to Mu DevOps v18.0.3 by @mu-automation[bot] in #352
- pip: bump ruff from 0.15.1 to 0.15.2 by @dependabot[bot] in #351
- High Confidence Buckets - 02/25/2026 by @jgeurten in #353
- pip: bump ruff from 0.15.2 to 0.15.4 by @dependabot[bot] in #356
- pip: bump edk2-pytool-extensions from 0.30.6 to 0.30.8 by @dependabot[bot] in #357
- GitHub Action: Bump actions/upload-artifact from 6 to 7 by @dependabot[bot] in #354
- pip: bump ruff from 0.15.4 to 0.15.5 by @dependabot[bot] in #360
- Improve Make2023BootableMedia.ps1: auto-download oscdimg, path handling, boot.stl, NTFS enforcement by @ballsop in #361
- kek update map fixes by @kraxel in #364
New Contributors
Full Changelog: v1.6.3...v1.6.4
v1.6.3-signed
β οΈ IMPORTANT
No major security fixes.
- Additional KEKs provided by ASUS, Acer, Fujitsu, BIOSTAR, TONGFANG, MEDION, Redhat, Microsoft
- Bug fixes in auth_var_tool.py
What's Changed
- [Secure Boot KEK Update] ASUS PK-Signed KEK Update by @ChengAn0519 in #293
- [Secure Boot KEK Update] ASUS PK-Signed KEK Update by @ChengAn0519 in #295
- pip: bump pytest from 8.4.2 to 9.0.0 by @dependabot[bot] in #297
- pip: bump ruff from 0.14.3 to 0.14.4 by @dependabot[bot] in #296
- auth_var_tool: Fix timestamp handling by @Flickdm in #299
- Repo File Sync: Update mu_devops from v18.0.0 to v18.0.2 by @mu-automation[bot] in #300
- pip: bump ruff from 0.14.4 to 0.14.5 by @dependabot[bot] in #307
- [Secure Boot KEK Update] Acer PK-Signed KEK Update by @bloomlin in #309
- pip: bump pytest from 9.0.0 to 9.0.1 by @dependabot[bot] in #306
- [Secure Boot KEK Update] Fujitsu (& FCCL) PK-Signed KEK Update by @akudou1 in #310
- [Secure Boot KEK Update] Acer PK-Signed KEK Update by @bloomlin in #311
- [Secure Boot KEK Update] TONGFANG PK-Signed KEK Update by @Faintsnow in #315
- [Secure Boot KEK Update] BIOSTAR PK-Signed KEK Update by @bloomlin in #316
- MEDION KEK files added by @MaHoBo in #308
- Revert "[Secure Boot KEK Update] TONGFANG PK-Signed KEK Update" by @Flickdm in #322
- pip: bump edk2-pytool-extensions from 0.30.5 to 0.30.6 by @dependabot[bot] in #320
- pip: bump ruff from 0.14.5 to 0.14.7 by @dependabot[bot] in #329
- [Secure Boot KEK Update] RedHat PK-Signed KEK Update by @kraxel in #328
- KEK: Update the get_auth_var_signing_certificate and kek_update_map.json by @Flickdm in #325
- pip: bump ruff from 0.14.7 to 0.14.8 by @dependabot[bot] in #330
- pip: bump pytest from 9.0.1 to 9.0.2 by @dependabot[bot] in #332
- pip: bump edk2-pytool-library from 0.23.10 to 0.23.11 by @dependabot[bot] in #331
- GitHub Action: Bump actions/checkout from 4 to 6 by @dependabot[bot] in #317
- [Secure Boot KEK Update] Microsoft PK-Signed KEK Update by @Flickdm in #336
- [Secure Boot KEK Update] TONGFANG PK-Signed KEK Update by @Faintsnow in #335
- pip: bump ruff from 0.14.8 to 0.14.9 by @dependabot[bot] in #337
- GitHub Action: Bump actions/upload-artifact from 4 to 6 by @dependabot[bot] in #334
- pip: bump ruff from 0.14.9 to 0.14.10 by @dependabot[bot] in #338
- pip: bump pyasn1 from 0.6.1 to 0.6.2 by @dependabot[bot] in #340
- pip: bump ruff from 0.14.10 to 0.14.13 by @dependabot[bot] in #341
- pip: bump ruff from 0.14.13 to 0.14.14 by @dependabot[bot] in #342
New Contributors
- @bloomlin made their first contribution in #309
- @akudou1 made their first contribution in #310
- @Faintsnow made their first contribution in #315
- @MaHoBo made their first contribution in #308
- @kraxel made their first contribution in #328
Full Changelog: v1.6.2-signed...v1.6.3-signed
v1.6.3
β οΈ IMPORTANT
No major security fixes.
- Additional KEKs provided by ASUS, Acer, Fujitsu, BIOSTAR, TONGFANG, MEDION, Redhat, Microsoft
- Bug fixes in auth_var_tool.py
What's Changed
- [Secure Boot KEK Update] ASUS PK-Signed KEK Update by @ChengAn0519 in #293
- [Secure Boot KEK Update] ASUS PK-Signed KEK Update by @ChengAn0519 in #295
- pip: bump pytest from 8.4.2 to 9.0.0 by @dependabot[bot] in #297
- pip: bump ruff from 0.14.3 to 0.14.4 by @dependabot[bot] in #296
- auth_var_tool: Fix timestamp handling by @Flickdm in #299
- Repo File Sync: Update mu_devops from v18.0.0 to v18.0.2 by @mu-automation[bot] in #300
- pip: bump ruff from 0.14.4 to 0.14.5 by @dependabot[bot] in #307
- [Secure Boot KEK Update] Acer PK-Signed KEK Update by @bloomlin in #309
- pip: bump pytest from 9.0.0 to 9.0.1 by @dependabot[bot] in #306
- [Secure Boot KEK Update] Fujitsu (& FCCL) PK-Signed KEK Update by @akudou1 in #310
- [Secure Boot KEK Update] Acer PK-Signed KEK Update by @bloomlin in #311
- [Secure Boot KEK Update] TONGFANG PK-Signed KEK Update by @Faintsnow in #315
- [Secure Boot KEK Update] BIOSTAR PK-Signed KEK Update by @bloomlin in #316
- MEDION KEK files added by @MaHoBo in #308
- Revert "[Secure Boot KEK Update] TONGFANG PK-Signed KEK Update" by @Flickdm in #322
- pip: bump edk2-pytool-extensions from 0.30.5 to 0.30.6 by @dependabot[bot] in #320
- pip: bump ruff from 0.14.5 to 0.14.7 by @dependabot[bot] in #329
- [Secure Boot KEK Update] RedHat PK-Signed KEK Update by @kraxel in #328
- KEK: Update the get_auth_var_signing_certificate and kek_update_map.json by @Flickdm in #325
- pip: bump ruff from 0.14.7 to 0.14.8 by @dependabot[bot] in #330
- pip: bump pytest from 9.0.1 to 9.0.2 by @dependabot[bot] in #332
- pip: bump edk2-pytool-library from 0.23.10 to 0.23.11 by @dependabot[bot] in #331
- GitHub Action: Bump actions/checkout from 4 to 6 by @dependabot[bot] in #317
- [Secure Boot KEK Update] Microsoft PK-Signed KEK Update by @Flickdm in #336
- [Secure Boot KEK Update] TONGFANG PK-Signed KEK Update by @Faintsnow in #335
- pip: bump ruff from 0.14.8 to 0.14.9 by @dependabot[bot] in #337
- GitHub Action: Bump actions/upload-artifact from 4 to 6 by @dependabot[bot] in #334
- pip: bump ruff from 0.14.9 to 0.14.10 by @dependabot[bot] in #338
- pip: bump pyasn1 from 0.6.1 to 0.6.2 by @dependabot[bot] in #340
- pip: bump ruff from 0.14.10 to 0.14.13 by @dependabot[bot] in #341
- pip: bump ruff from 0.14.13 to 0.14.14 by @dependabot[bot] in #342
New Contributors
- @bloomlin made their first contribution in #309
- @akudou1 made their first contribution in #310
- @Faintsnow made their first contribution in #315
- @MaHoBo made their first contribution in #308
- @kraxel made their first contribution in #328
Full Changelog: v1.6.2...v1.6.3
v1.6.2-signed
β οΈ IMPORTANT
No major security fixes.
- Additional KEKs provided by ASUS have been submitted
- A script to perform Multi Signature support for Secure Boot has been added
- Updates to Make2023BootableMedia.ps1 and updating the signed version
What's Changed
- pip: bump ruff from 0.14.1 to 0.14.2 by @dependabot[bot] in #282
- Script to perform UEFI multi signatures by @Flickdm in #270
- pip: bump ruff from 0.14.2 to 0.14.3 by @dependabot[bot] in #283
- [Secure Boot KEK Update] ASUS PK-Signed KEK Update by @ChengAn0519 in #284
- Fix issue with ARM64 media, FAT32 USB handling and several other updates by @ballsop in #285
- [Secure Boot KEK Update] ASUS PK-Signed KEK Update by @ChengAn0519 in #287
New Contributors
- @ChengAn0519 made their first contribution in #284
- @ballsop made their first contribution in #285
Full Changelog: v1.6.1-signed...v1.6.2-signed
v1.6.2
β οΈ IMPORTANT
No major security fixes.
- Additional KEKs provided by ASUS have been submitted
- A script to perform Multi Signature support for Secure Boot has been added
- Updates to Make2023BootableMedia.ps1 and updating the signed version
What's Changed
-
[Secure Boot KEK Update] ASUS PK-Signed KEK Update @ChengAn0519 (#287)
Change Details
Β ## OEM Certificate Submission
OEM Name: ASUS
Contact Email: [email protected]Certificate Details
- Platform Key Thumbprint: 3BEF0726985C1C38CBA54C48A4B2B6EB281D9EE524CA7E1C8D6EE23942896F9A
- Expiration Date: 2040-01-01
Testing Completed
- Windows validation
- Linux validation
Security Review
- No known security issues
Additional Notes
Platform Key Thumbprint SHA1:EABCB3D43C0F3353F6396E297A8CBC4EF5F2AD39
-
Fix issue with ARM64 media, FAT32 USB handling and several other updates @ballsop (#285)
Change Details
Β ## Description
- Fixed issue with ARM64 media being handled as X64 media.
- FAT32 USB key generation improvements.
- No longer need to install ADK if not generating ISO images
- Added DebugOn parameter to easily turn on extra logging output
- A number of improvements to parameter handling
- Misc tweaks and optimizations
How This Was Tested
-
Large number of iterations against current and old media images, including ARM64 media.
</blockquote> <hr>
-
[Secure Boot KEK Update] ASUS PK-Signed KEK Update @ChengAn0519 (#284)
Change Details
Β ## OEM Certificate Submission
OEM Name: ASUS
Contact Email: [email protected]Certificate Details
- Platform Key Thumbprint: 3F7AD0C7F6D52E501D885A312B232A739EA44709844DA4002EAE5A005A3ABAEF
- Expiration Date: 2043-11-14
Testing Completed
- Windows validation
- Linux validation
Security Review
- No known security issues
Additional Notes
Platform Key Thumbprint SHA1:131A78741E5D4152489B838ED8F717FB167D6888
-
Script to perform UEFI multi signatures @Flickdm (#270)
Change Details
Β ## Description
As the ecosystem is marching towards certificate key expiry, we must standardize and document
how multiple signatures are expected to work. This PR implements a python script that can take
two signed binaries and output a third "multi" signed binary.It does not appear that the windows authenticode specification dictates how multi-signatures
are expected to be implemented. In that absence, EDK2 chose to implement multi-signatures
using multiple WIN_CERTIFICATES according to the PE/COFF specification.
The UEFI specification describes this as:Multiple signatures are allowed to exist in the binaryβs certificate table (as per PE/COFF Section βAttribute Certificate Tableβ).This PR implements the code to perform the binary manipulation to get the multi signed
binary in the correct format to be validated by EDK2.Additionally, this scripts supports "--nested" which is similar to the "/as" command by SignTool.
UEFI does not appear to support this today.UEFI Style Multi-Signature
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β DOS Header (64 bytes) β β Offset 0x3C: PE Header offset β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β DOS Stub β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β PE Signature "PE\0\0" β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β COFF Header (20 bytes) β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β Optional Header β β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β β β Magic: 0x010B (PE32) or 0x020B (PE32+) β β β β ... other fields ... β β β β β β β β Data Directories β β β β ββββββββββββββββββββββββββββββββββββββββββββββββ β β β β β [4] Security Directory βββββββββββββββββββββββΌββββΌβββββΌβββ β β β VirtualAddress: 0xNNNN (file offset) β β β β β β β Size: SSSS bytes (LARGER than source!) β β β β β β ββββββββββββββββββββββββββββββββββββββββββββββββ β β β β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β β Section Headers β β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β β .text Section (IDENTICAL to sources) β β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β β .data Section (IDENTICAL to sources) β β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β β .reloc Section (IDENTICAL to sources) β β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β β ... other sections ... β β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β β β β β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββββ β β WIN_CERTIFICATE Structure #1 β β βββ First Authority β β ββββββββββββββββββββββββββββββββββββββββββββββββββββ β β β β β dwLength (4 bytes) = Size of structure #1 β β β β β β wRevision (2 bytes) = 0x0200 β β β β β β wCertificateType (2 bytes) = 0x0002 (PKCS#7) β β β β β ββββββββββββββββββββββββββββββββββββββββββββββββββββ β β β β ββββββββββββββββββββββββββββββββββββββββββββββββββββ β β β β β PKCS#7 SignedData from source1.efi β β β β β β - Complete, independent PKCS#7 structure β β β β β β - Includes cert chain from first signer β β β β β β - Timestamp from first signing β β β β β ββββββββββββββββββββββββββββββββββββββββββββββββββββ β β β β ββββββββββββββββββββββββββββββββββββββββββββββββββββ β β β β β Padding (0-7 bytes for 8-byte alignment) β β β β β ββββββββββββββββββββββββββββββββββββββββββββββββββββ β β β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β β β β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β βββ Second Authority β β WIN_CERTIFICATE Structure #2 β β β β ββββββββββββββββββββββββββββββββββββββββββββββββββββ β β β β β dwLength (4 bytes) = Size of structure #2 β β β β β β wRevision (2 bytes) = 0x0200 β β β β β β wCertificateType (2 bytes) = 0x0002 (PKCS#7) β β β β β ββββββββββββββββββββββββββββββββββββββββββββββββββββ β β β β ββββββββββββββββββββββββββββββββββββββββββββββββββββ β β β β β PKCS#7 SignedData from source2.efi β β β β β β - Complete, independent PKCS#7 structure β β β β β β - Includes cert chain from second signer β β β β β β - Timestamp from second signing β β β β β ββββββββββββββββββββββββββββββββββββββββββββββββββββ β β β β ββββββββββββββββββββββββββββββββββββββββββββββββββββ β β β β β Padding (0-7 bytes for 8-byte alignment) β β β β β ββββββββββββββββββββββββββββββββββββββββββββββββββββ β β β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ END OF FILE Note: The security directory Size field = (WIN_CERTIFICATE #1 total size) + (WIN_CERTIFICATE #2 total size)For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
Multi signed binary was executed in the following conditions
w/ nested signature (Microsoft OID) (--nested argument)
Only primary signature is checked, secondary signature fails
- With SB disabled, binary passes validation
- With SB enabled
2.1 DB with 2011 CA & 2023 CA - multi-signed image passes
2.2 DB with 2011 CA - multi-signed image passes
2.3 DB with 2023 CA - multi-signed image fails
Windows can verify this image using standard tooling.
w/ multiple win_certificates (not spec defined)
- With SB disabled, binary passes validation
- With SB enabled
2.1 DB with 2011 CA & 2023 CA - multi-signed image passes
2.2 DB with 2011 CA - multi-signed image passes
2.3 DB with 2023 CA - multi-signed image passes
Windows cannot verify this using standard tooling.
Integration Instructions
N/A
...
v1.6.1-signed
DBX Info file had regressions that said the latest SVN was 5.0 despite the binary being updated to 7.0. This has been corrected.
What's Changed
- pip: bump edk2-pytool-library from 0.23.8 to 0.23.10 by @dependabot[bot] in #275
- pip: bump ruff from 0.14.0 to 0.14.1 by @dependabot[bot] in #276
- pip: bump edk2-pytool-extensions from 0.30.3 to 0.30.5 by @dependabot[bot] in #277
- Fix SVN Regressions by @Flickdm in #279
Full Changelog: v1.6.0-signed...v1.6.1-signed
v1.6.1
DBX Info file had regressions that said the latest SVN was 5.0 despite the binary being updated to 7.0. This has been corrected.
What's Changed
- pip: bump edk2-pytool-library from 0.23.8 to 0.23.10 by @dependabot[bot] in #275
- pip: bump ruff from 0.14.0 to 0.14.1 by @dependabot[bot] in #276
- pip: bump edk2-pytool-extensions from 0.30.3 to 0.30.5 by @dependabot[bot] in #277
- Fix SVN Regressions by @Flickdm in #279
Full Changelog: v1.6.0...v1.6.1