Skip to content

Releases: microsoft/secureboot_objects

v1.6.5-signed

Choose a tag to compare

@Flickdm Flickdm released this 07 Jul 18:22

What's Changed

  • Repo File Sync: Group Dependabot Prs and update to create-github-app-token@v3 by @mu-automation[bot] in #366
  • [Secure Boot KEK Update] Adlink PK-Signed KEK Update by @Max-ad-Wu in #350
  • GitHub Action: Bump actions/create-github-app-token from 2 to 3 by @dependabot[bot] in #363
  • pip: bump the all-pip-dependencies group with 2 updates by @dependabot[bot] in #367
  • pip: bump ruff from 0.15.6 to 0.15.7 in the all-pip-dependencies group by @dependabot[bot] in #373
  • license: Drop prebuilt binaries license in favor of BSD-2-Clause-Patent by @chewi in #376
  • pip: bump cryptography from 46.0.5 to 46.0.6 by @dependabot[bot] in #378
  • Repo File Sync: Update to Mu DevOps v18.0.4 by @mu-automation[bot] in #379
  • pip: bump the all-pip-dependencies group with 3 updates by @dependabot[bot] in #380
  • Group/upload by @Flickdm in #383
  • FEAT: Authenticated Variable Verification and KEK workflow by @Flickdm in #385
  • GitHub Action: Bump the all-actions-dependencies group with 3 updates by @dependabot[bot] in #386
  • Repo File Sync: Repo File Sync: Update workflows to 18.0.5 by @mu-automation[bot] in #387
  • Upload: Uploading multiple submissions by @Flickdm in #390
  • pip: bump edk2-pytool-library to 0.23.13, regex to 2026.4.4, ruff to 0.15.9 cryptography to 46.0.7 by @dependabot[bot] in #389
  • [Secure Boot KEK Update] Adlink PK-Signed KEK Update by @Max-ad-Wu in #392
  • Repo File Sync: Update github-script to v9 by @mu-automation[bot] in #395
  • pip: bump cryptography from 46.0.6 to 46.0.7 by @dependabot[bot] in #391
  • GitHub Action: Update prepare-binaries and validate-kek-updates to use actions/github-script 9, action-gh-release 3 by @dependabot[bot] in #394
  • pip: bump ruff from 0.15.9 to 0.15.10 in the all-pip-dependencies group by @dependabot[bot] in #397
  • Fix DBX JSON schema by @cjee21 in #381
  • [Secure Boot KEK Update] Microsoft PK-Signed KEK Update by @Flickdm in #399
  • Build: Detect and strip PKCS#7 ContentInfo wrappers in KEK updates by @Flickdm in #403
  • pip: bump ruff from 0.15.10 to 0.15.11 by @dependabot[bot] in #401
  • cleaning up error in SVN GUID by @SochiOgbuanya in #404
  • pip: bumpruff to 0.15.12, cryptography to 47.0.0 by @dependabot[bot] in #405
  • Fix: Update dbx_info_msft_latest.json to correct incorrect guids by @Flickdm in #406
  • Repo File Sync: Update mu_devops to v18.0.6 by @mu-automation[bot] in #407
  • pip: bump cryptography from 47.0.0 to 48.0.0 in the all-pip-dependencies group by @dependabot[bot] in #408
  • Updating High Confidence Buckets for 5B Windows LCU by @SochiOgbuanya in #412
  • Addressing missing bucket attribute information in 5B High confidence buckets csv by @SochiOgbuanya in #414
  • pip: bump ruff from 0.15.12 to 0.15.13 by @dependabot[bot] in #418
  • bump bootmgr SVN to 8 by @olkorsha in #415
  • pip: bump ruff from 0.15.13 to 0.15.14 in the all-pip-dependencies group by @dependabot[bot] in #423
  • pip: bump ruff from 0.15.14 to 0.15.15 in the all-pip-dependencies group by @dependabot[bot] in #427
  • Repo File Sync: update mu_devops to v18.0.7 by @mu-automation[bot] in #435
  • pip: bump ruff to 0.15.16, cryptography to 48.0.1 by @dependabot[bot] in #431
  • pip: bump ruff to 0.15.17, pytest to 9.1.0, cryptography to 49.0.0 by @dependabot[bot] in #438
  • GitHub Action: Bump actions/checkout from 6 to 7 by @dependabot[bot] in #439
  • [CVE-2026-8863] bump bootmgfw svn to v9, add 12 new x64 dbx hashes by @olkorsha in #429
  • Add 7 additional Microsoft Surface KEK update packages: by @jorticus-msft in #437
  • pip: bump edk2-pytool-library to 0.23.15, ruff to 0.15.20, pytest to 9.1.1 by @dependabot[bot] in #441
  • Fix bootmgr SVN dateOfLastChange and CVE description (#444) by @Flickdm in #445
  • scripts: fix compute_authenticode_hash for unsigned PEs by @jeremy-compostella in #440

New Contributors

Full Changelog: v1.6.4-signed...v1.6.5-signed

v1.6.5

Choose a tag to compare

@mu-automation mu-automation released this 07 Jul 18:20

What's Changed

  • scripts: fix compute\_authenticode\_hash for unsigned PEs @jeremy-compostella (#440)
    Change Details
    Β  When the PE has no attached certificate the security data directory fields VirtualAddress and Size are both 0. The previous unconditional slicing:
    pe_data[certificate_table_offset + 0x08 : 0]   # -> empty
    + pe_data[0 + 0 :]                              # -> whole file re-appended
    

    produced a wrong digest for unsigned images.

    Add an explicit branch: when VirtualAddress == 0, hash only the bytes that follow the 8-byte cert-dir data-directory entry, which is the correct tail of an unsigned PE image.

    Description

    When the PE has no attached certificate the security data directory
    fields VirtualAddress and Size are both 0. The previous unconditional
    slicing:

    pe_data[certificate_table_offset + 0x08 : 0]   # -> empty
    + pe_data[0 + 0 :]                              # -> whole file re-appended
    

    produced a wrong digest for unsigned images.

    How This Was Tested

    Generate Authenticode for an unsigned EFI binary and verify successful verification once enrolled in the DB.

    Integration Instructions

    N/A

      </blockquote>
      <hr>
    </details>
    
  • Fix bootmgr SVN dateOfLastChange and CVE description (#444) @Flickdm (#445)
    Change Details
    Β  ## Description

    The SVN bump from 8.0 to 9.0 (a728996) updated the value and version of the bootmgfw.efi SVN entry but left dateOfLastChange at the 8.0 date (2026-04-10) and the description at the old CVE (CVE-2023-24932).

    Update both fields to match the June 9, 2026 KB5094126 rollout:

    • dateOfLastChange: 2026-04-10 -> 2026-05-21

    • description: CVE-2023-24932 -> CVE-2026-45654

    • Impacts functionality?

    • Impacts security?

    • Breaking change?

    • Includes tests?

    • Includes documentation?

    How This Was Tested

    verified that the json was valid

    Integration Instructions

    N/A




  • Add 7 additional Microsoft Surface KEK update packages: @jorticus-msft (#437)
    Change Details
    Β  ## Description

    Add KEK update binaries for the following Surface PK thumbprints:

    • PK19: 4484F86E (SH2 2022 UEFI PK Signer)

    • PK20: 999B48E3 (AFF UEFI PK CA 2015)

    • PK21: CB8F3251 (LFF 3 Firmware CA 2016)

    • PK22: 5EAE312B (LFF 3 UEFI PK Signer)

    • PK23: C35BFE0D (NFF UEFI PK Signer)

    • PK24: E8DFD45C (LFF 2 UEFI PK CA 2014)

    • PK25: F4BC8D56 (XLFF UEFI PK CA 2014)

    • Impacts functionality?

    • Impacts security?

    • Breaking change?

    • Includes tests?

    • Includes documentation?

    How This Was Tested

    Tested on Surface devices associated with each thumbprint. No adverse effects to SecureBoot, Secured Core, or Bitlocker.

    Integration Instructions

    N/A

      </blockquote>
      <hr>
    </details>
    
  • [CVE-2026-8863] bump bootmgfw svn to v9, add 12 new x64 dbx hashes @olkorsha (#429)
    Change Details
    Β  ## Description

    Bump bootmgfw svn to v9
    Add 11 latest x64 dbx hashes
    Add missing EasyFix hash from previous release

    dedupe and update DBXUpdateSVN.bin
    update DBXUpdate.bin




  • bump bootmgr SVN to 8 @olkorsha (#415)
    Change Details
    Β  ## Description

    Update hashes.json and DBXUpdateSVN.bin files

    #396




  • Addressing missing bucket attribute information in 5B High confidence buckets csv @SochiOgbuanya (#414)
    Change Details
    Β 

    Description

    Addressing missing bucket attribute information in 5B High confidence buckets csv

    #413

    <Include a description of the change and why this change was made.>

    Previous csv was missing: OEMModelSystemVersion,FirmwareManufacturer,FirmwareVersion,FirmwareReleaseDate

    These files have been updated to include the full list of bucket attributes: BA_BucketId,OSArchitecture,OEMName,OEMManufacturerName,BaseBoardManufacturer,OEMModelSystemFamily,OEMModelBaseBoard,OEMModelBaseBoardVersion,OEMModelSKU,OEMModelNumber,OEMModelSystemVersion,FirmwareManufacturer,FirmwareVersion,FirmwareReleaseDate

    For details on how to complete these options and their meaning refer to CONTRIBUTING.md.

    • Impacts functionality?
    • Impacts security?
    • Breaking change?
    • Includes tests?
    • Includes documentation?

    How This Was Tested

    <Describe the test(s) that were run to verify the changes.>

    Integration Instructions

    <Describe how these changes should be integrated. Use N/A if nothing is required.>

      </blockquote>
      <hr>
    </details>
    
  • Updating High Confidence Buckets for 5B Windows LCU @SochiOgbuanya (#412)
    Change Details
    Β  ## Description

    Updated the high confidence buckets to include new bucket data shipped for 5B windows LCU. Files are too large for GitHub UI to compute diff.

    • Impacts functionality?
    • Impacts security?
    • Breaking change?
    • Includes tests?
    • Includes documentation?

    How This Was Tested

    N/A

    Integration Instructions

    N/A




  • cleaning up error in SVN GUID @SochiOgbuanya (#404)
    Change Details
    Β  ## Description

    <Include a description of the change and why this change was made.>
    Updated the SVN GUID to address #377

    For details on how to complete these options and their meaning refer to CONTRIBUTING.md.

    • [] Impacts functionality? No
    • Impacts security? No
    • Breaking change? No
    • Includes tests? No
    • Includes documentation? No

    How This Was Tested

    No test required
    <Describe the test(s) that were run to verify the changes.>

    Integration Instructions

    <Describe how these changes should be integrated. Use N/A if nothing is required.>

      </blockquote>
      <hr>
    </details>
    
  • Build: Detect and strip PKCS#7 ContentInfo wrappers in KEK updates @Flickdm (#403)
    Change Details
    Β  ## Description

    Some KEK update files are generated with an outer ContentInfo SEQUENCE wrapping the SignedData blob. Older EDK2-based firmware expects raw SignedData directly in WIN_CERTIFICATE_UEFI_GUID.CertData; ContentInfo support was only added recently in:
    tianocore/edk2@37d3eb0

    This is normally because the tool that used wanted to sign it in a "normal" way where the code in UEFI is anything but normal.

    If we strip off the ContentInfo(..) we have a greater chance of supporting platforms stuck on older UEFI firmware.

    So while not invalid - and for newer machines is fine - older firmware may pose an issue.

    For details on how to complete these options and their meaning refer to CONTRIBUTING.md.

    • Impacts functionality?
    • Impacts security?
    • Breaking change?
    • Includes tests?
    • Includes documentation?

    How This Was Tested

    Tested with a known binary with this issue

    KEK Validation Results

    ⚠️ WARNING: PostSignedObjects/KEK/Test/KEKUpdate_PK_WITH_CONTENT_INFO.bin

    • Cryptographic Signature: βœ… VALID
    • Expected Payload: βœ… True
    • ContentInfo Wrapper: ⚠️ Detected

    Why this matters: The PKCS#7 signature contains an outer ContentInfo SEQUENCE
    wrapping the SignedData. Older EDK2-based firmware expects raw SignedData in
    WIN_CERTIFICATE_UEFI_GUID.CertData and will reject the update. Use
    scripts/strip_content_info.py to remove the wrapper before submitting.

    File Hashes (SHA-256)

    PostSignedObjects/KEK/Test/KEKUpdate_PK_WITH_CONTENT_INFO.bin: 7e3f66f80384f26b1a4ff6a45c7aecc28891bf1250adbbc3e76bb73868dd70fc
    

    Command Output

    $ python scripts/validate_kek.py "PostSignedObjects/KEK/Test/KEKUpdate_PK_WITH_CONTENT_INFO.bin" -o "kek_validation_results/KEKUpdate_PK_WITH_CONTENT_INFO_validation.json" -q
    INFO:root:Validating: KEKUpdate_PK_WITH_CONTENT_INFO.bin
    WARNING:root:  [!] ContentInfo wrapper detected in cert_data!
    INFO:root:  Cryptographic Signature: VALID
    INFO:root:  Expected Payload: True
    
    INFO:root:Result...
    
Read more

v1.6.4-signed

Choose a tag to compare

@Flickdm Flickdm released this 16 Mar 21:12

⚠️ IMPORTANT

No major security fixes.

TLDR;

  1. Make2023BootableMedia.ps1 Improved and Signed!
  2. High Confidence Buckets added
  3. KEK update map fixes
  4. authenticode_transplant.py Updates

What's Changed

  • pip: bump ruff from 0.14.14 to 0.15.0 by @dependabot[bot] in #345
  • pip: bump ruff from 0.15.0 to 0.15.1 by @dependabot[bot] in #348
  • Add cryptographic verification to authenticode_transplant.py by @Flickdm in #326
  • pip: bump cryptography from 43.0.0 to 46.0.5 by @dependabot[bot] in #349
  • Repo File Sync: CodeQL sync and update to Mu DevOps v18.0.3 by @mu-automation[bot] in #352
  • pip: bump ruff from 0.15.1 to 0.15.2 by @dependabot[bot] in #351
  • High Confidence Buckets - 02/25/2026 by @jgeurten in #353
  • pip: bump ruff from 0.15.2 to 0.15.4 by @dependabot[bot] in #356
  • pip: bump edk2-pytool-extensions from 0.30.6 to 0.30.8 by @dependabot[bot] in #357
  • GitHub Action: Bump actions/upload-artifact from 6 to 7 by @dependabot[bot] in #354
  • pip: bump ruff from 0.15.4 to 0.15.5 by @dependabot[bot] in #360
  • Improve Make2023BootableMedia.ps1: auto-download oscdimg, path handling, boot.stl, NTFS enforcement by @ballsop in #361
  • kek update map fixes by @kraxel in #364

New Contributors

Full Changelog: v1.6.3-signed...v1.6.4-signed

v1.6.4

Choose a tag to compare

@mu-automation mu-automation released this 16 Mar 21:14

⚠️ IMPORTANT

No major security fixes.

TLDR;

  1. Make2023BootableMedia.ps1 Improved and Signed!
  2. High Confidence Buckets added
  3. KEK update map fixes
  4. authenticode_transplant.py Updates

What's Changed

  • kek update map fixes @kraxel (#364)
    Change Details
    Β  ## Description

    Update scripts/get_auth_var_signing_certificate.py to sort the entries.

    Fix PostSignedObjects/KEK/kek_update_map.json data file.
    Changes:

    • All entries are now sorted by filename.
    • Fix some paths from windows ('\') to posix ('/') directory separator.
    • Remove duplicate RedHat entry.

    How This Was Tested

    • Inspect the file changes.

    • Verify with jq utility that kek_update_map.json is valid JSON.


  • Improve Make2023BootableMedia.ps1: auto-download oscdimg, path handling, boot.stl, NTFS enforcement @ballsop (#361)
    Change Details
    Β  ## Description
    • Add Download-Oscdimg function to download oscdimg.exe from the Microsoft public symbol server when not found locally, with architecture detection (AMD64/ARM64/x86) and user confirmation prompt. Previously downloaded copies in %TEMP% are reused automatically. Addresses #333.

    • Fix path handling errors found in testing: normalize ISOPath to absolute early via ConvertTo-AbsolutePath to prevent crash when bare filenames are passed. Replace fragile Substring/LastIndexOf with Split-Path in Create-ISOMedia. Replace unsafe Substring(0,1) drive letter extraction with Split-Path -Qualifier in Initialize-StagingDirectory and Validate-Parameters. Add null/empty input guard and use TrimEnd in ConvertTo-AbsolutePath.

    • Copy boot.stl from boot.wim (Windows\Boot\EFI\boot.stl) to staged media (EFI\Microsoft\Boot\boot.stl) when present and not already at destination. Recent OS servicing introduced a new dependency on boot.stl.

    • Require NTFS for StagingDir and NewMediaPath since WIM mounting relies on reparse points not fully supported on ReFS.

    • Impacts functionality?

    • Impacts security?

    • Breaking change?

    • Includes tests?

    • Includes documentation?

    How This Was Tested

    Tested on ISO, USB, and LOCAL media creation flows on both X64 and ARM64 systems.

    Integration Instructions

    N/A

      </blockquote>
      <hr>
    </details>
    
  • High Confidence Buckets - 02/25/2026 @jgeurten (#353)
    Change Details
    Β  ## Description

    Open-sourcing the list of buckets where Microsoft has high confidence devices successfully apply the Secure Boot DB and KEK 2023 updates.

    For details on how to complete these options and their meaning refer to CONTRIBUTING.md.

    • Impacts functionality?
    • Impacts security?
    • Breaking change?
    • Includes tests?
    • [X ] Includes documentation?

    How This Was Tested

    N/A Testing only

    Integration Instructions

    N/A




  • Add cryptographic verification to authenticode\_transplant.py @Flickdm (#326)
    Change Details
    Β  This commit adds comprehensive cryptographic validation to the Authenticode signature combining tool, bringing the same verification capabilities from auth_var_tool.py to PE file signature operations.

    Key changes:

    • Added cryptographic signature verification using the 'cryptography' library
    • Implemented SpcIndirectDataContent parsing to extract embedded PE hashes
    • Added certificate extraction and display from PKCS#7 signatures
    • Compute Authenticode hashes using the algorithm specified in the signature
    • Verify signatures mathematically using signer's public key (RSA/ECDSA)
    • Validate that computed PE hash matches the hash in SpcIndirectDataContent

    New functions:

    • _get_hash_algorithm_from_oid(): Maps OID strings to hash algorithms
    • _extract_pe_hash_from_spc_indirect_data(): Parses SPC structure for hash
    • _extract_certificates_from_pkcs7(): Extracts X.509 certificates
    • _verify_pkcs7_signature(): Performs full cryptographic verification
    • compute_authenticode_hash(): Flexible hash computation with configurable algorithm

    Enhanced functions:

    • validate_pkcs7_signatures(): Now performs cryptographic verification
    • main_verify(): Displays certificate details and verification status
    • main_combine(): Validates signatures cryptographically before combining

    Bug fixes:

    • Removed incorrect 8-byte padding from Authenticode hash calculation (padding only applies to WIN_CERTIFICATE structure alignment, not hash data)
    • Consolidated duplicate hash functions into single implementation

    Code improvements:

    • Named constants for all magic numbers in SPC parsing
    • Better documentation and inline comments
    • Proper type annotations with Optional types

    Testing:

    • Verified against Microsoft-signed bootmgfw.efi files
    • Hash computation now matches Windows AppLocker and UEFI firmware
    • Both multi-signature and nested signature modes validated
    • All test cases pass with cryptographic verification

    Follows Microsoft Authenticode PE specification v1.1

    Description

    • Impacts functionality?
    • Impacts security?
    • Breaking change?
    • Includes tests?
    • Includes documentation?

    How This Was Tested

    Ran it against copies of bootmgfw.efi and hellouefi.efi that were both singly signed and

    Integration Instructions

    N/A




Full Changelog: v1.6.3...v1.6.4

What's Changed

  • pip: bump ruff from 0.14.14 to 0.15.0 by @dependabot[bot] in #345
  • pip: bump ruff from 0.15.0 to 0.15.1 by @dependabot[bot] in #348
  • Add cryptographic verification to authenticode_transplant.py by @Flickdm in #326
  • pip: bump cryptography from 43.0.0 to 46.0.5 by @dependabot[bot] in #349
  • Repo File Sync: CodeQL sync and update to Mu DevOps v18.0.3 by @mu-automation[bot] in #352
  • pip: bump ruff from 0.15.1 to 0.15.2 by @dependabot[bot] in #351
  • High Confidence Buckets - 02/25/2026 by @jgeurten in #353
  • pip: bump ruff from 0.15.2 to 0.15.4 by @dependabot[bot] in #356
  • pip: bump edk2-pytool-extensions from 0.30.6 to 0.30.8 by @dependabot[bot] in #357
  • GitHub Action: Bump actions/upload-artifact from 6 to 7 by @dependabot[bot] in #354
  • pip: bump ruff from 0.15.4 to 0.15.5 by @dependabot[bot] in #360
  • Improve Make2023BootableMedia.ps1: auto-download oscdimg, path handling, boot.stl, NTFS enforcement by @ballsop in #361
  • kek update map fixes by @kraxel in #364

New Contributors

Full Changelog: v1.6.3...v1.6.4

v1.6.3-signed

Choose a tag to compare

@Flickdm Flickdm released this 02 Feb 21:34

⚠️ IMPORTANT

No major security fixes.

  1. Additional KEKs provided by ASUS, Acer, Fujitsu, BIOSTAR, TONGFANG, MEDION, Redhat, Microsoft
  2. Bug fixes in auth_var_tool.py

What's Changed

  • [Secure Boot KEK Update] ASUS PK-Signed KEK Update by @ChengAn0519 in #293
  • [Secure Boot KEK Update] ASUS PK-Signed KEK Update by @ChengAn0519 in #295
  • pip: bump pytest from 8.4.2 to 9.0.0 by @dependabot[bot] in #297
  • pip: bump ruff from 0.14.3 to 0.14.4 by @dependabot[bot] in #296
  • auth_var_tool: Fix timestamp handling by @Flickdm in #299
  • Repo File Sync: Update mu_devops from v18.0.0 to v18.0.2 by @mu-automation[bot] in #300
  • pip: bump ruff from 0.14.4 to 0.14.5 by @dependabot[bot] in #307
  • [Secure Boot KEK Update] Acer PK-Signed KEK Update by @bloomlin in #309
  • pip: bump pytest from 9.0.0 to 9.0.1 by @dependabot[bot] in #306
  • [Secure Boot KEK Update] Fujitsu (& FCCL) PK-Signed KEK Update by @akudou1 in #310
  • [Secure Boot KEK Update] Acer PK-Signed KEK Update by @bloomlin in #311
  • [Secure Boot KEK Update] TONGFANG PK-Signed KEK Update by @Faintsnow in #315
  • [Secure Boot KEK Update] BIOSTAR PK-Signed KEK Update by @bloomlin in #316
  • MEDION KEK files added by @MaHoBo in #308
  • Revert "[Secure Boot KEK Update] TONGFANG PK-Signed KEK Update" by @Flickdm in #322
  • pip: bump edk2-pytool-extensions from 0.30.5 to 0.30.6 by @dependabot[bot] in #320
  • pip: bump ruff from 0.14.5 to 0.14.7 by @dependabot[bot] in #329
  • [Secure Boot KEK Update] RedHat PK-Signed KEK Update by @kraxel in #328
  • KEK: Update the get_auth_var_signing_certificate and kek_update_map.json by @Flickdm in #325
  • pip: bump ruff from 0.14.7 to 0.14.8 by @dependabot[bot] in #330
  • pip: bump pytest from 9.0.1 to 9.0.2 by @dependabot[bot] in #332
  • pip: bump edk2-pytool-library from 0.23.10 to 0.23.11 by @dependabot[bot] in #331
  • GitHub Action: Bump actions/checkout from 4 to 6 by @dependabot[bot] in #317
  • [Secure Boot KEK Update] Microsoft PK-Signed KEK Update by @Flickdm in #336
  • [Secure Boot KEK Update] TONGFANG PK-Signed KEK Update by @Faintsnow in #335
  • pip: bump ruff from 0.14.8 to 0.14.9 by @dependabot[bot] in #337
  • GitHub Action: Bump actions/upload-artifact from 4 to 6 by @dependabot[bot] in #334
  • pip: bump ruff from 0.14.9 to 0.14.10 by @dependabot[bot] in #338
  • pip: bump pyasn1 from 0.6.1 to 0.6.2 by @dependabot[bot] in #340
  • pip: bump ruff from 0.14.10 to 0.14.13 by @dependabot[bot] in #341
  • pip: bump ruff from 0.14.13 to 0.14.14 by @dependabot[bot] in #342

New Contributors

Full Changelog: v1.6.2-signed...v1.6.3-signed

v1.6.3

Choose a tag to compare

@mu-automation mu-automation released this 02 Feb 21:35

⚠️ IMPORTANT

No major security fixes.

  1. Additional KEKs provided by ASUS, Acer, Fujitsu, BIOSTAR, TONGFANG, MEDION, Redhat, Microsoft
  2. Bug fixes in auth_var_tool.py

What's Changed

  • [Secure Boot KEK Update] ASUS PK-Signed KEK Update by @ChengAn0519 in #293
  • [Secure Boot KEK Update] ASUS PK-Signed KEK Update by @ChengAn0519 in #295
  • pip: bump pytest from 8.4.2 to 9.0.0 by @dependabot[bot] in #297
  • pip: bump ruff from 0.14.3 to 0.14.4 by @dependabot[bot] in #296
  • auth_var_tool: Fix timestamp handling by @Flickdm in #299
  • Repo File Sync: Update mu_devops from v18.0.0 to v18.0.2 by @mu-automation[bot] in #300
  • pip: bump ruff from 0.14.4 to 0.14.5 by @dependabot[bot] in #307
  • [Secure Boot KEK Update] Acer PK-Signed KEK Update by @bloomlin in #309
  • pip: bump pytest from 9.0.0 to 9.0.1 by @dependabot[bot] in #306
  • [Secure Boot KEK Update] Fujitsu (& FCCL) PK-Signed KEK Update by @akudou1 in #310
  • [Secure Boot KEK Update] Acer PK-Signed KEK Update by @bloomlin in #311
  • [Secure Boot KEK Update] TONGFANG PK-Signed KEK Update by @Faintsnow in #315
  • [Secure Boot KEK Update] BIOSTAR PK-Signed KEK Update by @bloomlin in #316
  • MEDION KEK files added by @MaHoBo in #308
  • Revert "[Secure Boot KEK Update] TONGFANG PK-Signed KEK Update" by @Flickdm in #322
  • pip: bump edk2-pytool-extensions from 0.30.5 to 0.30.6 by @dependabot[bot] in #320
  • pip: bump ruff from 0.14.5 to 0.14.7 by @dependabot[bot] in #329
  • [Secure Boot KEK Update] RedHat PK-Signed KEK Update by @kraxel in #328
  • KEK: Update the get_auth_var_signing_certificate and kek_update_map.json by @Flickdm in #325
  • pip: bump ruff from 0.14.7 to 0.14.8 by @dependabot[bot] in #330
  • pip: bump pytest from 9.0.1 to 9.0.2 by @dependabot[bot] in #332
  • pip: bump edk2-pytool-library from 0.23.10 to 0.23.11 by @dependabot[bot] in #331
  • GitHub Action: Bump actions/checkout from 4 to 6 by @dependabot[bot] in #317
  • [Secure Boot KEK Update] Microsoft PK-Signed KEK Update by @Flickdm in #336
  • [Secure Boot KEK Update] TONGFANG PK-Signed KEK Update by @Faintsnow in #335
  • pip: bump ruff from 0.14.8 to 0.14.9 by @dependabot[bot] in #337
  • GitHub Action: Bump actions/upload-artifact from 4 to 6 by @dependabot[bot] in #334
  • pip: bump ruff from 0.14.9 to 0.14.10 by @dependabot[bot] in #338
  • pip: bump pyasn1 from 0.6.1 to 0.6.2 by @dependabot[bot] in #340
  • pip: bump ruff from 0.14.10 to 0.14.13 by @dependabot[bot] in #341
  • pip: bump ruff from 0.14.13 to 0.14.14 by @dependabot[bot] in #342

New Contributors

Full Changelog: v1.6.2...v1.6.3

v1.6.2-signed

Choose a tag to compare

@Flickdm Flickdm released this 11 Nov 19:08

⚠️ IMPORTANT

No major security fixes.

  1. Additional KEKs provided by ASUS have been submitted
  2. A script to perform Multi Signature support for Secure Boot has been added
  3. Updates to Make2023BootableMedia.ps1 and updating the signed version

What's Changed

  • pip: bump ruff from 0.14.1 to 0.14.2 by @dependabot[bot] in #282
  • Script to perform UEFI multi signatures by @Flickdm in #270
  • pip: bump ruff from 0.14.2 to 0.14.3 by @dependabot[bot] in #283
  • [Secure Boot KEK Update] ASUS PK-Signed KEK Update by @ChengAn0519 in #284
  • Fix issue with ARM64 media, FAT32 USB handling and several other updates by @ballsop in #285
  • [Secure Boot KEK Update] ASUS PK-Signed KEK Update by @ChengAn0519 in #287

New Contributors

Full Changelog: v1.6.1-signed...v1.6.2-signed

v1.6.2

Choose a tag to compare

@mu-automation mu-automation released this 11 Nov 19:07

⚠️ IMPORTANT

No major security fixes.

  1. Additional KEKs provided by ASUS have been submitted
  2. A script to perform Multi Signature support for Secure Boot has been added
  3. Updates to Make2023BootableMedia.ps1 and updating the signed version

What's Changed

  • [Secure Boot KEK Update] ASUS PK-Signed KEK Update @ChengAn0519 (#287)
    Change Details
    Β  ## OEM Certificate Submission

    OEM Name: ASUS
    Contact Email: [email protected]

    Certificate Details

    • Platform Key Thumbprint: 3BEF0726985C1C38CBA54C48A4B2B6EB281D9EE524CA7E1C8D6EE23942896F9A
    • Expiration Date: 2040-01-01

    Testing Completed

    • Windows validation
    • Linux validation

    Security Review

    • No known security issues

    Additional Notes

    Platform Key Thumbprint SHA1:EABCB3D43C0F3353F6396E297A8CBC4EF5F2AD39




  • Fix issue with ARM64 media, FAT32 USB handling and several other updates @ballsop (#285)
    Change Details
    Β  ## Description
    • Fixed issue with ARM64 media being handled as X64 media.
    • FAT32 USB key generation improvements.
    • No longer need to install ADK if not generating ISO images
    • Added DebugOn parameter to easily turn on extra logging output
    • A number of improvements to parameter handling
    • Misc tweaks and optimizations

    How This Was Tested

    • Large number of iterations against current and old media images, including ARM64 media.

      </blockquote>
      <hr>
      
  • [Secure Boot KEK Update] ASUS PK-Signed KEK Update @ChengAn0519 (#284)
    Change Details
    Β  ## OEM Certificate Submission

    OEM Name: ASUS
    Contact Email: [email protected]

    Certificate Details

    • Platform Key Thumbprint: 3F7AD0C7F6D52E501D885A312B232A739EA44709844DA4002EAE5A005A3ABAEF
    • Expiration Date: 2043-11-14

    Testing Completed

    • Windows validation
    • Linux validation

    Security Review

    • No known security issues

    Additional Notes

    Platform Key Thumbprint SHA1:131A78741E5D4152489B838ED8F717FB167D6888




  • Script to perform UEFI multi signatures @Flickdm (#270)
    Change Details
    Β  ## Description

    As the ecosystem is marching towards certificate key expiry, we must standardize and document
    how multiple signatures are expected to work. This PR implements a python script that can take
    two signed binaries and output a third "multi" signed binary.

    It does not appear that the windows authenticode specification dictates how multi-signatures
    are expected to be implemented. In that absence, EDK2 chose to implement multi-signatures
    using multiple WIN_CERTIFICATES according to the PE/COFF specification.
    The UEFI specification describes this as:

    Multiple signatures are allowed to exist in the binary’s certificate table (as per PE/COFF Section β€œAttribute Certificate Table”). 
    

    This PR implements the code to perform the binary manipulation to get the multi signed
    binary in the correct format to be validated by EDK2.

    Additionally, this scripts supports "--nested" which is similar to the "/as" command by SignTool.
    UEFI does not appear to support this today.

    UEFI Style Multi-Signature

    β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
    β”‚                    DOS Header (64 bytes)                    β”‚
    β”‚  Offset 0x3C: PE Header offset                              β”‚
    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
    β”‚                    DOS Stub                                 β”‚
    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
    β”‚                    PE Signature "PE\0\0"                    β”‚
    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
    β”‚                    COFF Header (20 bytes)                   β”‚
    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
    β”‚                    Optional Header                          β”‚
    β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”    β”‚
    β”‚  β”‚  Magic: 0x010B (PE32) or 0x020B (PE32+)             β”‚    β”‚
    β”‚  β”‚  ... other fields ...                               β”‚    β”‚
    β”‚  β”‚                                                     β”‚    β”‚
    β”‚  β”‚  Data Directories                                   β”‚    β”‚
    β”‚  β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”   β”‚    β”‚
    β”‚  β”‚  β”‚ [4] Security Directory ◄─────────────────────┼───┼────┼──┐
    β”‚  β”‚  β”‚     VirtualAddress: 0xNNNN (file offset)     β”‚   β”‚    β”‚  β”‚
    β”‚  β”‚  β”‚     Size: SSSS bytes (LARGER than source!)   β”‚   β”‚    β”‚  β”‚
    β”‚  β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜   β”‚    β”‚  β”‚
    β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜    β”‚  β”‚
    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
    β”‚                    Section Headers                          β”‚  β”‚
    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
    β”‚                    .text Section (IDENTICAL to sources)     β”‚  β”‚
    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
    β”‚                    .data Section (IDENTICAL to sources)     β”‚  β”‚
    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
    β”‚                    .reloc Section (IDENTICAL to sources)    β”‚  β”‚
    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
    β”‚                    ... other sections ...                   β”‚  β”‚
    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
    β”‚                                                             β”‚  β”‚
    β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚β—„β”€β”˜
    β”‚  β”‚           WIN_CERTIFICATE Structure #1                 β”‚ β”‚ ◄── First Authority
    β”‚  β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚ β”‚
    β”‚  β”‚  β”‚ dwLength (4 bytes)     = Size of structure #1    β”‚  β”‚ β”‚
    β”‚  β”‚  β”‚ wRevision (2 bytes)    = 0x0200                  β”‚  β”‚ β”‚
    β”‚  β”‚  β”‚ wCertificateType (2 bytes) = 0x0002 (PKCS#7)     β”‚  β”‚ β”‚
    β”‚  β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚ β”‚
    β”‚  β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚ β”‚
    β”‚  β”‚  β”‚    PKCS#7 SignedData from source1.efi            β”‚  β”‚ β”‚
    β”‚  β”‚  β”‚  - Complete, independent PKCS#7 structure        β”‚  β”‚ β”‚
    β”‚  β”‚  β”‚  - Includes cert chain from first signer         β”‚  β”‚ β”‚
    β”‚  β”‚  β”‚  - Timestamp from first signing                  β”‚  β”‚ β”‚
    β”‚  β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚ β”‚
    β”‚  β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚ β”‚
    β”‚  β”‚  β”‚ Padding (0-7 bytes for 8-byte alignment)         β”‚  β”‚ β”‚
    β”‚  β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚ β”‚
    β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚
    β”‚                                                             β”‚
    β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ ◄── Second Authority
    β”‚  β”‚           WIN_CERTIFICATE Structure #2                 β”‚ β”‚
    β”‚  β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚ β”‚
    β”‚  β”‚  β”‚ dwLength (4 bytes)     = Size of structure #2    β”‚  β”‚ β”‚
    β”‚  β”‚  β”‚ wRevision (2 bytes)    = 0x0200                  β”‚  β”‚ β”‚
    β”‚  β”‚  β”‚ wCertificateType (2 bytes) = 0x0002 (PKCS#7)     β”‚  β”‚ β”‚
    β”‚  β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚ β”‚
    β”‚  β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚ β”‚
    β”‚  β”‚  β”‚    PKCS#7 SignedData from source2.efi            β”‚  β”‚ β”‚
    β”‚  β”‚  β”‚  - Complete, independent PKCS#7 structure        β”‚  β”‚ β”‚
    β”‚  β”‚  β”‚  - Includes cert chain from second signer        β”‚  β”‚ β”‚
    β”‚  β”‚  β”‚  - Timestamp from second signing                 β”‚  β”‚ β”‚
    β”‚  β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚ β”‚
    β”‚  β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚ β”‚
    β”‚  β”‚  β”‚ Padding (0-7 bytes for 8-byte alignment)         β”‚  β”‚ β”‚
    β”‚  β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚ β”‚
    β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚
    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                             END OF FILE
    
    Note: The security directory Size field =
          (WIN_CERTIFICATE #1 total size) + (WIN_CERTIFICATE #2 total size)
    

    For details on how to complete these options and their meaning refer to CONTRIBUTING.md.

    • Impacts functionality?
    • Impacts security?
    • Breaking change?
    • Includes tests?
    • Includes documentation?

    How This Was Tested

    Multi signed binary was executed in the following conditions

    w/ nested signature (Microsoft OID) (--nested argument)

    Only primary signature is checked, secondary signature fails

    1. With SB disabled, binary passes validation
    2. With SB enabled
      2.1 DB with 2011 CA & 2023 CA - multi-signed image passes
      2.2 DB with 2011 CA - multi-signed image passes
      2.3 DB with 2023 CA - multi-signed image fails

    Windows can verify this image using standard tooling.

    w/ multiple win_certificates (not spec defined)

    1. With SB disabled, binary passes validation
    2. With SB enabled
      2.1 DB with 2011 CA & 2023 CA - multi-signed image passes
      2.2 DB with 2011 CA - multi-signed image passes
      2.3 DB with 2023 CA - multi-signed image passes

    Windows cannot verify this using standard tooling.

    Integration Instructions

    N/A




  • ...
Read more

v1.6.1-signed

Choose a tag to compare

@Flickdm Flickdm released this 24 Oct 18:12

⚠️ IMPORTANT

DBX Info file had regressions that said the latest SVN was 5.0 despite the binary being updated to 7.0. This has been corrected.

What's Changed

Full Changelog: v1.6.0-signed...v1.6.1-signed

v1.6.1

Choose a tag to compare

@Flickdm Flickdm released this 24 Oct 18:09

⚠️ IMPORTANT

DBX Info file had regressions that said the latest SVN was 5.0 despite the binary being updated to 7.0. This has been corrected.

What's Changed

Full Changelog: v1.6.0...v1.6.1