On 11/5/24 9:46 AM, Doug Flick via groups.io wrote:
Hey Rebecca!
We actually have the following repo on github/secureboot_objects
<https://github.com/microsoft/secureboot_objects> where you can get
Secure Boot default releases and ask questions directly to the team
that manages secure boot at Microsoft.
To answer your question,
The 2011 certificates are expiring in 2026 so we're beginning a
transition away from them.
The expiring certificates are:
|DB: Microsoft Windows Production PCA 2011 DB: Microsoft Corporation
UEFI CA 2011 (Third Party) KEK: Microsoft Corporation KEK CA 2011 |
The new certificates are:
|DB: Windows UEFI CA 2023 DB: Microsoft UEFI CA 2023 (Third Party) DB:
Microsoft Option ROM UEFI CA 2023 (Only Option Roms (New behavior
meant to improve configurability)) KEK: Microsoft Corporation KEK 2K
CA 2023 |
Right now the guidance is to include both sets of certificates to
provide the most compatibility during the transition and then at a
point further in the future we'll begin remove the 2011 certificates
from the default.
Thanks! I was wondering if you know whether anyone's considered adding
the repo as a submodule of edk2, probably somewhere under CryptoPkg?
--
Rebecca
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#120759): https://edk2.groups.io/g/devel/message/120759
Mute This Topic: https://groups.io/mt/109402104/21656
Group Owner: devel+ow...@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
