Hi,

> (I believe on a UEFI Secure Boot VM it's shown)

The default secure boot variable store template shipped by Fedora has included the 2023 keys for roughly one year, so VMs younger than that and fresh installs should have them.

> For instance, my device, a Dell laptop, for which fwupd recognizes:
> the firmware (which I update via a built in Bios flash utility), the
> dbx (updated via fwupd) and a mysterious "Dell Platform Key", which
> might be Microsoft's certificate along with some other Dell stuff.

The update is a two-step process. First enroll the new Microsoft KEK key, which needs a signature with the platform keys of the vendor. Microsoft has published tons of updates for various vendors here:

https://github.com/microsoft/secureboot_objects/tree/main/PostSignedObjects/KEK

Second enroll the new Microsoft db keys, with the update being signed with the new Microsoft KEK key.

fwupd should be able to handle both updates. I'm not sure whether that is live already or still in the testing phase.

If you are up for experiments you can try applying the updates manually using the signed files from the repo listed above. efi-updatevar (efitools.rpm) should be able to do it.

The problem with that is not so much Linux, but that a KEK update has never happened before, so there are chances that BIOS vendors messed things up and updating the KEK doesn't work. Also not sure how well older hardware is covered.

take care,
  Gerd
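A read-only check of which of the two steps described above a machine still needs, as an added example that is not part of the original message: it parses the EFI_SIGNATURE_LIST contents of the KEK and db variables from efivarfs and makes no changes. The certificate common names, the efivarfs path, the substring match on the raw DER data, the rule that db counts as updated only when both listed certificates are present, and all function names are assumptions of this example.

```python
import struct
import uuid
from pathlib import Path

# EFI_CERT_X509_GUID: lists of this type carry DER-encoded X.509 certificates.
X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFIVARS = "/sys/firmware/efi/efivars/"  # assumes Linux with efivarfs mounted
FILES = ("KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c",
         "db-d719b2cb-3d3a-4596-a3bc-dad00e67656f")
# Subject CNs of the 2023 certificates; assumed here, not named in the message.
KEK_2023 = b"Microsoft Corporation KEK 2K CA 2023"
DB_2023 = (b"Windows UEFI CA 2023", b"Microsoft UEFI CA 2023")


def x509_entries(data):
    """Yield the DER bytes of each X.509 entry in concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(data):
        if off + 28 > len(data):
            raise ValueError("truncated list header at offset %d" % off)
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body, end = off + 28 + hdr_size, off + list_size
        if sig_size < 16 or body > end or end > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        if uuid.UUID(bytes_le=data[off:off + 16]) == X509:
            for pos in range(body, end - sig_size + 1, sig_size):
                yield data[pos + 16:pos + sig_size]  # skip SignatureOwner GUID
        off = end


def next_step(kek, db):
    """Return the step of the two-step update that is still outstanding."""
    if not any(KEK_2023 in cert for cert in x509_entries(kek)):
        return "enroll-kek"
    certs = list(x509_entries(db))
    if not all(any(cn in cert for cert in certs) for cn in DB_2023):
        return "enroll-db"
    return "done"


def make_esl(*blobs):
    """Build one X.509 signature list per blob (constructed sample data only)."""
    return b"".join(X509.bytes_le + struct.pack("<III", 44 + len(b), 0, 16 + len(b))
                    + bytes(16) + b for b in blobs)


if __name__ == "__main__":
    kek, db = (Path(EFIVARS, n).read_bytes()[4:] for n in FILES)  # skip 4 attr bytes
    print(next_step(kek, db))
```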