My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Even Linux users should take a look at this Microsoft KB article.

Published: 2024-08-02. Last Updated: 2024-08-02 20:07:36 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Secure boot has been a standard feature since at least Windows 8. As the name implies, the feature protects the boot process. The integrity of the boot process is ensured by digitally signing any software ("firmware") used during the boot process. As with any digital signature, this process requires the use of certificates to verify the validity of the signatures.

One issue with Secure Boot has been that not all boot loaders are necessarily properly signed, even if they are not malicious. In particular, open-source operating systems like Linux initially had problems with Secure Boot support. However, this has mostly been mitigated with major distributions like Ubuntu and Redhat (among others) supporting Secure Boot.

However, as always, when certificates are involved, there is the possibility of certificates expiring. Microsoft currently relies on certificates known as "Windows Production CA 2011". There are two of them, and as the name implies, this certificate was first used around 2011. Windows 8 was released in 2012. Let's look at one of the two certificate s[1]

% openssl x509 -in MicWinProPCA2011_2011-10-19.crt -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:07:76:56:00:00:00:00:00:08
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
        Validity
            Not Before: Oct 19 18:41:42 2011 GMT
            Not After : Oct 19 18:51:42 2026 GMT
...

It will expire in 2026. Firmware signed before the expiration date will remain valid. So it isn't an issue of system all for sudden not being able to boot come October 19th 2026. But ahead of that date, you will see UEFI firmware that is signed using the new 2023 certificates. Again, lets look at one of the two new certificates [2].

% openssl x509 -in MSFT2026.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            33:00:00:00:1a:88:8b:98:00:56:22:84:c1:00:00:00:00:00:1a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
        Validity
            Not Before: Jun 13 18:58:29 2023 GMT
            Not After : Jun 13 19:08:29 2035 GMT

...

Microsoft included the new certificates in its July update. But the certificates are not installed automatically. You will need to follow the advice in Microsoft article KB5025885.

If you fail to update, future firmware updates may fail. Some articles about this topic make it sound like your systems will fail to boot in Oct 2026. This is not the case. Firmware signatures using the old certificate authority will remain valid as long as they were issued before the certificate authority expired. 

Linux relies on the same certificate hierarchy. A Linux SHIM is used to verify the boot integrity, and it needs to be updated with new certificates. This process is underway, and you should check for updates with your local Linux distribution. They likely already include the new certificates. It is also a good idea to check if your system's firmware is current.

In addition to the Microsoft KB article, there is a good presentation by Microsoft available at UEFI.org:

https://uefi.org/sites/default/files/resources/Evolving%20the%20Secure%20Boot%20Ecosystem_Flick%20and%20Sutherland.pdf

Microsoft has not yet published an "enforcement date" for the new certificate, but expect it to happen sometime next year.

[important: use these links for "entertainment purposes." You should never rely on a shady website like this one to provide critical cryptographic information.]
[1] https://go.microsoft.com/fwlink/?LinkId=321192
[2] https://go.microsoft.com/fwlink/p/?linkid=2239776

 

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Keywords:
1 comment(s)
My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Comments


Diary Archives