It means that during image verification, the boot component that was being verified against failed due to either a missing signature or the certificate or hash having been added to the DBX.
Are you running Windows or Linux?
Sadly I do think there is a bit of nuance here. Most systems are based on EDK2 and specifically
github.com/tianocore/ed...
This is "secure boot".
Now, an OEM is free to re-implement this however they want, and if they did, I can't confirm they won't have an issue, and they should be testing this.
In practice, firmware does not care about the expiration date and if your system has the trust anchor already it will continue to boot just fine.
Just without the new CA you won't be able to install updates to the signed boot loader and installation media might be a pain.
All it means is that the HSM that stores the key will be unable to sign *new* things.
That CA is used to sign Linux / Option ROMs (graphics cards, NICs, etc.); however, there are additional CAs. LVFS is already working to update systems with the new CA.
github.com/microsoft/se...
I sent you a message on Teams!
02.12.2024 22:26
I think that should be a relatively easy change. I don't have any personal attachment to those names other than that those are the names they were given upstream from me. 🙃
27.11.2024 08:04
Hey, I just saw your email and I'll respond to you as soon as I can! The quick answer is the payloads on uefi.org are fully formed authenticated variables, which are great for an operating system but bad for UEFI. github.com/microsoft/se... the releases here don't have those signatures!
27.11.2024 02:15
After spending the last few years learning about secure boot - I agree! Let me know if there's anything I can help with!