efi: add Microsoft UEFI CA 2023 data

Note that there aren't any tests for this yet because as far as we're aware, it hasn't been used to sign anything and so there isn't a signing certificate in the wild from which we can create mock binaries in the way that we test image matching with the 2011 CA.
canonical · May 9, 2024 · 1d802e5 · 1d802e5
1 parent 3b38f56
commit 1d802e5
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/efi/image_rules_defs.go b/efi/image_rules_defs.go
@@ -53,6 +53,28 @@ func makeMicrosoftUEFICASecureBootNamespaceRules() *secureBootNamespaceRules {
 			// pubkey alg
 			x509.RSA,
 		),
+		// TODO(chrisccoulson): add tests for this when we find something that it's
+		// been used to sign and we have a signing certificate in the wild that we
+		// can add to embeds_test.go in order to create a mock shim with it
+		withAuthority(
+			// CN=Microsoft UEFI CA 2023,O=Microsoft Corporation,C=US
+			[]byte{
+				0x30, 0x4e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
+				0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x1e, 0x30, 0x1c, 0x06,
+				0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, 0x4d, 0x69, 0x63, 0x72,
+				0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x43, 0x6f, 0x72, 0x70,
+				0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x31, 0x1f, 0x30,
+				0x1d, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x16, 0x4d, 0x69,
+				0x63, 0x72, 0x6f, 0x73, 0x6f, 0x66, 0x74, 0x20, 0x55, 0x45,
+				0x46, 0x49, 0x20, 0x43, 0x41, 0x20, 0x32, 0x30, 0x32, 0x33,
+			},
+			[]byte{
+				0x81, 0xaa, 0x6b, 0x32, 0x44, 0xc9, 0x35, 0xbc, 0xe0, 0xd6,
+				0x62, 0x8a, 0xf3, 0x98, 0x27, 0x42, 0x1e, 0x32, 0x49, 0x7d,
+			},
+			// pubkey alg
+			x509.RSA,
+		),
 		withSelfSignedSignerOnlyForTesting(
 			// O = Snake Oil
 			[]byte{