Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

What does MS KB5025885 mean - have to update to a new shim or have MS resign existing? #680

Closed
TBOpen opened this issue Aug 12, 2024 · 1 comment

Comments

@TBOpen
Copy link

TBOpen commented Aug 12, 2024

They are black listing "Windows Production CA 2011" which is what they signed with just this past year. Do we need to update shim or only send the binary back to MS to be signed with the new CA 2023 version?

https://support.microsoft.com/en-us/topic/kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#bkmk_mitigation_guidelines

@justinkb
Copy link

$ sbverify -l shimx64.efi
warning: data remaining[823272 vs 949424]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root

it's signed with Microsoft Corporation UEFI CA 2011, not Windows Production CA 2011, there shouldn't be any issue, AFAIK Microsoft Corporation UEFI CA 2011 isn't being blacklisted

@TBOpen TBOpen closed this as completed Aug 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants