Microsoft, in collaboration with its partners, is preparing to roll out new certificates that will set new trust anchors for Secure Boot, a security feature that prevents unauthorized software from running during the boot process. The new certificates will replace the ones that are set to expire in 2026, and will be available as an optional update starting from February 13, 2024.
Secure Boot is a security feature that was introduced with Windows 8, and is based on the Unified Extensible Firmware Interface (UEFI) standard. It works by verifying the digital signature of any software that runs before Windows, such as firmware drivers, bootloaders, applications, and option ROMs. These signatures are checked against a set of trusted keys stored in the UEFI firmware.
Secure Boot helps protect Windows PCs from rootkits and bootkits, types of malware that modify the boot sequence and thereby evade detection by antivirus software. Secure Boot is one layer of Microsoft’s Trusted Boot security architecture, alongside Trusted Boot, Early Launch Anti-Malware (ELAM), and Measured Boot.
How will Microsoft update the Secure Boot keys?
Microsoft, along with its original equipment manufacturer (OEM) partners and the UEFI Forum, will update the Secure Boot keys in phases, starting from February 13, 2024. The entries that will be updated are the Key Exchange Key (KEK), the Allowed Signature Database (DB), and the Disallowed Signature Database (DBX). Together these control which software that runs before Windows is trusted and which has been revoked.
The first update will add the Microsoft Windows UEFI CA 2023 to the system DB. This certificate will be used to sign Windows boot components before the expiration of the Windows Production CA 2011. The update will be optional and will require manual installation. Microsoft plans to make the update mandatory during the April 2024 servicing and preview updates.
The second update will replace the UEFI CA 2011 and the Microsoft Corporation KEK CA 2011 with new certificates. These certificates are used to sign third-party software that runs on Windows PCs, such as Linux distributions. The update will begin in late 2024 and will be mandatory.
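A defender-side check for the phased updates described above, written as an added example rather than code from the article: it reads a Secure Boot variable with the built-in `Get-SecureBootUEFI` cmdlet, walks the EFI_SIGNATURE_LIST structures it returns, and reports whether the Windows UEFI CA 2023 that the first update adds is already present in DB. The `$Variable` parameter, the entry layout printed, and the subject-string match on "Windows UEFI CA 2023" are assumptions of this example, not details from the article.

```powershell
# Added example (not from the article): list the entries in a Secure Boot variable (db by default)
# by parsing the EFI_SIGNATURE_LIST structures that Get-SecureBootUEFI returns, then check whether
# the Windows UEFI CA 2023 from the first-phase update is present. Run from an elevated prompt.
param([ValidateSet('db', 'dbx', 'KEK', 'PK')][string]$Variable = 'db')

$EfiCertX509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID (DER certificates)
$EfiCertSha256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID (hash entries)

if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled on this system.' }
$bytes   = [byte[]](Get-SecureBootUEFI -Name $Variable).Bytes
$entries = @()
$offset  = 0
while ($offset + 28 -le $bytes.Length) {
    # EFI_SIGNATURE_LIST header: SignatureType GUID(16) | ListSize(4) | HeaderSize(4) | SignatureSize(4)
    $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
    $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
    $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
    $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
    if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list: stop rather than loop forever
    $pos = $offset + 28 + $headerSize
    $end = [Math]::Min($offset + $listSize, $bytes.Length)
    while ($pos + $sigSize -le $end) {
        # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) | SignatureData(SignatureSize - 16)
        $data = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
        if ($type -eq $EfiCertX509) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
            $entries += [pscustomobject]@{ Kind = 'X509'; Value = $cert.Subject; NotAfter = $cert.NotAfter }
        } elseif ($type -eq $EfiCertSha256) {
            $hash = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
            $entries += [pscustomobject]@{ Kind = 'SHA256'; Value = $hash; NotAfter = $null }
        }
        $pos += $sigSize
    }
    $offset = $end
}

$entries | Format-Table -AutoSize
# Check for the first-phase update: has the 2023 Windows UEFI CA been added to db yet?
if ($Variable -eq 'db') {
    if ($entries.Value -match 'Windows UEFI CA 2023') { 'Windows UEFI CA 2023 is present in db.' }
    else { 'Windows UEFI CA 2023 is NOT present in db; the first-phase DB update has not been applied.' }
}
```

Running it with `-Variable KEK` before and after the second-phase update shows whether the Microsoft Corporation KEK CA 2011 has been replaced, and the NotAfter column makes the 2026 expiry of the 2011-era certificates visible on the device itself.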
What are the benefits and risks of the update?
The update will ensure that Secure Boot continues to function properly and securely after the expiration of the current certificates in 2026. The update will also enhance the capabilities of the Secure Boot feature and improve the compatibility and performance of the software that runs before Windows.
However, the update also poses some risks and challenges. The update may cause some devices to become unbootable or unreceptive to the DB update, due to bugs in the firmware implementation or configuration. The update may also affect some software that relies on the current certificates, such as custom bootloaders or drivers. Microsoft advises users to back up their data and BitLocker keys before applying the update, and to contact their OEM or software vendor for support if they encounter any issues.