Microsoft's Secure Boot, a critical security feature introduced with Windows 8, is undergoing significant updates to its certificate infrastructure to maintain system integrity and trustworthiness. This initiative addresses the impending expiration of existing certificates and enhances defenses against emerging threats.
Understanding Secure Boot and Its Certificate Hierarchy
Secure Boot operates within the Unified Extensible Firmware Interface (UEFI) to ensure that only trusted software is executed during the system's startup process. It achieves this by verifying the digital signatures of boot components against a set of trusted certificates stored in the UEFI firmware. This mechanism is pivotal in preventing unauthorized code, such as rootkits and bootkits, from compromising the boot sequence.

The trust model of Secure Boot is built upon a hierarchical structure of certificates:
- Platform Key (PK): Managed by the Original Equipment Manufacturer (OEM), the PK authorizes updates to the Key Exchange Key (KEK) database.
- Key Exchange Key (KEK): This key signs updates to both the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX).
- Allowed Signature Database (DB): Contains trusted certificates for bootloader modules.
- Forbidden Signature Database (DBX): Lists revoked or untrusted boot components.

The Microsoft-issued certificates that currently occupy these databases, and whose expiration this update addresses, are:
- Microsoft Corporation KEK CA 2011: Stored in the KEK database.
- Microsoft Windows Production PCA 2011: Signs the Windows bootloader and resides in the DB.
- Microsoft UEFI CA 2011: Also stored in the DB, it signs third-party OS and hardware driver components.
The Impending Certificate Expiration and Microsoft's Response
The expiration of the aforementioned certificates poses a significant risk: devices relying on these certificates may fail to boot securely post-expiration. To mitigate this, Microsoft, in collaboration with ecosystem partners, has initiated a phased rollout of replacement certificates to establish new UEFI Certificate Authority (CA) trust anchors.

Introduction of New Certificates
Microsoft is introducing the following new certificates:
- Microsoft Windows UEFI CA 2023: This certificate will replace the expiring Microsoft Windows Production PCA 2011 and will be used to sign Windows boot components.
- Microsoft UEFI CA 2023: Intended to replace the Microsoft UEFI CA 2011, it will sign third-party OS and hardware driver components.
- Microsoft Corporation KEK CA 2023: This will succeed the Microsoft Corporation KEK CA 2011 and will be stored in the KEK database.
Phased Deployment Strategy
The deployment of these new certificates is structured to minimize disruptions:
- February 2024: An optional servicing update introduced the Microsoft Windows UEFI CA 2023 to the system DB. This update required manual application and was aimed at validating device and firmware compatibility.
- April 2024: A controlled rollout of the DB update commenced, targeting a broader range of devices ahead of the 2026 certificate expiration.
- Late 2024: Efforts to update the Microsoft UEFI CA 2011 and Microsoft Corporation KEK CA 2011 began, following a similar controlled rollout process.
Implications for Users and Administrators
The transition to new Secure Boot certificates carries several implications:
- System Security: Updating to the new certificates is crucial for maintaining the integrity of the boot process and protecting against vulnerabilities like the BlackLotus UEFI bootkit, which exploits weaknesses in Secure Boot.
- Device Compatibility: Not all devices may seamlessly accept the new certificates due to firmware limitations. It's essential to test updates on representative devices within an organization to ensure compatibility.
- Manual Intervention: Some updates require manual steps, such as modifying registry settings and executing specific commands. Administrators should be prepared to perform these actions and provide guidance to end-users as needed.
- BitLocker Considerations: For devices utilizing BitLocker, it's imperative to back up recovery keys before applying updates. This precaution ensures data accessibility in case of boot issues post-update.
Steps to Apply the Secure Boot DB Update
To apply the Secure Boot DB update, follow these steps:
- Install the February 2024 (or later) security update.
- Open PowerShell as an administrator and execute the following commands:
Code:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x40
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
- Restart the device twice to ensure the update is applied.
- Verify the update by running:
Code:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
A return value of True indicates a successful update.
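The one-line check above greps the raw variable bytes for an ASCII string. As an added example (not from the Microsoft Support article), the following PowerShell script instead parses the EFI_SIGNATURE_LIST structures in the DB and KEK variables, lists every X.509 certificate with its expiry date, and reports whether the 2023 CAs named in this article are present, together with the AvailableUpdates value the procedure sets. It assumes an elevated session on a UEFI system with Secure Boot enabled; the function names are hypothetical.

```powershell
# Added example, not Microsoft's code. Run elevated on a UEFI device with Secure Boot on.

# Walk the EFI_SIGNATURE_LIST entries of a Secure Boot variable and return one
# record per X.509 certificate it carries (structured parse, not a byte grep).
function Get-SecureBootCertificate {
    param([Parameter(Mandatory)][ValidateSet('db','dbx','KEK','PK')][string]$Name)
    $x509Type = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # Header: SignatureType GUID (16), SignatureListSize, SignatureHeaderSize, SignatureSize
        $type     = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }  # malformed list
        if ($type -eq $x509Type -and $sigSize -gt 16) {
            $pos = $offset + 28 + $hdrSize
            while ($pos + $sigSize -le $offset + $listSize) {
                # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID followed by the DER certificate
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{ Variable = $Name; Subject = $cert.Subject
                                   NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

# Report whether the 2023 CAs are present and show the AvailableUpdates value
# (the update procedure sets it to 0x40 before starting the scheduled task).
function Test-SecureBoot2023Readiness {
    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not enabled on this device.' }
    $certs = @(Get-SecureBootCertificate -Name db) + @(Get-SecureBootCertificate -Name KEK)
    $certs | Sort-Object Variable, NotAfter | Format-Table Variable, Subject, NotAfter -AutoSize | Out-Host
    # Subject patterns follow the certificate names used in the article; the KEK match is deliberately loose.
    $expected = @(
        @{ Variable = 'db';  Pattern = 'Windows UEFI CA 2023' },
        @{ Variable = 'db';  Pattern = 'Microsoft UEFI CA 2023' },
        @{ Variable = 'KEK'; Pattern = 'KEK.*CA 2023' }
    )
    foreach ($e in $expected) {
        $found = [bool]($certs | Where-Object { $_.Variable -eq $e.Variable -and $_.Subject -match $e.Pattern })
        '{0,-4} {1,-25} present: {2}' -f $e.Variable, $e.Pattern, $found
    }
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' -Name AvailableUpdates -ErrorAction SilentlyContinue
    if ($reg) { 'AvailableUpdates: 0x{0:X}' -f $reg.AvailableUpdates } else { 'AvailableUpdates: not set' }
}

Test-SecureBoot2023Readiness
```

Run it before the update to record a baseline of DB and KEK contents, and again after the two restarts to confirm the new CAs landed.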
Conclusion
The proactive update of Secure Boot certificates is a critical measure to maintain the security and functionality of Windows devices. By understanding the certificate hierarchy, recognizing the implications of certificate expiration, and following the prescribed update procedures, users and administrators can ensure a smooth transition to the new trust anchors. Staying informed and vigilant during this process is essential to safeguard systems against potential vulnerabilities and maintain operational integrity.

Source: Microsoft Support, "Windows Secure Boot certificate expiration and CA updates"