
Secure Boot: Microsoft updates certificates to address vulnerabilities

The impact of Secure Boot certificate revocation and Microsoft's mitigation strategies

Microsoft will update Secure Boot certificates to address vulnerabilities, potentially rendering older Windows bootloaders unusable. The updates will be distributed via Windows Update, but may cause problems, also requiring UEFI BIOS updates to recognize the new certificates.

Secure Boot, an integral part of the UEFI specification, is designed to prevent unauthorized software from running when the system starts. This technology requires your PC to use a UEFI BIOS instead of the old legacy BIOS. With Secure Boot enabled, UEFI firmware only transfers control to bootloaders signed with a certificate stored in the BIOS firmware, which is generally provided by Microsoft, even for Linux bootloaders through the shim component. However, vulnerabilities discovered in 2023 allowed bootkits like BlackLotus to disable protection, rendering Secure Boot ineffective. Microsoft has therefore decided to revoke the certificate used so far to sign Windows bootloaders, requiring new bootloaders signed with a new certificate to be updated in each machine's UEFI firmware.

Microsoft decisions and future impacts

To contain the vulnerabilities, Microsoft announced the revocation of the current certificate for Secure Boot-compatible Windows bootloaders. As a result, new bootloaders will need to be signed with a new certificate, which will need to be recognized by the updated UEFI BIOS. This mechanism will be handled primarily through Windows Update, using the UEFI UpdateCapsule feature to securely update the UEFI BIOS-side certificate database (DBX). However, there are already concerns that this complex operation could run into problems, especially because some security software may prevent the update, and not all firmware may correctly apply the new certificate.

Check the certificates in the UEFI BIOS

Windows does not offer a built-in tool to verify UEFI BIOS-level certificates. You can use PowerShell commands to install a cmdlet and retrieve this information yourself. By using the Install-Module -Name UEFIv2, Set-ExecutionPolicy -ExecutionPolicy RemoteSigned, and Import-Module UEFIv2 commands, you can prepare the environment for extracting certificates. Next, commands like Get-UEFISecureBootCerts DB | fl > $env:USERPROFILE\certificati.txt allow you to save certificates in a text file, which can be opened with Windows Notepad. This allows you to check which certificates are currently stored in your system's UEFI BIOS.
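As an added example (not code from the article, and not the UEFIv2 module it describes), the same DB/DBX inspection can be done with the SecureBoot module that ships with Windows: Get-SecureBootUEFI returns the raw variable bytes, and the function below parses the EFI_SIGNATURE_LIST structures from the UEFI specification to list the trusted X.509 CAs and the revoked SHA-256 hashes. It assumes an elevated PowerShell on a UEFI machine with Secure Boot support; the two GUID constants are the spec's EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID.

```powershell
# Added example, not from the article: parse Secure Boot DB/DBX with the
# built-in SecureBoot module instead of an extra cmdlet. Run elevated.
$EfiCertX509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # EFI_CERT_X509_GUID
$EfiCertSha256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'  # EFI_CERT_SHA256_GUID

function Get-SecureBootSignatureEntries {
    param([Parameter(Mandatory)][ValidateSet('PK','KEK','db','dbx')][string]$Name)
    [byte[]]$raw = (Get-SecureBootUEFI -Name $Name).Bytes
    $pos = 0
    # Each list: SignatureType GUID(16) | ListSize(4) | HeaderSize(4) | SignatureSize(4)
    while ($pos + 28 -le $raw.Length) {
        $type     = [guid]::new([byte[]]$raw[$pos..($pos + 15)])
        $listSize = [BitConverter]::ToUInt32($raw, $pos + 16)
        $hdrSize  = [BitConverter]::ToUInt32($raw, $pos + 20)
        $sigSize  = [BitConverter]::ToUInt32($raw, $pos + 24)
        if ($listSize -lt 28 -or $sigSize -lt 16) { break }   # malformed list: stop parsing
        $end   = [Math]::Min($pos + $listSize, $raw.Length)
        $entry = $pos + 28 + $hdrSize
        # Each entry: SignatureOwner GUID(16) | SignatureData(SignatureSize - 16)
        while ($entry + $sigSize -le $end) {
            $owner = [guid]::new([byte[]]$raw[$entry..($entry + 15)])
            $data  = [byte[]]$raw[($entry + 16)..($entry + $sigSize - 1)]
            $item  = [pscustomobject]@{ Variable=$Name; Owner=$owner; Kind='other'; Subject=$null; NotAfter=$null; Sha256=$null }
            if ($type -eq $EfiCertX509) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $item.Kind = 'x509'; $item.Subject = $cert.Subject; $item.NotAfter = $cert.NotAfter
            } elseif ($type -eq $EfiCertSha256) {
                $item.Kind = 'sha256'; $item.Sha256 = [BitConverter]::ToString($data).Replace('-','').ToLower()
            }
            $item
            $entry += $sigSize
        }
        $pos = $end
    }
}

# CA certificates the firmware currently trusts, with their expiry dates
$db = Get-SecureBootSignatureEntries -Name db | Where-Object Kind -eq 'x509'
$db | Format-Table Subject, NotAfter -AutoSize
# The CA the article says is being retired: still present means the new-CA rollout has not landed
if ($db.Subject -match 'Windows Production PCA 2011') {
    "DB still contains Microsoft Windows Production PCA 2011 (expires 2026)."
}
# Number of revoked bootloader hashes currently in DBX
(Get-SecureBootSignatureEntries -Name dbx | Where-Object Kind -eq 'sha256').Count
```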

Verifying the bootloader certificate

To determine which certificate is used to sign the bootloader that loads Windows, you can download the Microsoft Sigcheck utility. On a 64-bit Windows system, you copy the "sigcheck64.exe" file to the "c:\sigcheck" folder and run commands in a PowerShell window with administrator rights. First mount the EFI System Partition as drive U: with mountvol U: /s, then run c:\sigcheck\sigcheck64 -i -h U:\EFI\Boot\Bootx64.efi > $env:USERPROFILE\bootloader_cert.txt to save the signature details to a text file. By analyzing the file, it is discovered that the Microsoft Windows Production PCA 2011 certificate, which expires in 2026, will be replaced by a new one expiring in 2035. It seems that the new Windows 10 and 11 bootloader will have version number 10.0.26089.1001 and expiry 13 June 2035.
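As an added example (not the article's own commands, and not Sigcheck), the same bootloader check can be done with cmdlets built into Windows: mount the EFI System Partition, read the Authenticode signature of the bootloader with Get-AuthenticodeSignature, and walk the signing chain so the CA just above the leaf can be compared with what the firmware DB trusts. It assumes an elevated PowerShell and that drive letter U: is free; the function name and the bootloader path default are the author's choices from the article.

```powershell
# Added example, not from the article: bootloader signer chain and file
# version via built-in cmdlets. Run elevated; U: must be an unused letter.
function Get-BootloaderSignerChain {
    param([string]$BootloaderPath = 'U:\EFI\Boot\Bootx64.efi')
    mountvol U: /s                     # mount the ESP (hidden, no drive letter by default)
    try {
        $sig = Get-AuthenticodeSignature -FilePath $BootloaderPath
        if ($null -eq $sig.SignerCertificate) {
            throw "No Authenticode signature on $BootloaderPath (status: $($sig.Status))"
        }
        $fileVersion = (Get-Item $BootloaderPath).VersionInfo.FileVersion
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline inspection, no CRL fetch
        $null = $chain.Build($sig.SignerCertificate)    # elements are filled even if Build returns $false
        # Leaf first, root last: the issuing CA (second element) is what must be in the firmware DB
        $chain.ChainElements | ForEach-Object {
            [pscustomobject]@{
                Subject     = $_.Certificate.Subject
                NotAfter    = $_.Certificate.NotAfter
                Thumbprint  = $_.Certificate.Thumbprint
                FileVersion = $fileVersion
                FileStatus  = $sig.Status
            }
        }
    } finally {
        mountvol U: /d                 # always unmount the ESP again
    }
}

Get-BootloaderSignerChain | Format-Table Subject, NotAfter, FileVersion, FileStatus -AutoSize
```

A bootloader still chained to Microsoft Windows Production PCA 2011 is one that will be affected once that certificate is revoked from the firmware.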


06/08/2024 08:09

Marco Verro
