v1.6.2-signed

⚠️ IMPORTANT

No major security fixes.

1. Additional KEKs provided by ASUS have been submitted
2. A script to perform Multi Signature support for Secure Boot has been added
3. Updates to Make2023BootableMedia.ps1 and updating the signed version

What's Changed

• pip: bump ruff from 0.14.1 to 0.14.2 by @dependabot[bot] in #282
• Script to perform UEFI multi signatures by @Flickdm in #270
• pip: bump ruff from 0.14.2 to 0.14.3 by @dependabot[bot] in #283
• [Secure Boot KEK Update] ASUS PK-Signed KEK Update by @ChengAn0519 in #284
• Fix issue with ARM64 media, FAT32 USB handling and several other updates by @ballsop in #285
• [Secure Boot KEK Update] ASUS PK-Signed KEK Update by @ChengAn0519 in #287

New Contributors

• @ChengAn0519 made their first contribution in #284
• @ballsop made their first contribution in #285

Full Changelog: v1.6.1-signed...v1.6.2-signed

v1.6.2

⚠️ IMPORTANT

No major security fixes.

1. Additional KEKs provided by ASUS have been submitted
2. A script to perform Multi Signature support for Secure Boot has been added
3. Updates to Make2023BootableMedia.ps1 and updating the signed version

What's Changed

• [Secure Boot KEK Update] ASUS PK-Signed KEK Update @ChengAn0519 (#287)
  
  Change Details

    ## OEM Certificate Submission

  OEM Name: ASUS
  Contact Email: ChengAn_Chiu@asus.com

  Certificate Details

  • Platform Key Thumbprint: 3BEF0726985C1C38CBA54C48A4B2B6EB281D9EE524CA7E1C8D6EE23942896F9A
  • Expiration Date: 2040-01-01

  Testing Completed

  • Windows validation
  • Linux validation

  Security Review

  • No known security issues

  Additional Notes

  Platform Key Thumbprint SHA1:EABCB3D43C0F3353F6396E297A8CBC4EF5F2AD39
  

  
  

  ---

  
  

• Fix issue with ARM64 media, FAT32 USB handling and several other updates @ballsop (#285)
  
  Change Details

    ## Description

  • Fixed issue with ARM64 media being handled as X64 media.
  • FAT32 USB key generation improvements.
  • No longer need to install ADK if not generating ISO images
  • Added DebugOn parameter to easily turn on extra logging output
  • A number of improvements to parameter handling
  • Misc tweaks and optimizations

  How This Was Tested

  • Large number of iterations against current and old media images, including ARM64 media.

    </blockquote>
    <hr>
    

• [Secure Boot KEK Update] ASUS PK-Signed KEK Update @ChengAn0519 (#284)
  
  Change Details

    ## OEM Certificate Submission

  OEM Name: ASUS
  Contact Email: ChengAn_Chiu@asus.com

  Certificate Details

  • Platform Key Thumbprint: 3F7AD0C7F6D52E501D885A312B232A739EA44709844DA4002EAE5A005A3ABAEF
  • Expiration Date: 2043-11-14

  Testing Completed

  • Windows validation
  • Linux validation

  Security Review

  • No known security issues

  Additional Notes

  Platform Key Thumbprint SHA1:131A78741E5D4152489B838ED8F717FB167D6888
  

  
  

  ---

  
  

• Script to perform UEFI multi signatures @Flickdm (#270)
  
  Change Details

    ## Description

  As the ecosystem is marching towards certificate key expiry, we must standardize and document
  how multiple signatures are expected to work. This PR implements a python script that can take
  two signed binaries and output a third "multi" signed binary.

  It does not appear that the windows authenticode specification dictates how multi-signatures
  are expected to be implemented. In that absence, EDK2 chose to implement multi-signatures
  using multiple WIN_CERTIFICATES according to the PE/COFF specification.
  The UEFI specification describes this as:

  Multiple signatures are allowed to exist in the binary’s certificate table (as per PE/COFF Section “Attribute Certificate Table”). 
  

  This PR implements the code to perform the binary manipulation to get the multi signed
  binary in the correct format to be validated by EDK2.

  Additionally, this scripts supports "--nested" which is similar to the "/as" command by SignTool.
  UEFI does not appear to support this today.

  UEFI Style Multi-Signature

  ┌─────────────────────────────────────────────────────────────┐
  │                    DOS Header (64 bytes)                    │
  │  Offset 0x3C: PE Header offset                              │
  └─────────────────────────────────────────────────────────────┘
  │                    DOS Stub                                 │
  └─────────────────────────────────────────────────────────────┘
  │                    PE Signature "PE\0\0"                    │
  └─────────────────────────────────────────────────────────────┘
  │                    COFF Header (20 bytes)                   │
  └─────────────────────────────────────────────────────────────┘
  │                    Optional Header                          │
  │  ┌─────────────────────────────────────────────────────┐    │
  │  │  Magic: 0x010B (PE32) or 0x020B (PE32+)             │    │
  │  │  ... other fields ...                               │    │
  │  │                                                     │    │
  │  │  Data Directories                                   │    │
  │  │  ┌──────────────────────────────────────────────┐   │    │
  │  │  │ [4] Security Directory ◄─────────────────────┼───┼────┼──┐
  │  │  │     VirtualAddress: 0xNNNN (file offset)     │   │    │  │
  │  │  │     Size: SSSS bytes (LARGER than source!)   │   │    │  │
  │  │  └──────────────────────────────────────────────┘   │    │  │
  │  └─────────────────────────────────────────────────────┘    │  │
  └─────────────────────────────────────────────────────────────┘  │
  │                    Section Headers                          │  │
  └─────────────────────────────────────────────────────────────┘  │
  │                    .text Section (IDENTICAL to sources)     │  │
  └─────────────────────────────────────────────────────────────┘  │
  │                    .data Section (IDENTICAL to sources)     │  │
  └─────────────────────────────────────────────────────────────┘  │
  │                    .reloc Section (IDENTICAL to sources)    │  │
  └─────────────────────────────────────────────────────────────┘  │
  │                    ... other sections ...                   │  │
  └─────────────────────────────────────────────────────────────┘  │
  │                                                             │  │
  │  ┌────────────────────────────────────────────────────────┐ │◄─┘
  │  │           WIN_CERTIFICATE Structure #1                 │ │ ◄── First Authority
  │  │  ┌──────────────────────────────────────────────────┐  │ │
  │  │  │ dwLength (4 bytes)     = Size of structure #1    │  │ │
  │  │  │ wRevision (2 bytes)    = 0x0200                  │  │ │
  │  │  │ wCertificateType (2 bytes) = 0x0002 (PKCS#7)     │  │ │
  │  │  └──────────────────────────────────────────────────┘  │ │
  │  │  ┌──────────────────────────────────────────────────┐  │ │
  │  │  │    PKCS#7 SignedData from source1.efi            │  │ │
  │  │  │  - Complete, independent PKCS#7 structure        │  │ │
  │  │  │  - Includes cert chain from first signer         │  │ │
  │  │  │  - Timestamp from first signing                  │  │ │
  │  │  └──────────────────────────────────────────────────┘  │ │
  │  │  ┌──────────────────────────────────────────────────┐  │ │
  │  │  │ Padding (0-7 bytes for 8-byte alignment)         │  │ │
  │  │  └──────────────────────────────────────────────────┘  │ │
  │  └────────────────────────────────────────────────────────┘ │
  │                                                             │
  │  ┌────────────────────────────────────────────────────────┐ │ ◄── Second Authority
  │  │           WIN_CERTIFICATE Structure #2                 │ │
  │  │  ┌──────────────────────────────────────────────────┐  │ │
  │  │  │ dwLength (4 bytes)     = Size of structure #2    │  │ │
  │  │  │ wRevision (2 bytes)    = 0x0200                  │  │ │
  │  │  │ wCertificateType (2 bytes) = 0x0002 (PKCS#7)     │  │ │
  │  │  └──────────────────────────────────────────────────┘  │ │
  │  │  ┌──────────────────────────────────────────────────┐  │ │
  │  │  │    PKCS#7 SignedData from source2.efi            │  │ │
  │  │  │  - Complete, independent PKCS#7 structure        │  │ │
  │  │  │  - Includes cert chain from second signer        │  │ │
  │  │  │  - Timestamp from second signing                 │  │ │
  │  │  └──────────────────────────────────────────────────┘  │ │
  │  │  ┌──────────────────────────────────────────────────┐  │ │
  │  │  │ Padding (0-7 bytes for 8-byte alignment)         │  │ │
  │  │  └──────────────────────────────────────────────────┘  │ │
  │  └────────────────────────────────────────────────────────┘ │
  └─────────────────────────────────────────────────────────────┘
                           END OF FILE
  
  Note: The security directory Size field =
        (WIN_CERTIFICATE #1 total size) + (WIN_CERTIFICATE #2 total size)
  

  For details on how to complete these options and their meaning refer to CONTRIBUTING.md.

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?

  How This Was Tested

  Multi signed binary was executed in the following conditions

  w/ nested signature (Microsoft OID) (--nested argument)

  Only primary signature is checked, secondary signature fails

  1. With SB disabled, binary passes validation
  2. With SB enabled
     2.1 DB with 2011 CA & 2023 CA - multi-signed image passes
     2.2 DB with 2011 CA - multi-signed image passes
     2.3 DB with 2023 CA - multi-signed image fails

  Windows can verify this image using standard tooling.

  w/ multiple win_certificates (not spec defined)

  1. With SB disabled, binary passes validation
  2. With SB enabled
     2.1 DB with 2011 CA & 2023 CA - multi-signed image passes
     2.2 DB with 2011 CA - multi-signed image passes
     2.3 DB with 2023 CA - multi-signed image passes

  Windows cannot verify this using standard tooling.

  Integration Instructions

  N/A
  

  
  

  ---

  
  

...

v1.6.1-signed

⚠️ IMPORTANT

DBX Info file had regressions that said the latest SVN was 5.0 despite the binary being updated to 7.0. This has been corrected.

What's Changed

• pip: bump edk2-pytool-library from 0.23.8 to 0.23.10 by @dependabot[bot] in #275
• pip: bump ruff from 0.14.0 to 0.14.1 by @dependabot[bot] in #276
• pip: bump edk2-pytool-extensions from 0.30.3 to 0.30.5 by @dependabot[bot] in #277
• Fix SVN Regressions by @Flickdm in #279

Full Changelog: v1.6.0-signed...v1.6.1-signed

v1.6.1

⚠️ IMPORTANT

DBX Info file had regressions that said the latest SVN was 5.0 despite the binary being updated to 7.0. This has been corrected.

What's Changed

• pip: bump edk2-pytool-library from 0.23.8 to 0.23.10 by @dependabot[bot] in #275
• pip: bump ruff from 0.14.0 to 0.14.1 by @dependabot[bot] in #276
• pip: bump edk2-pytool-extensions from 0.30.3 to 0.30.5 by @dependabot[bot] in #277
• Fix SVN Regressions by @Flickdm in #279

Full Changelog: v1.6.0...v1.6.1

v1.6.0-signed

⚠️ IMPORTANT

Signed DBX and Revocations have been updated to include the revocations for Igel* - see #272

Updating post signed folder with signed DB update packages for 3P UEFI CA and Option ROM CA - see
#226

Bumping SVN revocation for Windows bootmgr from 5 to 7 - see
#263

What's Changed

• Fix dbx_info_msft_06_10_25.json cert file name by @dinhngtu in #223
• Make2023BootableMedia.ps1 handle spaces in ISOPath by @christophvw in #210
• Create pipeline to validate DBX JSON certificate references by @Copilot in #225
• pip: bump ruff from 0.11.12 to 0.12.0 by @dependabot[bot] in #227
• Repo File Sync: synced file(s) with microsoft/mu_devops by @mu-automation[bot] in #229
• pip: bump pytest from 8.4.0 to 8.4.1 by @dependabot[bot] in #228
• Updating Post signed folder with signed db update packages for 3P CAs. by @SochiOgbuanya in #226
• Fix "Lable" misspelling in Make2023BootableMedia.ps1 by @Copilot in #221
• Repo File Sync: Update to Mu DevOps v15.0.3 by @mu-automation[bot] in #235
• pip: bump ruff from 0.12.0 to 0.12.1 by @dependabot[bot] in #234
• pip: bump ruff from 0.12.1 to 0.12.2 by @dependabot[bot] in #237
• Feature: Authenticated Variable Tooling by @Flickdm in #236
• pip: bump ruff from 0.12.2 to 0.12.3 by @dependabot[bot] in #239
• pip: bump ruff from 0.12.3 to 0.12.4 by @dependabot[bot] in #240
• pip: bump ruff from 0.12.4 to 0.12.7 by @dependabot[bot] in #241
• pip: bump ruff from 0.12.7 to 0.12.8 by @dependabot[bot] in #244
• Update InstallSecureBootKeys.ps1 by @serock in #246
• pip: bump ruff from 0.12.8 to 0.12.9 by @dependabot[bot] in #247
• Repo File Sync: Update to Mu DevOps v16.0.0 by @mu-automation[bot] in #248
• pip: bump ruff from 0.12.9 to 0.12.10 by @dependabot[bot] in #249
• Repo File Sync: Update workflows to mu_devops v17 by @mu-automation[bot] in #251
• Repo File Sync: Update workflows to v17.0.1 by @mu-automation[bot] in #252
• pip: bump ruff from 0.12.10 to 0.12.11 by @dependabot[bot] in #253
• GitHub Action: Bump actions/setup-python from 5 to 6 by @dependabot[bot] in #254
• pip: bump pytest from 8.4.1 to 8.4.2 by @dependabot[bot] in #256
• pip: bump ruff from 0.12.11 to 0.12.12 by @dependabot[bot] in #257
• Repo File Sync: Update to Mu DevOps v18.0.0 by @mu-automation[bot] in #258
• pip: bump ruff from 0.13.0 to 0.13.1 by @dependabot[bot] in #259
• Bumping SVN revocation for Windows bootmgr from 5 to 7 by @SochiOgbuanya in #263
• pip: bump ruff from 0.13.1 to 0.13.2 by @dependabot[bot] in #262
• Clean up Post Signed Objects Branch by @Flickdm in #265
• pip: bump edk2-pytool-library from 0.23.2 to 0.23.8 by @dependabot[bot] in #266
• pip: bump edk2-pytool-extensions from 0.29.2 to 0.30.2 by @dependabot[bot] in #268
• pip: bump ruff from 0.13.2 to 0.14.0 by @dependabot[bot] in #267
• Repo File Sync: Update deps ignored in dependabot config by @mu-automation[bot] in #269
• pip: bump edk2-pytool-extensions from 0.30.2 to 0.30.3 by @dependabot[bot] in #271
• Updating Post signed DBX folder with latest revocation of vulnerable IGEL shims by @SochiOgbuanya in #272

New Contributors

• @dinhngtu made their first contribution in #223
• @christophvw made their first contribution in #210
• @Copilot made their first contribution in #225
• @serock made their first contribution in #246

Full Changelog: v1.5.1-signed...1.6.0-signed

What's Changed

• Fix dbx_info_msft_06_10_25.json cert file name by @dinhngtu in #223
• Make2023BootableMedia.ps1 handle spaces in ISOPath by @christophvw in #210
• Create pipeline to validate DBX JSON certificate references by @Copilot in #225
• pip: bump ruff from 0.11.12 to 0.12.0 by @dependabot[bot] in #227
• Repo File Sync: synced file(s) with microsoft/mu_devops by @mu-automation[bot] in #229
• pip: bump pytest from 8.4.0 to 8.4.1 by @dependabot[bot] in #228
• Updating Post signed folder with signed db update packages for 3P CAs. by @SochiOgbuanya in #226
• Fix "Lable" misspelling in Make2023BootableMedia.ps1 by @Copilot in #221
• Repo File Sync: Update to Mu DevOps v15.0.3 by @mu-automation[bot] in #235
• pip: bump ruff from 0.12.0 to 0.12.1 by @dependabot[bot] in #234
• pip: bump ruff from 0.12.1 to 0.12.2 by @dependabot[bot] in #237
• Feature: Authenticated Variable Tooling by @Flickdm in #236
• pip: bump ruff from 0.12.2 to 0.12.3 by @dependabot[bot] in #239
• pip: bump ruff from 0.12.3 to 0.12.4 by @dependabot[bot] in #240
• pip: bump ruff from 0.12.4 to 0.12.7 by @dependabot[bot] in #241
• pip: bump ruff from 0.12.7 to 0.12.8 by @dependabot[bot] in #244
• Update InstallSecureBootKeys.ps1 by @serock in #246
• pip: bump ruff from 0.12.8 to 0.12.9 by @dependabot[bot] in #247
• Repo File Sync: Update to Mu DevOps v16.0.0 by @mu-automation[bot] in #248
• pip: bump ruff from 0.12.9 to 0.12.10 by @dependabot[bot] in #249
• Repo File Sync: Update workflows to mu_devops v17 by @mu-automation[bot] in #251
• Repo File Sync: Update workflows to v17.0.1 by @mu-automation[bot] in #252
• pip: bump ruff from 0.12.10 to 0.12.11 by @dependabot[bot] in #253
• GitHub Action: Bump actions/setup-python from 5 to 6 by @dependabot[bot] in #254
• pip: bump pytest from 8.4.1 to 8.4.2 by @dependabot[bot] in #256
• pip: bump ruff from 0.12.11 to 0.12.12 by @dependabot[bot] in #257
• Repo File Sync: Update to Mu DevOps v18.0.0 by @mu-automation[bot] in #258
• pip: bump ruff from 0.13.0 to 0.13.1 by @dependabot[bot] in #259
• Bumping SVN revocation for Windows bootmgr from 5 to 7 by @SochiOgbuanya in #263
• pip: bump ruff from 0.13.1 to 0.13.2 by @dependabot[bot] in #262
• Clean up Post Signed Objects Branch by @Flickdm in #265
• pip: bump edk2-pytool-library from 0.23.2 to 0.23.8 by @dependabot[bot] in #266
• pip: bump edk2-pytool-extensions from 0.29.2 to 0.30.2 by @dependabot[bot] in #268
• pip: bump ruff from 0.13.2 to 0.14.0 by @dependabot[bot] in https://github.com/microsoft/secureboot_obje...

v1.6.0

⚠️ IMPORTANT

Signed DBX and Revocations have been updated to include the revocations for Igel* - see #272

Updating post signed folder with signed DB update packages for 3P UEFI CA and Option ROM CA - see
#226

Bumping SVN revocation for Windows bootmgr from 5 to 7 - see
#263

What's Changed

• Updating Post signed DBX folder with latest revocation of vulnerable IGEL shims @SochiOgbuanya (#272)
  
  Change Details

    ## Description

  Secure Boot Bypass due to vulnerable IGEL Linux shims

  Attacker who has gained physical access to the device can plant vulnerable shims that allow loading older Linux loader which in turn loads unsigned Kernel. It is integrity bypass for boot code.

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?

  How This Was Tested

  Verified by trying to boot using vulnerable IGEL boot module to ensure the modules are blocked from booting on Secure boot enabled system

  Integration Instructions

  N/A

    </blockquote>
    <hr>
  </details>
  

• Clean up Post Signed Objects Branch @Flickdm (#265)
  
  Change Details

    ## Description

  Cleaning up documentation to point to the Wiki.

  Additionally,

  • Deleted uncessary copy of kek_update_map.json
  • Fixing auth_var_tool.py so it creates the output folder if it doesn't exist

  For details on how to complete these options and their meaning refer to CONTRIBUTING.md.

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?

  How This Was Tested

  Local testing to verify functionality of wiki

  Integration Instructions

  N/A
  

  
  

  ---

  
  

• Bumping SVN revocation for Windows bootmgr from 5 to 7 @SochiOgbuanya (#263)
  
  Change Details

    ## Description

  Windows bootmgr svn revocation bumped from 5 to 7 as Windows Boot Manager can be rolled back to previous vulnerable version to trigger Secure boot rollback.

  For details on how to complete these options and their meaning refer to CONTRIBUTING.md.

  • Impacts functionality? No
  • Impacts security? Yes
  • Breaking change?
  • Includes tests? No
  • Includes documentation? No

  How This Was Tested

  Booted to latest Windows version and blocked affected versions

  Integration Instructions

  N/A

    </blockquote>
    <hr>
  </details>
  

• Update InstallSecureBootKeys.ps1 @serock (#246)
  
  Change Details

    Fixes #245

  Description

  Changed "$esult" to "$Result" so that the script can properly determine if the DBX was enrolled successfully.

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?

  How This Was Tested

  Tested on a Dell Inspiron 3847 with the MicrosoftAndThirdParty/Firmware files from https://github.com/microsoft/secureboot_objects/releases/download/v1.5.1/edk2-x64-secureboot-binaries.zip and a customized DBX.bin file.

  Integration Instructions

  N/A

    </blockquote>
    <hr>
  </details>
  

• Feature: Authenticated Variable Tooling @Flickdm (#236)
  
  Change Details

    ## Description This pull request introduces two major updates: a CLI utility for working with secure boot objects in the operating system and a test script to generate test certificates to debug and work with a platform. These scripts can be used to perform the full end to end secure boot workflow in two configurations - local signing, or remote signing.

  Full chain usage will be added to the WIKI and a link will be added here.

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?
    https://github.com/microsoft/secureboot_objects/wiki/Secure-Boot-Workflow#secure-boot-workflow-setup-mode-key-installation-and-management

  How This Was Tested

  Local Testing on Devkit

  Integration Instructions

  N/A
  

  
  

  ---

  
  

• Fix "Lable" misspelling in Make2023BootableMedia.ps1 @[copilot-swe-agent[bot]](https://github.com/apps/copilot-swe-agent) (#221)
  
  Change Details

    Fixed multiple spelling errors in the PowerShell script `Make2023BootableMedia.ps1`:

  Primary fix:

  • Corrected ISO_Lable to ISO_Label throughout the script (4 occurrences on lines 230, 718, 719, and 725)
  • This ensures consistency with the correctly spelled variable declaration on line 806

  Additional spelling corrections:

  • Fixed "Avalable" to "Available" in ADK requirement message (line 76)
  • Fixed "defualt" to "default" in comment (line 717)
  • Fixed "$ISOLable" to "$ISOLabel" in comment (line 717)

  The variable name inconsistency could have caused runtime errors when the script attempts to reference $global:ISO_Label but some parts of the code were setting $global:ISO_Lable. All variable references now use the correct spelling ISO_Label.

  Fixes #220.

  ---

  💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.
  

  
  

  ---

  
  

• Updating Post signed folder with signed db update packages for 3P CAs. @SochiOgbuanya (#226)
  
  Change Details

    ## Description

  Updating post signed folder with signed DB update packages for 3P UEFI CA and Option ROM CA

  Added db update packages for 3P UEFI CA 2023 and Option ROM CA 2023 to post signed folder.
  Moved older json to archives.

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?

  How This Was Tested

  Updated on local machines and @hughsie tested via fwupd

  Integration Instructions

  FIrmware does not require this payload however third party operating systems may
  

  
  

  ---

  
  

• Create pipeline to validate DBX JSON certificate references @[copilot-swe-agent[bot]](https://github.com/apps/copilot-swe-agent) (#225)
  
  Change Details

    This PR implements a validation pipeline to ensure that DBX JSON files reference certificate files that actually exist in the `PreSignedObjects/DBX/Certificates` folder.

  Problem

  When new DBX JSON files are created, the internal certificate names referenced in the JSON don't always match the external filenames in the Certificates folder, and there was no validation to catch these mismatches. For example, the current dbx_info_msft_06_10_25.json references WindowsProduction2011.cer but the actual file is named MicWinProPCA2011_2011-10-19.der.

  Solution

  Added a new validation script and CI pipeline step that:

  1. Finds the latest DBX JSON file - Automatically locates dbx_info_msft_<date>.json files
  2. Validates certificate references - Checks that all certificates listed in the "certificates" array actually exist in the Certificates folder
  3. Provides clear error messages - Shows exactly which certificates are missing and lists available files for debugging
  4. Handles edge cases - Gracefully handles missing certificates sections, malformed JSON, etc.

  Changes Made

  New Files

  • scripts/validate_dbx_references.py - Main validation script with CLI interface
  • scripts/test_validate_dbx_references.py - Comprehensive unit tests (7 test cases)

  CI Integration

  • Added validation step to .github/workflows/prepare-binaries.yml after unit tests
  • Pipeline will now fail on PR/release if certificate references are invalid

  Other

  • Fixed .gitignore to properly exclude __pycache__ directories
  • Removed accidentally committed cache files

  Testing

  # Current mismatch is detected
  $ python scripts/validate_dbx_references.py PreSignedObjects/DBX
  ERROR: Certificate file 'WindowsProduction2011.cer' referenced in JSON but not found in PreSignedObjects/DBX/Certificates
  INFO: Available certificate files:
  INFO:   - MicWinProPC...

v1.5.1-signed

TLDR

⚠️ IMPORTANT

• Signed DBX and Revocations have been updated to include the revocations for DtBios* - see #214
• Template support was added to add additional templates that a platform can use to customize the template they require
• Release 1.5.0 failed due to a expired token. This was fixed in #219 however the tags were left behind - see #218

What's Changed

• pip: bump ruff from 0.9.6 to 0.9.7 by @dependabot in #172
• pip: bump edk2-pytool-extensions from 0.28.2 to 0.28.3 by @dependabot in #173
• Update the Readme by @Flickdm in #179
• pip: bump edk2-pytool-extensions from 0.28.3 to 0.28.5 by @dependabot in #177
• pip: bump pytest from 8.3.4 to 8.3.5 by @dependabot in #176
• pip: bump ruff from 0.9.7 to 0.9.9 by @dependabot in #175
• pip: bump ruff from 0.9.9 to 0.11.0 by @dependabot in #184
• Publishing Script to make 2023 Boot Media from existing ISOs by @Flickdm in #183
• RustToolChain: Bump RustToolChain from 1.80 to 1.84. by @uefibot in #187
• Repo File Sync: synced file(s) with microsoft/mu_devops by @uefibot in #190
• Clean up SecureBoot Schema and Revocation JSON by @Flickdm in #191
• pip: bump ruff from 0.11.2 to 0.11.4 by @dependabot in #192
• Basic powershell installation script for installing Secure Boot Keys by @Flickdm in #193
• Secure Boot Default Templates by @Flickdm in #174
• pip: bump ruff from 0.11.4 to 0.11.5 by @dependabot in #194
• pip: bump ruff from 0.11.4 to 0.11.6 by @dependabot in #197
• Repo File Sync: synced file(s) with microsoft/mu_devops by @mu-automation in #202
• pip: bump ruff from 0.11.6 to 0.11.7 by @dependabot in #201
• Update templates by @Flickdm in #199
• pip: bump ruff from 0.11.7 to 0.11.8 by @dependabot in #204
• Secure Boot Kek Update Files by @Flickdm in #195
• pip: bump ruff from 0.11.8 to 0.11.9 by @dependabot in #205
• pip: bump ruff from 0.11.9 to 0.11.10 by @dependabot in #206
• pip: bump ruff from 0.11.10 to 0.11.11 by @dependabot in #207
• Synced yml file(s) with microsoft/mu_devops, updated rust toolchain version and edition by @mu-automation in #208
• Repo File Sync: Update mu_devops workflow tags to 15.0.1 by @mu-automation in #209
• pip: bump ruff from 0.11.11 to 0.11.12 by @dependabot in #212
• pip: bump pytest from 8.3.5 to 8.4.0 by @dependabot in #211
• Updating DBX update package with the latest revocations by @SochiOgbuanya in #214
• Keep LegacyFirmwareDefaults.toml around for legacy firmware builds by @Flickdm in #213
• Update non-Default GitHub token usage to Mu GitHub app by @apop5 in #219

New Contributors

• @mu-automation made their first contribution in #202
• @apop5 made their first contribution in #219

Full Changelog: v1.4.0-signed...v1.5.1-signed

v1.5.1

TLDR

⚠️ IMPORTANT

• Signed DBX and Revocations have been updated to include the revocations for DtBios* - see #214
• Template support was added to add additional templates that a platform can use to customize the template they require
• Release 1.5.0 failed due to a expired token. This was fixed in #219 however the tags were left behind - see #218

What's Changed

• pip: bump ruff from 0.9.6 to 0.9.7 by @dependabot in #172
• pip: bump edk2-pytool-extensions from 0.28.2 to 0.28.3 by @dependabot in #173
• Update the Readme by @Flickdm in #179
• pip: bump edk2-pytool-extensions from 0.28.3 to 0.28.5 by @dependabot in #177
• pip: bump pytest from 8.3.4 to 8.3.5 by @dependabot in #176
• pip: bump ruff from 0.9.7 to 0.9.9 by @dependabot in #175
• pip: bump ruff from 0.9.9 to 0.11.0 by @dependabot in #184
• Publishing Script to make 2023 Boot Media from existing ISOs by @Flickdm in #183
• RustToolChain: Bump RustToolChain from 1.80 to 1.84. by @uefibot in #187
• Repo File Sync: synced file(s) with microsoft/mu_devops by @uefibot in #190
• Clean up SecureBoot Schema and Revocation JSON by @Flickdm in #191
• pip: bump ruff from 0.11.2 to 0.11.4 by @dependabot in #192
• Basic powershell installation script for installing Secure Boot Keys by @Flickdm in #193
• Secure Boot Default Templates by @Flickdm in #174
• pip: bump ruff from 0.11.4 to 0.11.5 by @dependabot in #194
• pip: bump ruff from 0.11.4 to 0.11.6 by @dependabot in #197
• Repo File Sync: synced file(s) with microsoft/mu_devops by @mu-automation in #202
• pip: bump ruff from 0.11.6 to 0.11.7 by @dependabot in #201
• Update templates by @Flickdm in #199
• pip: bump ruff from 0.11.7 to 0.11.8 by @dependabot in #204
• Secure Boot Kek Update Files by @Flickdm in #195
• pip: bump ruff from 0.11.8 to 0.11.9 by @dependabot in #205
• pip: bump ruff from 0.11.9 to 0.11.10 by @dependabot in #206
• pip: bump ruff from 0.11.10 to 0.11.11 by @dependabot in #207
• Synced yml file(s) with microsoft/mu_devops, updated rust toolchain version and edition by @mu-automation in #208
• Repo File Sync: Update mu_devops workflow tags to 15.0.1 by @mu-automation in #209
• pip: bump ruff from 0.11.11 to 0.11.12 by @dependabot in #212
• pip: bump pytest from 8.3.5 to 8.4.0 by @dependabot in #211
• Updating DBX update package with the latest revocations by @SochiOgbuanya in #214
• Keep LegacyFirmwareDefaults.toml around for legacy firmware builds by @Flickdm in #213
• Update non-Default GitHub token usage to Mu GitHub app by @apop5 in #219

New Contributors

• @mu-automation made their first contribution in #202
• @apop5 made their first contribution in #219

Full Changelog: v1.4.0...v1.5.1

v1.4.0-signed

(Runtime) Official Signed Microsoft Secure Boot payloads

Operating systems or systems where secure boot is enabled, may use these binaries to update Secure Boot

TLDR

⚠️ IMPORTANT

There was a decision to remove all Windows hashes from the DBX in the previous release to save space in flash since revoking by certificate is the recommended method of revocation for complete protection against Black Lotus.

While a valid decision, to prevent against confusion and regression for users who are not aware of this change, the Windows hashes will be re-included in the signed DBX update files.

For easy verification either compare the revocation list against the receipts or compare the firmware payloads receipt (or binary file) against the signed version to see the only additional data is the signature. The hashes are as expected.

Please visit our wiki and Manufacturing and Operationing System Instructions for more information

What's Changed

• pip: bump edk2-pytool-extensions from 0.28.0 to 0.28.2 by @dependabot in #166
• pip: bump ruff from 0.9.3 to 0.9.6 by @dependabot in #165
• Adding receipts for the firmware binaries by @Flickdm in #169
• Updates DBX signed binaries to re-include windows hashes by @Flickdm in #170
• Adding versioning rules by @Flickdm in #171

Full Changelog: v1.3.1-signed...v1.4.0-signed

v1.4.0

(Firmware) Official Microsoft Unsigned Secure Boot Payloads

These binaries may be used in a firmware environment where Secure Boot is in SETUP mode and the firmware has direct access to write to the UEFI Variables.

TLDR

This release does not include additional hashes but is being made to keep in lock step with the signed payloads.
This release does add additional receipts to each payload for easy verification.

Please visit our wiki and Manufacturing and Operationing System Instructions for more information

What's Changed

• pip: bump edk2-pytool-extensions from 0.28.0 to 0.28.2 by @dependabot in #166
• pip: bump ruff from 0.9.3 to 0.9.6 by @dependabot in #165
• Adding receipts for the firmware binaries by @Flickdm in #169
• Updates DBX signed binaries to re-include windows hashes by @Flickdm in #170
• Adding versioning rules by @Flickdm in #171

Full Changelog: v1.3.1...v1.4.0