SecureBoot "Firmware_MissingKEKInPackage" - I assume I'm screwed and need new hardware?
Posted by segagamer@reddit | sysadmin | 5 comments
Two of our Supermicro servers are fairly old - SuperMicro X10SRi-F. I was denied replacing them last two budget meetings.
Was wrapping up the last of our devices today and decided to tackle these servers, and found that HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing\KEKLastUpdateErrorReason is reporting Firmware_MissingKEKInPackage, with everything else listed as "InProgress" or "RebootRequired".
It looks like I'm able to manually load in KEKs in the BIOS, so I'm wondering if it's possible to just... obtain the certs I need and load them in. I assume I'm at Supermicro's mercy with this?
I also assume that I should be fine until October? I'm trying to get up to speed here (yes I know I've had since 2024).
hunter1BadPassword@reddit
What values do UEFICA2023Status and UEFICA2023Error have?
HotPieFactory@reddit
UEFI requires having KEK and KEKDefault variables. The KEKDefault is read-only and contains the default KEK variables. So if they are missing and the UEFI is implemented correctly, you're able to add them from there.
Typically, the firmware allows you to reset the variables in the GUI, too.
segagamer@reddit (OP)
The firmware version is from 2001, so resetting to Default wouldn't help. Do Microsoft provide their own KEK that I can load into the UEFI?
TerrorToadx@reddit
Idk what Supermicro is, but yes, you can download the new KEK cert from Microsoft and install it in BIOS.
TuxAndrew@reddit
Servers
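
Added example, not part of the thread: a read-only PowerShell check of the values discussed above (the Servicing registry values the OP and hunter1BadPassword mention, and the KEK and KEKDefault variables HotPieFactory describes). It assumes an elevated session on a UEFI-booted Windows host and that the certificate in question is Microsoft's 2023 KEK, whose subject name "Microsoft Corporation KEK 2K CA 2023" is not given in the thread; the function name Test-KekVariable is hypothetical.

```powershell
# Read-only diagnostics; run from an elevated PowerShell session.
$servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$valueNames = 'KEKLastUpdateErrorReason', 'UEFICA2023Status', 'UEFICA2023Error'

# 1. Servicing state recorded by Windows (value names taken from the thread).
$props = Get-ItemProperty -Path $servicing -ErrorAction SilentlyContinue
foreach ($name in $valueNames) {
    $value = if ($props -and $props.PSObject.Properties[$name]) { $props.$name } else { '<not set>' }
    '{0,-26} {1}' -f $name, $value
}

# 2. Is Secure Boot actually enforced on this boot?
try   { 'SecureBoot enabled         {0}' -f (Confirm-SecureBootUEFI) }
catch { 'SecureBoot enabled         unknown ({0})' -f $_.Exception.Message }

# Assumption: subject name of the 2023 KEK certificate (not stated in the thread).
$kekSubject = 'Microsoft Corporation KEK 2K CA 2023'

# Hypothetical helper: reports whether a Secure Boot variable contains a
# certificate whose DER bytes include the given subject string.
function Test-KekVariable {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Subject
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    } catch {
        # Variable missing, legacy BIOS boot, or session not elevated.
        return 'unreadable ({0})' -f $_.Exception.Message
    }
    if (-not $bytes) { return 'empty' }
    # Certificate subject strings are stored as ASCII-compatible text inside the DER.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    if ($text.Contains($Subject)) { 'present' } else { 'absent' }
}

# 3. KEK is the active variable; KEKDefault is what a firmware "reset to
#    default keys" would restore, so both are worth checking.
foreach ($variable in 'KEK', 'KEKDefault') {
    '{0,-26} {1}' -f "$variable has 2023 KEK", (Test-KekVariable -Name $variable -Subject $kekSubject)
}
```

If KEK reports absent while KEKDefault reports present, resetting to the firmware's default keys would restore the certificate; if both report absent, the firmware does not ship it and it has to be enrolled some other way.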