Updating UEFI certificates after June 24th
Posted by Exorkog@reddit | sysadmin | 4 comments
Hi,
Will updating UEFI certificates still work after the June 24th expiration, via Windows Update or other means?
Thanks
cjcox4@reddit
For many reasons, most all UEFI BIOSes should have a "way" to unprotect things so that you can manually load keys from a visible disk. It's limited to a visible disk, which I think may even have to be FAT32 (?). Anyhow, even with virtual BIOSes (like VMware, etc.) with "settings" you can boot into the BIOS and manually load PK, KEK, DBX with the Windows UEFI .der. That is of course a worst case scenario (when you push the clear all TPM data). That is to say, there is "a way" without dependence on Microsoft OS-side update and/or firmware update magic, and in certain cases, it's just not going to work any other way. And yes, there is an OS-side component to all of this as well, just saying TPM manipulation (though sometimes there is work to unprotect it) can fix this up. For Windows people, disabling BitLocker can help while doing all of this. After the TPM is fixed, just re-enable BitLocker and it will re-add itself to the TPM, etc. Otherwise, you might find yourself typing in your recovery key manually (kind of a pain).
thomasmitschke@reddit
Yes
LousyRaider@reddit
Based on what I’ve read, it sounds like it can still be updated after the expiry date has passed. They will still boot with the expired cert as well, it just won’t boot with the Secure Boot protections applied, is how I understand it.
cacheclyo@reddit
Yeah, this matches what Microsoft’s docs say. The cert expiring doesn’t magically brick the machine or block updates.
Stuff should still boot, and Windows Update can still push the DBX / Secure Boot updates after June 24. The main change is the security posture, not basic functionality. So you won’t lose the ability to fix it later, but you might be running with weaker Secure Boot checks until you do.