Hello. No, I am not talking about the product key. I am talking about the signing keys in the UEFI firmware. Please look at my earlier link: https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported to understand what I mean.
These are the keys that can sign binaries etc. to ensure the integrity of the Secure Boot process. If vulnerable keys etc. are in use, as in this case, they must be removed and updated. This can be done on Linux with the fwupdmgr tool, for example. My system uses old and vulnerable keys and it must be updated, or else I cannot trust it. As written in the link I posted, the BIOS must allow “capsule updates”. My question is: how do I turn these on on this system?
This is a list from my system of the UEFI capsule updates that currently CANNOT BE PERFORMED, since capsule updates are not allowed:
```text
AZW SER
│
├─KEK CA:
│ │ Device ID: b7a1d3d90faa1f6275d9a98da4fb3be7118e61c7
│ │ Current version: 2011
│ │ Vendor: Microsoft (UEFI:Microsoft)
│ │ GUIDs: 814e950f-1449-566a-a190-42c9d3a3a2df ← UEFI\VENDOR_Microsoft&NAME_Microsoft-KEK-CA
│ │ dfa66406-6568-5bdf-bb8e-b53ddb4be4cf ← UEFI\CRT_9F402B1CC0243CBEDC58A525789816CCCA7687A9
│ │ Device Flags: • Internal device
│ │ • Updatable
│ │ • Supported on remote server
│ │ • Needs a reboot after installation
│ │ • Device is usable for the duration of the update
│ │ • Signed Payload
│ │ • Can tag for emulation
│ │
│ ├─Secure Boot KEK Configuration Update:
│ │ New version: 2023
│ │ Remote ID: lvfs
│ │ Release ID: 113893
│ │ Summary: UEFI Secure Boot Key Exchange Key
│ │ Variant: AMI
│ │ License: Proprietary
│ │ Size: 2.8 kB
│ │ Created: 2025-04-29 00:00:00
│ │ Urgency: High
│ │ Vendor: Linux Foundation
│ │ Release Flags: • Trusted metadata
│ │ • Is upgrade
│ │ Description:
│ │ This updates the UEFI Signature Database (the “KEK”) to the latest release from Microsoft, signed by DO NOT TRUST - AMI Test PK.
│ │ Checksum: 103ebd21a803540296daff93fa7e1595bf323b4db78fbc6287aed945ab5965fb
│ │
│ └─Secure Boot KEK Configuration Update:
│ New version: 2023
│ Remote ID: lvfs
│ Release ID: 113905
│ Summary: UEFI Secure Boot Key Exchange Key
│ Variant: ASUS
│ License: Proprietary
│ Size: 2.8 kB
│ Created: 2025-04-29 00:00:00
│ Urgency: High
│ Vendor: Linux Foundation
│ Release Flags: • Trusted metadata
│ • Is upgrade
│ Description:
│ This updates the UEFI Signature Database (the “KEK”) to the latest release from Microsoft, signed by DO NOT TRUST - AMI Test PK.
│ Checksum: 73ea2c69621eec29df454264907a2d3586d57ab2e58b7ff596d013bc37ca1714
│
├─UEFI CA:
│ │ Device ID: 5bc922b7bd1adb5b6f99592611404036bd9f42d0
│ │ Current version: 2011
│ │ Vendor: Microsoft (UEFI:Microsoft)
│ │ GUIDs: 26f42cba-9bf6-5365-802b-e250eb757e96 ← UEFI\VENDOR_Microsoft&NAME_Microsoft-UEFI-CA
│ │ c34a7e6a-bd86-5244-8bd0-7db66fd3c073 ← UEFI\CRT_E30CF09DABEAB32A6E3B07A7135245DE05FFB658
│ │ Device Flags: • Internal device
│ │ • Updatable
│ │ • Supported on remote server
│ │ • Needs a reboot after installation
│ │ • Signed Payload
│ │ • Can tag for emulation
│ │
│ └─Secure Boot Signature Database Configuration Update:
│ New version: 2023
│ Remote ID: lvfs
│ Release ID: 116503
│ Summary: UEFI Secure Boot Signature Database
│ License: Proprietary
│ Size: 10.0 kB
│ Created: 2025-04-29 00:00:00
│ Urgency: High
│ Tested: 2025-10-17 00:00:00
│ Distribution: fedora 42 (workstation)
│ Old version: 2011
│ Version[fwupd]: 2.0.16
│ Tested: 2025-09-17 00:00:00
│ Distribution: fedora 42 (workstation)
│ Old version: 2011
│ Version[fwupd]: 2.0.16
│ Tested: 2025-07-24 00:00:00
│ Distribution: nixos 25.11
│ Old version: 2011
│ Version[fwupd]: 2.0.12
│ Vendor: Linux Foundation
│ Release Flags: • Trusted metadata
│ • Is upgrade
│ Description:
│ This updates the 3rd Party UEFI Signature Database (the “db”) to the latest release from Microsoft.It also adds the latest OptionROM UEFI Signature Database update.
│ Checksum: 6819c8098f09f4332a102194df6a033563aa288073b16315c5b88860fefb7e74
│
└─UEFI dbx:
│ Device ID: 362301da643102b9f38477387e2193e57abaa590
│ Summary: UEFI revocation database
│ Current version: 20230501
│ Minimum Version: 20230501
│ Vendor: UEFI:Microsoft
│ Install Duration: 1 second
│ GUID: f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
│ Device Flags: • Internal device
│ • Updatable
│ • Supported on remote server
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│ • Only version upgrades are allowed
│ • Signed Payload
│ • Can tag for emulation
│
├─Secure Boot dbx Configuration Update:
│ New version: 20250902
│ Remote ID: lvfs
│ Release ID: 130035
│ Summary: UEFI Secure Boot Forbidden Signature Database
│ Variant: x64
│ License: Proprietary
│ Size: 24.1 kB
│ Created: 2025-09-02 00:00:00
│ Urgency: High
│ Tested: 2025-12-15 00:00:00
│ Distribution: ubuntu 25.10
│ Old version: 20230501
│ Version[fwupd]: 2.0.16
│ Tested: 2025-12-05 00:00:00
│ Distribution: fedora 42 (workstation)
│ Old version: 20250507
│ Version[fwupd]: 2.0.17
│ Tested: 2025-11-10 00:00:00
│ Distribution: fedora 43 (kde)
│ Old version: 20230501
│ Version[fwupd]: 2.0.16
│ Vendor: Linux Foundation
│ Duration: 1 second
│ Release Flags: • Trusted metadata
│ • Is upgrade
│ • Tested by trusted vendor
│ Description:
│ This updates the list of forbidden signatures (the “dbx”) to the latest release from Microsoft.
│
│ Some insecure versions of the IGEL bootloader were added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
│ Issue: CVE-2025-47827
│ Checksum: 7178302fa23fcb875e7540900e299fb30a76758663efb7e1c56edc25cd3f316a
│
├─Secure Boot dbx Configuration Update:
│ New version: 20250507
│ Remote ID: lvfs
│ Release ID: 115586
│ Summary: UEFI Secure Boot Forbidden Signature Database
│ Variant: x64
│ License: Proprietary
│ Size: 24.0 kB
│ Created: 2025-01-17 00:00:00
│ Urgency: High
│ Tested: 2025-10-17 00:00:00
│ Distribution: fedora 42 (workstation)
│ Old version: 20230501
│ Version[fwupd]: 2.0.16
│ Tested: 2025-06-11 00:00:00
│ Distribution: fedora 42 (workstation)
│ Old version: 20241101
│ Version[fwupd]: 2.0.11
│ Vendor: Linux Foundation
│ Duration: 1 second
│ Release Flags: • Trusted metadata
│ • Is upgrade
│ • Tested by trusted vendor
│ Description:
│ This updates the list of forbidden signatures (the “dbx”) to the latest release from Microsoft.
│
│ Some insecure versions of BiosFlashShell and Dtbios by DT Research Inc were added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
│ Issues: 806555
│ CVE-2025-3052
│ Checksum: 40d3a4630619b83026f66bc64d97a582bbd9223ad53aa3f519ff5e2121d11ca6
│
└─Secure Boot dbx Configuration Update:
New version: 20241101
Remote ID: lvfs
Release ID: 105821
Summary: UEFI Secure Boot Forbidden Signature Database
Variant: x64
License: Proprietary
Size: 15.1 kB
Created: 2025-01-17 00:00:00
Urgency: High
Tested: 2025-10-31 00:00:00
Distribution: ubuntu 24.04
Old version: 20230501
Version[fwupd]: 1.9.28
Vendor: Linux Foundation
Duration: 1 second
Release Flags: • Trusted metadata
• Is upgrade
Description:
This updates the list of forbidden signatures (the “dbx”) to the latest release from Microsoft.
An insecure version of Howyar's SysReturn software was added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
Issues: 529659
CVE-2024-7344
Checksum: 093e6913dfecefbdaa9374a2e1caee7bf7e74c7eda847624e456e344884ba5f6
```
Thank you.
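As an added example (not part of the original post), a small Python parser for the tree that fwupdmgr prints in the listing above: it pulls out each Secure Boot database, its installed version, the newer releases offered by LVFS and the CVEs those releases close, so the pending work can be triaged as one row per database. The device names, versions and CVE numbers in the embedded sample are copied from the listing; the shortened layout is constructed.

```python
import re
TREE_CHARS = "│├└─ \t"  # tree-drawing characters; stripped so indentation does not matter
KV_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 \[\]]*):\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_fwupdmgr_tree(text):
    """Parse the fwupdmgr update tree into device dicts with their fields and 'releases'."""
    devices, device, release = [], None, None
    for raw in text.splitlines():
        m = KV_RE.match(raw.strip(TREE_CHARS))
        key, value = m.groups() if m else ("", "")
        if key.endswith("Configuration Update") and not value and device:
            release = {"cves": []}                  # an available update under the device
            device["releases"].append(release)
        elif key and not value and key != "Description":   # device header such as "KEK CA:"
            device, release = {"name": key, "releases": []}, None
            devices.append(device)
        elif key and value and device:
            (release or device)[key] = value        # ordinary "Key: value" field
        if release:
            release["cves"] += CVE_RE.findall(raw)  # "Issue: CVE-…" or a bare CVE line
    return devices

def pending_updates(devices):
    """(device, installed, newest available, CVEs closed) per device that is behind. Versions
    are plain integers (year or YYYYMMDD); revocations accumulate, so all skipped CVEs count."""
    rows = []
    for d in devices:
        cur = int(d.get("Current version", 0))
        newer = [r for r in d["releases"] if int(r.get("New version", 0)) > cur]
        if newer:
            rows.append((d["name"], cur, max(int(r["New version"]) for r in newer),
                         sorted({c for r in newer for c in r["cves"]})))
    return rows

# Constructed excerpt in the layout of the listing in the post (values copied from it).
SAMPLE = """\
├─KEK CA:
│ │   Current version:    2011
│ └─Secure Boot KEK Configuration Update:
│       New version:        2023
└─UEFI dbx:
  │   Current version:    20230501
  ├─Secure Boot dbx Configuration Update:
  │     New version:        20250902
  │     Issue:              CVE-2025-47827
  └─Secure Boot dbx Configuration Update:
        New version:        20241101
                            CVE-2024-7344
"""
```

Running `pending_updates(parse_fwupdmgr_tree(SAMPLE))` reports the KEK at 2011 with 2023 available and the dbx at 20230501 with 20250902 available, closing CVE-2024-7344 and CVE-2025-47827; the same call works on the full saved output of the listing.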