How to use fwupd to enroll the Microsoft UEFI CA 2023 certificate
Environment
- Red Hat Enterprise Linux (RHEL)
- 9.8
- 10.2
- SecureBoot enabled
- fwupd >= 2.0.8
Issue
- Requirement to enroll the new certificate alongside the existing ones for Secure Boot operations
- Needed for the shim update signed with the new Microsoft UEFI CA 2023 certificate
- Offline update required because the servers cannot connect to the internet
Resolution
Disclaimer: Links contained herein to an external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.
- Content from fwupd.org is not included.
- fwupd is a system daemon that connects to the Linux Vendor Firmware Service (LVFS) to collect firmware updates hosted by supported OEM vendors for the hardware devices connected to the system.
- The LVFS is a secure web service that allows hardware vendors to upload firmware updates. The metadata and files provided by LVFS are used by all major Linux distributions to provide metadata for clients such as GNOME Software and fwupdmgr. There is also no charge to vendors for LVFS to host or distribute content.
- Important: Red Hat is not responsible for the firmware distributed via LVFS.
- This solution focuses on how to find and download cabinet files to use them for offline installation.
- For general information on how to use fwupd see: How to update device firmware using fwupd on RHEL system?
- To locate the URI of the cabinet file with the Microsoft UEFI CA 2023 certificate, a system of the same architecture and type that has access to the LVFS repository on the internet is required.
- For example, to enroll the new certificate on virtual machines (VMs), a VM from the same platform is required. It is not possible to use a bare metal host instead, as the cabinet files are different and cannot be installed on a VM.
- The following code block shows how to use fwupdmgr to list available firmware updates.
- Note that fwupd refers to the UEFI db as a device.
- The following examples use a VMware vSphere VM version 19.
- The output of the fwupdmgr get-updates --json command has been truncated, showing only the relevant device, UEFI CA.
- The key Locations shows the URI where the necessary cabinet file can be downloaded.
[user@localhost ~]$ rpm -q fwupd
fwupd-2.0.19-2.el9_8.x86_64
[user@localhost ~]$ sudo fwupdmgr refresh
No remotes are currently enabled so no metadata is available.
Metadata can be obtained from the Linux Vendor Firmware Service.
Enable this remote? [Y|n]: Y
Decompressing… [***************************************]
Metadata is up to date; use --force to refresh again.
[user@localhost ~]$ fwupdmgr refresh --force
Decompressing… [ - ]
Updating lvfs
Downloading… [***************************************]
Successfully downloaded new metadata:
• 7 devices are updatable
• 2 devices are supported in the enabled remotes (an update has been published)
[user@localhost ~]$ fwupdmgr get-updates --json
{
  "Devices" : [
    {
      "Name" : "UEFI CA",
      "DeviceId" : "5bc922b7bd1adb5b6f99592611404036bd9f42d0",
      "ParentDeviceId" : "0352a8acc949c7df21fec16e566ba9a74e797a97",
      "CompositeId" : "0352a8acc949c7df21fec16e566ba9a74e797a97",
      "InstanceIds" : [
        "UEFI\\VENDOR_Microsoft&NAME_Microsoft-UEFI-CA",
        "UEFI\\CRT_E30CF09DABEAB32A6E3B07A7135245DE05FFB658"
      ],
      "Guid" : [
        "26f42cba-9bf6-5365-802b-e250eb757e96",
        "c34a7e6a-bd86-5244-8bd0-7db66fd3c073"
      ],
      "Plugin" : "uefi_db",
      "Protocols" : [
        "org.uefi.dbx2"
      ],
      "Flags" : [
        "internal",
        "updatable",
        "supported",
        "needs-reboot",
        "signed-payload",
        "can-emulation-tag"
      ],
      "Vendor" : "Microsoft",
      "VendorIds" : [
        "UEFI:Microsoft"
      ],
      "Version" : "2011",
      "VersionFormat" : "number",
      "VersionRaw" : 2011,
      "Icons" : [
        "application-certificate"
      ],
      "Created" : 1775657668,
      "Releases" : [
        {
          "AppstreamId" : "com.microsoft.db-uefi-3p.firmware",
          "ReleaseId" : "116503",
          "RemoteId" : "lvfs",
          "Name" : "Secure Boot Signature Database",
          "Summary" : "UEFI Secure Boot Signature Database",
          "Description" : "<p>This updates the 3rd Party UEFI Signature Database (the \"db\") to the latest release from Microsoft.It also adds the latest OptionROM UEFI Signature Database update.</p>",
          "Version" : "2023",
          "Filename" : "DBUpdate-3P2023_OROM2023.cab",
          "Protocol" : "org.uefi.dbx2",
          "Categories" : [
            "X-Configuration",
            "X-System"
          ],
          "Checksum" : [
            "15f17a21390328a695ad56ff8e2c65c9acbfe77c",
            "6819c8098f09f4332a102194df6a033563aa288073b16315c5b88860fefb7e74"
          ],
          "License" : "LicenseRef-proprietary",
          "Size" : 10023,
          "Created" : 1745884800,
          "Locations" : [
            "https://fwupd.org/downloads/4bdf420ad7e5ddde89d7a66ffe1b4328927059d56551f03afac855c4ed80f6c3-DBUpdate-3P2023_OROM2023.cab"
          ],
          "Homepage" : "https://fwupd.github.io/libfwupdplugin/uefi-db.html",
          "Vendor" : "Linux Foundation",
          "Flags" : [
            "trusted-metadata",
            "is-upgrade"
          ],
          …
        ]
      }
    ]
  },
  …
- Download the file from the URI specified in Locations. Example:
[user@localhost ~]$ curl -L https://fwupd.org/downloads/4bdf420ad7e5ddde89d7a66ffe1b4328927059d56551f03afac855c4ed80f6c3-DBUpdate-3P2023_OROM2023.cab -o DBUpdate-3P2023_OROM2023.cab
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 435 100 435 0 0 1228 0 --:--:-- --:--:-- --:--:-- 1228
100 16238 100 16238 0 0 28142 0 --:--:-- --:--:-- --:--:-- 28142
[user@localhost ~]$ ls -l
total 16
-rw-r--r--. 1 user user 16238 Apr 8 16:36 DBUpdate-3P2023_OROM2023.cab
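The two steps above (reading the Locations URI out of the JSON and downloading the cabinet) can be scripted, and the LVFS metadata also carries the Checksum values for the release, which the solution does not use. The following Python helper is an added example, not part of this solution or of fwupd: it parses the output of fwupdmgr get-updates --json, picks the newest release of the device handled by the uefi_db plugin, downloads the cabinet and keeps it only if its SHA-1 and SHA-256 match the Checksum list, so a file that was altered or truncated while being distributed to the offline servers is rejected before fwupdmgr local-install. The embedded JSON is a constructed, shortened copy of the output shown above; the --sample switch and the function names are this example's own.

```python
#!/usr/bin/env python3
"""Added example: select the UEFI db cabinet from fwupdmgr JSON and verify it.

Not part of the Red Hat solution or of fwupd. Assumes the JSON layout shown
in the solution (Devices -> Releases -> Filename/Locations/Checksum).
"""
import hashlib
import json
import subprocess
import sys
import urllib.request

# Constructed sample: a shortened copy of the get-updates --json output above.
SAMPLE_JSON = """{
  "Devices": [
    {
      "Name": "UEFI CA",
      "Plugin": "uefi_db",
      "Version": "2011",
      "Releases": [
        {
          "Version": "2023",
          "Filename": "DBUpdate-3P2023_OROM2023.cab",
          "Checksum": [
            "15f17a21390328a695ad56ff8e2c65c9acbfe77c",
            "6819c8098f09f4332a102194df6a033563aa288073b16315c5b88860fefb7e74"
          ],
          "Locations": [
            "https://fwupd.org/downloads/4bdf420ad7e5ddde89d7a66ffe1b4328927059d56551f03afac855c4ed80f6c3-DBUpdate-3P2023_OROM2023.cab"
          ]
        }
      ]
    }
  ]
}"""

# hashlib algorithm keyed by hex digest length; LVFS lists SHA-1 and SHA-256.
DIGEST_ALGOS = {40: "sha1", 64: "sha256"}


def find_uefi_db_release(updates_json, plugin="uefi_db"):
    """Return (filename, url, checksums) for the newest release of the db device, or None."""
    data = json.loads(updates_json)
    for device in data.get("Devices", []):
        if device.get("Plugin") != plugin:
            continue
        releases = device.get("Releases", [])
        if not releases:
            continue
        rel = releases[0]  # fwupd lists the newest release first
        return rel["Filename"], rel["Locations"][0], list(rel.get("Checksum", []))
    return None


def verify_checksums(data, checksums):
    """True only if every checksum of a known digest type matches and at least one was checked."""
    checked = 0
    for expected in checksums:
        algo = DIGEST_ALGOS.get(len(expected))
        if algo is None:
            continue  # unknown digest type: skip it rather than guess
        if hashlib.new(algo, data).hexdigest() != expected.lower():
            return False
        checked += 1
    return checked > 0


def fetch_and_verify(url, checksums, out_path):
    """Download the cabinet and write it to disk only if the checksums match."""
    with urllib.request.urlopen(url) as resp:
        blob = resp.read()
    if not verify_checksums(blob, checksums):
        raise SystemExit(f"checksum mismatch for {url}; refusing to keep the file")
    with open(out_path, "wb") as fh:
        fh.write(blob)
    return out_path


def main():
    if "--sample" in sys.argv:
        updates = SAMPLE_JSON
    else:
        updates = subprocess.run(["fwupdmgr", "get-updates", "--json"],
                                 capture_output=True, text=True, check=True).stdout
    found = find_uefi_db_release(updates)
    if found is None:
        raise SystemExit("no update for the uefi_db device in the LVFS metadata")
    filename, url, sums = found
    print(f"{filename} <- {url}")
    if "--sample" not in sys.argv:
        fetch_and_verify(url, sums, filename)
        print(f"saved and verified {filename}")


if __name__ == "__main__":
    main()
```

Run it on the internet-connected VM of the same platform; with --sample it only parses the embedded JSON and prints the file name and URI without downloading. A checksum mismatch makes the script exit non-zero and leaves no file behind, which is the behaviour you want in a distribution pipeline that copies the cabinet to many servers.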
- Additional information can be reviewed using the command fwupdmgr get-details DBUpdate-3P2023_OROM2023.cab:
[user@localhost ~]$ fwupdmgr get-details DBUpdate-3P2023_OROM2023.cab
Decompressing… [ - ]
VMware, Inc. VMware7,1
│
└─UEFI CA:
      Device ID:          5bc922b7bd1adb5b6f99592611404036bd9f42d0
      Current version:    2011
      Vendor:             Microsoft (UEFI:Microsoft)
      GUIDs:              26f42cba-9bf6-5365-802b-e250eb757e96 ← UEFI\VENDOR_Microsoft&NAME_Microsoft-UEFI-CA
                          c34a7e6a-bd86-5244-8bd0-7db66fd3c073 ← UEFI\CRT_E30CF09DABEAB32A6E3B07A7135245DE05FFB658
      Device Flags:       • Internal device
                          • Updatable
                          • Supported on remote server
                          • Needs a reboot after installation
                          • Signed Payload
                          • Can tag for emulation
- Distribute the downloaded cabinet file to the systems where it is going to be installed.
- To install the update use the command fwupdmgr local-install <filename>. Example:
[user@localhost ~]$ sudo fwupdmgr local-install DBUpdate-3P2023_OROM2023.cab
[sudo] password for user:
Waiting… [***************************************]
Successfully installed firmware
An update requires a reboot to complete. Restart now? [y|N]: y
- To verify that the new certificate was installed, run the following command:
[user@localhost ~]$ mokutil --db | grep "Microsoft UEFI CA 2023"
Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
- The option -y can be used with fwupdmgr commands to answer 'yes' to all questions.
- The same workflow can be used to download and install other cabinet files available for a specific platform.
Root Cause
Diagnostic Steps
# Example with missing 2023 certificates:
[user@localhost ~]$ mokutil --db | grep Subject:
Subject: C=US, ST=California, L=Palo Alto, O=VMware, Inc.
Subject: C=US, ST=California, L=Palo Alto, O=VMware, Inc., CN=VMware Secure Boot Signing
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
# Example with 2023 certificates present:
[user@localhost ~]$ mokutil --db | grep Subject:
Subject: C=US, ST=California, L=Palo Alto, O=VMware, Inc.
Subject: C=US, ST=California, L=Palo Alto, O=VMware, Inc., CN=VMware Secure Boot Signing
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
Subject: C=US, O=Microsoft Corporation, CN=Microsoft Option ROM UEFI CA 2023
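The two listings above are compared by eye. The following Python script is an added example, not part of this solution or of mokutil: it parses the Subject lines of mokutil --db, extracts each CN, and reports which of the two 2023 Microsoft CAs that the DBUpdate-3P2023_OROM2023.cab release adds are still missing, exiting non-zero in that case so the check can run across a fleet from configuration management. The embedded samples are constructed copies of the two listings above; the --sample switch and the function names are this example's own.

```python
#!/usr/bin/env python3
"""Added example: check mokutil --db output for the 2023 Microsoft CAs.

Not part of the Red Hat solution or of mokutil. Reports which of the expected
subjects are still absent from the UEFI db after the cabinet was installed.
"""
import re
import subprocess
import sys

# Subjects added by the DBUpdate-3P2023_OROM2023.cab release, from the listing above.
EXPECTED_2023 = (
    "Microsoft UEFI CA 2023",
    "Microsoft Option ROM UEFI CA 2023",
)

# Constructed samples, copied from the two mokutil --db listings above.
SAMPLE_BEFORE = """\
Subject: C=US, ST=California, L=Palo Alto, O=VMware, Inc.
Subject: C=US, ST=California, L=Palo Alto, O=VMware, Inc., CN=VMware Secure Boot Signing
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
"""
SAMPLE_AFTER = SAMPLE_BEFORE + """\
Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
Subject: C=US, O=Microsoft Corporation, CN=Microsoft Option ROM UEFI CA 2023
"""

# A Subject line with a CN component; "." does not cross newlines, so a Subject
# without a CN (the first VMware entry above) simply does not match.
_CN_RE = re.compile(r"^\s*Subject:.*?\bCN=([^,\n]+)", re.MULTILINE)


def db_common_names(mokutil_output):
    """Return the CN of every Subject line, in db order; entries without a CN are skipped."""
    return [m.group(1).strip() for m in _CN_RE.finditer(mokutil_output)]


def missing_2023_cas(mokutil_output, expected=EXPECTED_2023):
    """Return the expected 2023 CA names that are not yet present in the db."""
    present = set(db_common_names(mokutil_output))
    return [name for name in expected if name not in present]


def main():
    if "--sample" in sys.argv:
        output = SAMPLE_AFTER
    else:
        # Same command as in the solution, run without sudo as shown there.
        output = subprocess.run(["mokutil", "--db"], capture_output=True,
                                text=True, check=True).stdout
    missing = missing_2023_cas(output)
    if missing:
        print("missing from db: " + ", ".join(missing))
        sys.exit(1)
    print("all 2023 Microsoft CAs are enrolled in db")


if __name__ == "__main__":
    main()
```

The check keys on the CN only, because the 2023 entries carry a shorter Subject (no ST or L component) than the 2011 ones, so matching the whole Subject string would be brittle across firmware vendors.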
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.