- Epic
- Resolution: Unresolved
- ms-kek-2023 update for VMs
- rhel-virt-confidential-firmware
Description
Microsoft is rotating the Secure Boot signing keys. The KEK update must be signed by the platform key of the hardware vendor. In the case of RHEL / CentOS Stream / Fedora virtual machines this is "Red Hat Secure Boot (PK/KEK key 1)", aka 'redhatsecurebootkek01' (see https://issues.redhat.com/browse/SIGNSERVER-2145).
For new virtual machines this is not an issue: the EFI variable store template has included the 2023 Microsoft keys (both KEK and db) since early 2024. For existing virtual machines the variable store will not be updated by the host machine, though. It is possible to re-initialize the EFI variable store manually (run 'virsh start --reset-nvram $guest' once).
Nevertheless it would be very useful if virtual machines could update the KEK by themselves, similar to physical machines, via fwupd and Microsoft Update. This requires a KEK update being created, signed with the PK key, and submitted to Microsoft.
Microsoft documentation on the process:
https://github.com/microsoft/secureboot_objects/wiki/OEM-Certificate-Key-Rolling
[ note: the Linux instructions are apparently untested; there are some bugs in there ... ]
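The check a guest administrator would want before deciding whether an existing VM still needs '--reset-nvram' (or a fwupd-delivered KEK update), as an added example that is not part of this issue and not Red Hat, edk2 or fwupd code: it reads the KEK variable from efivars, walks the EFI_SIGNATURE_LIST entries and reports whether an X.509 entry whose subject CN contains "KEK 2K CA 2023" is present. Assumptions: the efivars path and GUIDs are the standard UEFI ones; the CN marker assumes the 2023 Microsoft KEK certificate's subject is "Microsoft Corporation KEK 2K CA 2023" and should be confirmed against the secureboot_objects repository; the sample variable contents are constructed stand-ins, not real certificates; CN extraction is a byte-level scan of the DER, not a full X.509 parser.

```python
#!/usr/bin/env python3
"""Added example: report whether a guest's UEFI KEK variable carries the 2023 Microsoft KEK CA."""
import hashlib
import struct
import uuid
from pathlib import Path

# Standard UEFI GUIDs: vendor GUID of the KEK variable and the X.509 signature type.
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
KEK_EFIVARS_PATH = Path(f"/sys/firmware/efi/efivars/KEK-{EFI_GLOBAL_VARIABLE}")

# Assumption: the 2023 Microsoft KEK certificate's subject CN contains this string
# ("Microsoft Corporation KEK 2K CA 2023"); confirm against microsoft/secureboot_objects.
MS_KEK_2023_CN_MARKER = "KEK 2K CA 2023"

# Constructed SignatureOwner GUID for the sample data below (not a real vendor GUID).
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")


def parse_signature_lists(data: bytes):
    """Walk concatenated EFI_SIGNATURE_LIST structures; return (sig_type, owner, sig_data) tuples."""
    entries, off = [], 0
    while off < len(data):
        if off + 28 > len(data):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        body = off + 28 + hdr_size
        if list_size < 28 or end > len(data) or body > end:
            raise ValueError(f"bad SignatureListSize/SignatureHeaderSize at offset {off}")
        if sig_size < 16 or (end - body) % sig_size:
            raise ValueError(f"signature area not a multiple of SignatureSize at offset {off}")
        while body < end:  # each entry: 16-byte SignatureOwner GUID followed by the signature data
            owner = uuid.UUID(bytes_le=data[body:body + 16])
            entries.append((sig_type, owner, data[body + 16:body + sig_size]))
            body += sig_size
        off = end
    return entries


def x509_common_names(der: bytes):
    """Best-effort CN extraction: strings following the commonName OID (2.5.4.3) in the DER bytes."""
    marker = b"\x06\x03\x55\x04\x03"  # DER encoding of OID 2.5.4.3
    names = []
    i = der.find(marker)
    while i != -1:
        j = i + len(marker)
        # 0x0c UTF8String, 0x13 PrintableString, 0x1e BMPString; only short-form lengths handled
        if j + 2 <= len(der) and der[j] in (0x0C, 0x13, 0x1E) and der[j + 1] < 0x80:
            raw = der[j + 2:j + 2 + der[j + 1]]
            names.append(raw.decode("utf-16-be") if der[j] == 0x1E else raw.decode("utf-8", "replace"))
        i = der.find(marker, j)
    return names


def kek_status(variable: bytes, strip_attributes: bool = True):
    """Summarise the X.509 entries of a KEK variable and flag whether the 2023 Microsoft KEK CA is present."""
    data = variable[4:] if strip_attributes else variable  # efivars prepends a 4-byte attributes word
    certs = [
        {"owner": str(owner), "sha256": hashlib.sha256(sig).hexdigest(), "cn": x509_common_names(sig)}
        for sig_type, owner, sig in parse_signature_lists(data)
        if sig_type == EFI_CERT_X509_GUID
    ]
    has_2023 = any(MS_KEK_2023_CN_MARKER in cn for cert in certs for cn in cert["cn"])
    return {"certificates": certs, "has_ms_kek_2023": has_2023}


def build_x509_list(owner: uuid.UUID, der: bytes) -> bytes:
    """Encode one EFI_SIGNATURE_LIST with a single X.509 entry (differently sized certs need separate lists)."""
    sig_size = 16 + len(der)
    return EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size) + owner.bytes_le + der


def fake_cert(cn: str) -> bytes:
    """Constructed stand-in for a DER certificate: not valid X.509, it only carries a commonName attribute."""
    enc = cn.encode()
    return b"\x30\x82\x01\x00" + b"\x06\x03\x55\x04\x03" + bytes([0x13, len(enc)]) + enc + b"\x00" * 8


# Constructed variable contents: attributes word (NV|BS|RT|TIME_BASED_AUTH) followed by signature lists.
_ATTRS = struct.pack("<I", 0x27)
SAMPLE_KEK_STALE = _ATTRS + build_x509_list(SAMPLE_OWNER, fake_cert("Microsoft Corporation KEK CA 2011"))
SAMPLE_KEK_UPDATED = SAMPLE_KEK_STALE + build_x509_list(SAMPLE_OWNER, fake_cert("Microsoft Corporation KEK 2K CA 2023"))


if __name__ == "__main__":
    # Inside a UEFI guest this reads the live variable; elsewhere it falls back to the constructed sample.
    blob = KEK_EFIVARS_PATH.read_bytes() if KEK_EFIVARS_PATH.exists() else SAMPLE_KEK_UPDATED
    status = kek_status(blob)
    for cert in status["certificates"]:
        print(f"owner={cert['owner']} cn={cert['cn']} sha256={cert['sha256'][:16]}...")
    print("2023 Microsoft KEK present:", status["has_ms_kek_2023"])
```

Run it as root inside the guest (efivars is readable only with privileges on most distributions); a result of False on an existing VM is the case described above where the host has not refreshed the variable store, and the SHA-256 per entry lets you compare against the certificate fingerprints published in the secureboot_objects repository instead of trusting the CN scan alone.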
What SSTs and Layered Product teams should review this?
- bootloader team
- edk2
- fwupd