bootable distro and secure boot query


So UEFI KEK certs validate UEFI DB certs - is that right?

Are both coded into the BIOS chip, or do the latter reside in the EFI partition?
 

My Computer

At a glance

OS
windows 11 64 bit
Computer type
Laptop
Manufacturer/Model
HP x360 cd
CPU
intel i5 8th generation
Memory
16GB
Screen Resolution
1920
Hard Drives
one 500 GB SSD plus 1 TB hdd (2.5 inches)
Keyboard
inbuilt
Mouse
inbuilt trackpad
Internet Speed
500 Mbps
Browser
Edge chromium
Antivirus
Defender
There's a cert trust hierarchy that goes:
1. Vendor installs the Platform Key first.

2. KEK CA 2011 or 2023 is validated by the PK. The vendor can provide a KEK (supplied by MS) which they've signed using their PK. Or you can submit a KEK .der file to the UEFI console, and have it submitted (trusted) against the UEFI's current PK.

3. Various DB and DBX certs are validated by the KEK.

The BIOS firmware has a set of factory-default certs that are hard-coded, but the UEFI has dynamic NVRAM storage of the current values. When you reset to factory defaults, it drops to the bare minimum keys needed to boot a legacy CA 2011 system. Adding UEFI certs updates the dynamic variable memory, which is then unchanged until it gets updated again or reset to factory defaults.

This is why an updated BIOS is important: it provides the lowest level of fallback. Not having the CA 2023 certs in the factory image means that if you ever reset the UEFI variables, you have to repeat the cert import process to re-populate the missing certs.
 

My Computer

At a glance

Windows 7
OS
Windows 7
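The hierarchy described in the reply above (PK authorises KEK entries, KEK authorises db/dbx entries, all stored as EFI_SIGNATURE_LIST structures in NVRAM) can be inspected directly from Windows. The script below is an added example, not code from this thread or from Microsoft: it reads PK, KEK, db and dbx with the SecureBoot module's Get-SecureBootUEFI, parses the EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout from the UEFI specification, prints the X.509 subjects it finds (and counts the SHA-256 hash entries that make up most of dbx), and then answers the question this thread keeps returning to: whether a 2023 KEK and the Windows UEFI CA 2023 are present yet. The function name Get-EfiSignatureEntries is my own; the two signature-type GUIDs are the spec's constants; the subject substrings in the final check ('KEK 2K CA 2023', 'Windows UEFI CA 2023') are the Microsoft CA names as I know them, so treat those two matches as an assumption and compare against the printed subjects. It only reads; it changes nothing. Run it from an elevated PowerShell on a UEFI system.

```powershell
# Added example (not from the thread): walk the Secure Boot key hierarchy
# PK -> KEK -> db/dbx by reading each UEFI variable and parsing its
# EFI_SIGNATURE_LIST entries. Read-only. Needs an elevated PowerShell on UEFI.
#Requires -RunAsAdministrator

# Signature-type GUIDs from the UEFI specification.
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-EfiSignatureEntries {
    # Parse the concatenated EFI_SIGNATURE_LIST structures held in one
    # Secure Boot variable and emit one object per EFI_SIGNATURE_DATA entry.
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # Header: SignatureType GUID (16) | SignatureListSize (4) |
        #         SignatureHeaderSize (4) | SignatureSize (4)
        $sigType  = [guid]::new([byte[]]($Bytes[$offset..($offset + 15)]))
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $Bytes.Length -or $sigSize -le 16) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $entry = $offset + 28 + $hdrSize
        $end   = $offset + $listSize
        while ($entry + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID (16) then the payload.
            $owner = [guid]::new([byte[]]($Bytes[$entry..($entry + 15)]))
            $data  = [byte[]]($Bytes[($entry + 16)..($entry + $sigSize - 1)])
            $item  = [ordered]@{ Type = 'Other'; Owner = $owner; Subject = $null
                                 Issuer = $null; NotAfter = $null; Thumbprint = $null }
            if ($sigType -eq $EFI_CERT_X509_GUID) {
                # Payload is a DER certificate; .NET can load it directly.
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $item.Type = 'X509'; $item.Subject = $cert.Subject; $item.Issuer = $cert.Issuer
                $item.NotAfter = $cert.NotAfter; $item.Thumbprint = $cert.Thumbprint
            } elseif ($sigType -eq $EFI_CERT_SHA256_GUID) {
                # Payload is a raw SHA-256 of a PE image (typical dbx entry).
                $item.Type = 'SHA256'
                $item.Thumbprint = ([BitConverter]::ToString($data) -replace '-', '')
            } else {
                $item.Type = "Other($sigType)"
            }
            [pscustomobject]$item
            $entry += $sigSize
        }
        $offset = $end
    }
}

if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled on this system.' }

foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
    try {
        $raw = (Get-SecureBootUEFI -Name $name).Bytes
    } catch {
        Write-Warning "Cannot read $name : $_"
        continue
    }
    $entries = @(Get-EfiSignatureEntries -Bytes $raw)
    $certs   = @($entries | Where-Object Type -eq 'X509')
    $hashes  = @($entries | Where-Object Type -eq 'SHA256')
    "`n== $name : $($certs.Count) certificate(s), $($hashes.Count) hash entries =="
    $certs | Format-Table Subject, NotAfter, Thumbprint -AutoSize
}

# The yes/no the thread cares about. Subject substrings are an assumption
# (Microsoft's CA names as I know them); check them against the list above.
$kekSubjects = @(Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name KEK).Bytes |
                 Where-Object Type -eq 'X509' | ForEach-Object Subject)
$dbSubjects  = @(Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name db).Bytes |
                 Where-Object Type -eq 'X509' | ForEach-Object Subject)
"KEK contains a 2023 KEK CA      : $([bool]($kekSubjects -match 'KEK 2K CA 2023'))"
"db contains Windows UEFI CA 2023: $([bool]($dbSubjects  -match 'Windows UEFI CA 2023'))"
```

Run it before and after the update task and the db listing should gain a Windows UEFI CA 2023 entry; run it after a "reset to factory defaults" in firmware setup and, on a machine whose BIOS image predates the 2023 CAs, that entry is gone again, which is the fallback problem the reply describes. The script also makes the answer to the EFI-partition question visible: everything it prints comes from firmware variables, none of it from the ESP.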
Garlin; you earlier advised:

Code:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x40 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi E:\EFI\boot\bootx64.efi

What exactly will the above do?

followed by

copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi E:\EFI\boot\bootx64.efi

How will my Secure Boot (on my older laptop; now both are older) trust CA 2023 if it is not 'keyed' to do so? How will the reg entry help, as the registry kicks in only after the boot?

Should I run it in admin cmd or admin terminal? Confirming, to understand what I could land up doing one day and the consequences, if any.
 

You don't sound like you're ready to proceed. Which is fine; no required changes to Secure Boot will be made to either PC until early next year.

You can boot Macrium (which is your current goal) on both systems by copying the non-EX boot file to the USB drive.
 

I've disabled Secure Boot and all the other rubbish regarding certificates etc. Once MS starts enforcing this rubbish on people, then I'm only going to use older versions of Windows on a VM. There's really ZERO necessity for domestic (i.e. non-business, just private individual) computers to have ANY of this rubbish. Modern-day hackers aren't out to pilfer €5.00 from Grandma's bank account -- they are interested in savaging national / international infrastructure etc. Scamming and identity theft are the main problems for domestic users.

Besides, I like to try all sorts of different OSes -- and many on this Forum do too. I really wonder what's the point of some of this stuff other than, I suppose, it just keeps people in jobs.

How many people seriously, even on this Forum, have EVER had a serious virus on their PC - and probably those that have got it from downloading from "dubious sites", opening email attachments from unknown sources, accepting "special offers" when downloading free software, or just giving out too much info on social media. They certainly didn't get it from hackers getting at boot sectors or that stupid TPM thing.

Cheers
jimbo
 

My Computer

At a glance

OS
Windows XP,11 Linux Fedora Rawhide pre-release 45
Computer type
PC/Desktop
CPU
2 X Intel i7
Screen Resolution
4KUHD X 2
don't think that this is going to end well for many many users with personal computers
I'm pretty certain most people who have a problem will get the simple instructions to disable secure boot or put it in CSM mode in BIOS and just keep on going.

But the thing is, so many people have motherboard BIOSes that have Secure Boot disabled by default anyway, and they never enabled it. For them, this will never be a problem.
 

My Computers

  • At a glance

    OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 5800X
    Motherboard
    Gigabyte B550M Aorus Pro
    Memory
    GSkill 3200, 2x8GB
    Graphics Card(s)
    MSI RX 6800 XT Gaming Z
    Sound Card
    on-board Realtek
    Monitor(s) Displays
    MSI 180hz
    Screen Resolution
    1440p
    Hard Drives
    Samsung 980 Pro, Samsung 870 Evo, generic PCIe NVME, WD 1TB 2.5" laptop spinner
    PSU
    Corsair RM 650
    Case
    mATX
    Cooling
    BeQuiet 240mm AIO and a bunch of case fans
    Keyboard
    one that clacks softly
    Mouse
    logitech
    Internet Speed
    bunches of bps
    Browser
    Firefox
    Antivirus
    Windows' own
  • At a glance

    Operating System
    Win11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 1700
    Motherboard
    GA-AB350M G-3
    Memory
    16GB DDR4
    Graphics card(s)
    RX-480
    Sound Card
    In-Built Realtek
    Monitor(s) Displays
    Samsung
    Screen Resolution
    1440p
    Hard Drives
    NVME/SSD's
    PSU
    Thermaltake BX1 550W
    Case
    Some junky thing
    Cooling
    ThermalTake Assassin(?)
    Browser
    FF/Edge
    Antivirus
    Whatever Windows does
    Other Info
    Secure Boot enabled updated to 2023 CA keys, TPM2.0 enabled with system drive Bitlocker'd.
How many people seriously even on this Forum have EVER had a serious Virus on their PC -
I have... they weren't viruses but "rootkits". Several of them, actually; I got them back in the days of Windows XP and Windows 7. That was before UEFI and Secure Boot made it nigh on impossible to plant them with a simple trojan.

They weren't the end of the world, but a major annoyance to clear out and repair the boot sector so I could boot into the OS and back to having fun. And that's the point, it (my computer) was for having fun browsing the craziness of the internet and playing games, along with other things. So why can't I do the dumb things too, without risking 12 hours of my life to re-install Windows, programs, all the games and restore backed up user files?

Once I got into Win10 on a machine with a UEFI BIOS and enabled secure boot that all stopped. I find it very hard to believe it was all of a sudden the trojans that typically planted the root kits and scam links that delivered the trojans, were all cleaned up.

Also, I do keep in mind that Secure Boot/TPM/BitLocker offer little to no protection against viruses that threaten the OS directly. For that I need to keep up on Security Updates and keep Defender definitions up to date.
 

I've disabled Secure Boot and all the other rubbish regarding certificates etc. Once MS starts enforcing this rubbish on people, then I'm only going to use older versions of Windows on a VM. There's really ZERO necessity for domestic (i.e. non-business, just private individual) computers to have ANY of this rubbish. Modern-day hackers aren't out to pilfer €5.00 from Grandma's bank account -- they are interested in savaging national / international infrastructure etc. Scamming and identity theft are the main problems for domestic users.

Besides, I like to try all sorts of different OSes -- and many on this Forum do too. I really wonder what's the point of some of this stuff other than, I suppose, it just keeps people in jobs.

How many people seriously, even on this Forum, have EVER had a serious virus on their PC - and probably those that have got it from downloading from "dubious sites", opening email attachments from unknown sources, accepting "special offers" when downloading free software, or just giving out too much info on social media. They certainly didn't get it from hackers getting at boot sectors or that stupid TPM thing.

Cheers
jimbo
people act like they will face some kinda evil attack or something.
 

My Computers

  • At a glance

    OS
    windows 11 home 23H2 22631.6199
    Computer type
    Laptop
    Manufacturer/Model
    HP
    CPU
    Intel core i7 (2nd gen) Turbo 3.10 ghz
    Memory
    6gb
    Graphics Card(s)
    Amd Radeon HD 7400m 1GB & Intel hd graphics
    Sound Card
    BeatsAudio
    Hard Drives
    128gb SSD
  • At a glance

    Operating System
    macOS Sequoia
    Computer type
    PC/Desktop
    Manufacturer/Model
    iMac 24"
    CPU
    M1 3.2 ghz
    Memory
    8gb onboard
    Graphics card(s)
    igpu
    Monitor(s) Displays
    Retina 4.5K
    Screen Resolution
    4480x2520
    Hard Drives
    512gb SSD
The revised "all-in-one" instructions for enterprise customers are to update the UEFI certs in one pass.
Secure Boot Certificate updates: Guidance for IT professionals and organizations

Code:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

But it works the same for all Windows editions.
 

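Putting the two quoted procedures together (the 0x40 version the OP asks about earlier in the thread, and the 0x5944 all-in-one version in this post), the script below is an added example of my own, not code from the thread or from Microsoft's guidance. It wraps the same two commands in a script that first reports state and only changes anything when run with an -Apply switch; the switch, the function names and the 30-second wait are my choices. What the two commands do: the registry value is only a bitmask of queued work, and nothing in firmware changes when it is written. The Secure-Boot-Update scheduled task is what reads that value and writes the new db (and, with 0x5944, KEK and other) entries through the firmware's authenticated-variable interface. The firmware accepts a db write because the update payload is signed under the Microsoft KEK already in NVRAM, and a KEK write because that payload is signed by the vendor's PK; that is the PK -> KEK -> db chain laid out earlier in the thread, and it is why an older machine ends up trusting CA 2023 without a BIOS update. The only bitmask values used are the two on this page; the meaning of the other bits in 0x5944 is not given here, so check them in the linked guidance before using it. The UEFICA2023Status value under the Servicing key is named as I recall it from that guidance; treat its name as an assumption and verify. The substring check on db works because a DER certificate carries its subject name as plain ASCII. The bootmgfw_EX.efi copy step for the USB stick is separate and not included.

```powershell
# Added example (not from the thread or Microsoft): report Secure Boot
# servicing state, and with -Apply run the two documented commands
# (set AvailableUpdates, start the Secure-Boot-Update task), then report again.
param(
    [uint32]$AvailableUpdates = 0x40,   # 0x40 per the thread; 0x5944 per the linked guidance
    [switch]$Apply                      # without -Apply nothing is changed
)

$sbKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$svcKey = "$sbKey\Servicing"            # status value name below is an assumption

function Test-WindowsUefiCa2023InDb {
    # DER certificates store the subject as plain ASCII, so a substring search
    # over the raw db blob is enough for a yes/no answer.
    $raw = (Get-SecureBootUEFI -Name db).Bytes
    [System.Text.Encoding]::ASCII.GetString($raw) -match 'Windows UEFI CA 2023'
}

function Get-SecureBootServicingState {
    [pscustomobject]@{
        SecureBootOn     = Confirm-SecureBootUEFI
        AvailableUpdates = (Get-ItemProperty -Path $sbKey  -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
        UEFICA2023Status = (Get-ItemProperty -Path $svcKey -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status
        Ca2023InDb       = Test-WindowsUefiCa2023InDb
    }
}

# Both the registry write and the scheduled task need elevation; fail early otherwise.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell (admin Terminal or admin cmd launching powershell both work).'
}

'Before:'; Get-SecureBootServicingState | Format-List

if (-not $Apply) { 'Re-run with -Apply to set AvailableUpdates and start the task.'; return }

# Step 1: queue the work. This is the "reg add" line; it touches only the registry.
Set-ItemProperty -Path $sbKey -Name AvailableUpdates -Value $AvailableUpdates -Type DWord

# Step 2: the task applies the Microsoft-signed variable updates via the firmware.
# Until it runs (now, or on its own schedule) nothing in NVRAM changes.
Start-ScheduledTask -TaskName '\Microsoft\Windows\PI\Secure-Boot-Update'
Start-Sleep -Seconds 30   # my choice: give the task a moment; a reboot may still be needed

'After:'; Get-SecureBootServicingState | Format-List
```

Save it as a .ps1 (any name) and run it from an elevated PowerShell: with no arguments it only reports; with -Apply it applies 0x40; with -AvailableUpdates 0x5944 -Apply it applies the all-in-one value from this post. The reg/powershell commands as quoted in the thread run equally well from an admin cmd or an admin Terminal; elevation is the only requirement. If the Ca2023InDb line flips to True after the task (or after the reboot it may ask for), the firmware accepted the KEK-signed db update, and a boot manager signed by Windows UEFI CA 2023 such as bootmgfw_EX.efi will now pass Secure Boot on that machine.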
