1) Does the MosbyKey.crt, MosbyKey.pem also need to be copied like for example, if I am using Rufus to create a new UEFI Shell including Mosby on a different flash drive, it seems like MosbyKey.crt, MosbyKey.pem, MosbyKey.pfx are the only files I need to backup and restore to the new USB Flash Drive.
Mosby tells you explicitly that you should keep and copy the MosbyKey files if you want to use the same credentials to sign bootloaders for other machines. So, if you recreate a new Mosby drive, and want your existing signed bootloaders, or sign new ones that work on machines were you already ran Mosby, you should copy the .crt there (only the .crt is actually needed. The .pem and .pfx are used for the actual process of signing the files, but not for the installation of the cert in the DB).
2) Does Mosby actually handle installing/enabling the new boot manager 2023 and also enable the SVN for the boot manager 2023 or do one or both of those still need to be done manually?
Once you know that
SVN stands for
Secure Version Number, your screenshot gives you the answer to that.
Code:
Installing DBX: 'Microsoft's 'Secure Version Number' DBX entries [2025.01]'
Mosby always install the most recent elements related to Secure Boot, as they were defined at the time Mosby was compiled. That includes the SVN (and as an asside, that includes SBAT too). Note however that there has been SVN updates since 2025.01, but, if you run Windows of you have a Linux system that takes security seriously and applies DBX updates as they appear, the OS will take care of updating the SVN for you, as SVN is part of regular DBX updates (except Microsoft is once again treating security for people who don't use Windows as a joke, which means that they did
not push the public DBX SVN update to their
secureboot_ojbjects repo as they should have done the minute they pushed that update in Windows, and I had to, yet again,
report that they are doing a lousy job with that (which they still haven't fixed even though I opened that issue 3 weeks ago).
Currently, the SVN installed by Mosby would be
3.0.
The SVN that
should be updated by Linux and third party OSes that are Secure Boot aware, and that rely on the Secure Boot objects published by Microsoft would be
5.0.
And the SVN that gets updated by Windows 11is currently
7.0.
But again, if you have a competent OS, it shouldn't matter that the SVN installed by Mosby is a little behind, as the OS should detect and fix that automatically (since it's a run of the mill standard DBX updates, that modern OSes perform for you all the time... provided Microsoft does publish up to date DBX signed packages, which they currently don't).
Oh, and I thought it would become clear at this point that the 2023 certs that get installed as part as running Mobsy are to handle the new 2023 boot managers...
