Mosby tells you explicitly that you should keep and copy the MosbyKey files if you want to use the same credentials to sign bootloaders for other machines. So, if you recreate a new Mosby drive, and want your existing signed bootloaders, or sign new ones that work on machines where you already ran Mosby, you should copy the .crt there (only the .crt is actually needed. The .pem and .pfx are used for the actual process of signing the files, but not for the installation of the cert in the DB).
Once you know that SVN stands for Secure Version Number, your screenshot gives you the answer to that.
Code:
Installing DBX: 'Microsoft's 'Secure Version Number' DBX entries [2025.01]'
Mosby always installs the most recent elements related to Secure Boot, as they were defined at the time Mosby was compiled. That includes the SVN (and as an aside, that includes SBAT too). Note however that there have been SVN updates since 2025.01, but, if you run Windows or you have a Linux system that takes security seriously and applies DBX updates as they appear, the OS will take care of updating the SVN for you, as SVN is part of regular DBX updates (except Microsoft is once again treating security for people who don't use Windows as a joke, which means that they did not push the public DBX SVN update to their secureboot_objects repo as they should have done the minute they pushed that update in Windows, and I had to, yet again, report that they are doing a lousy job with that (which they still haven't fixed even though I opened that issue 3 weeks ago)).
Currently, the SVN installed by Mosby would be 3.0.
The SVN that should be updated by Linux and third party OSes that are Secure Boot aware, and that rely on the Secure Boot objects published by Microsoft would be 5.0.
And the SVN that gets updated by Windows 11 is currently 7.0.
But again, if you have a competent OS, it shouldn't matter that the SVN installed by Mosby is a little behind, as the OS should detect and fix that automatically (since it's a run of the mill standard DBX update, that modern OSes perform for you all the time... provided Microsoft does publish up to date DBX signed packages, which they currently don't).
Oh, and I thought it would become clear at this point that the 2023 certs that get installed as part of running Mosby are to handle the new 2023 boot managers...
Thanks for the detailed answer like usual. The reason I was asking is because before even using Mosby, I tried the method from Microsoft so step 1 was the Windows 2023 UEFI Certificate which obviously is gone when the keys were deleted to get into Setup Mode for Mosby.
Step 2 was updating the Boot Manager that is signed with Windows UEFI 2023 CA except in my case, my \EFI\Microsoft\Boot\bootmgfw.efi appears to have the same August 27, 2025 date/timestamp and size as the one from C:\Windows\System32\SecureBootFiles since I am using Windows Beta Insiders Builds and Mosby was last updated in June 2025 so there would be no way the ISO could contain files dated in August 27, 2025 that are signed with a July 25, 2025 signature. So at least in my case, Mosby did not install the boot manager. I did an in-place repair upgrade install after building the latest Beta 26120.6690 ISO and also did step 2 again but the source files are now dated September 27, 2025 but the \EFI\Microsoft\Boot\bootmgfw.efi never changed and still had the August 27, 2025 date, probably because it was the exact same version.
Yes, lots of acronyms to learn as I just learned what SBAT meant yesterday.
Step 3 is basically adding PCA 2011 to the DBX which is what Mosby -x does.
So then there is Step 4 which says:
"
Apply the SVN update to the firmware.
The Boot Manager deployed in Step 2 has a new self-revocation feature built-in. When the Boot Manager starts to run, it performs a self-check by comparing the Secure Version Number (SVN) that is stored in the firmware, with the SVN built into the Boot Manager. If the Boot Manager SVN is lower than the SVN stored in the firmware, the Boot Manager will refuse to run. This feature prevents an attacker from rolling back the Boot Manager to an older, non-updated version.
In future updates, when a significant security issue is fixed in the Boot Manager, the SVN number will be incremented in both the Boot Manager and the update to the firmware. Both updates will be released in the same cumulative update to make sure that patched devices are protected. Each time the SVN is updated, any bootable media will need to be updated.
Starting with the July 9, 2024, updates, the SVN is being incremented in the Boot Manager and the update to the firmware. The firmware update is optional and can be applied by following this step:
Apply the SVN update to the firmware. To do this, open a Command Prompt window as an Administrator, type each of the following commands separately, and then press Enter:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x200 /f
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
So it seems Microsoft is saying this is supposed to be some kind of SVN update and not just the SVN number itself, unless they didn't word things correctly, since Microsoft's instructions are flawed: while the reg add will work in a Command Prompt, the Start-ScheduledTask does not and will only work in PowerShell. So at least it seems that if what Microsoft said is correct, the Mosby SVN 3.0 because I did step 4 manually would cause a failure since it would be expecting 7.0. From what #4 says, it seems like with SecureBoot enabled, the boot_x64.efi will need to get updated on all media every time the SVN gets updated.
Microsoft's instructions mention that the system needs to be July 8, 2025 or later, which would be a month after Mosby or UEFI Shell had already been released, and since Mosby does not use the internet when it works, it won't be pulling anything after that version of Mosby/UEFI Shell was released either.
What Microsoft never said was if the boot manager and SVN both will automatically get updated in the EFI partition or does one have to do those two steps manually. So even if Mosby was not the most up to date for Step 2 and 4, it's really something that takes less than a minute of copy and pasting to get done manually.
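The self-check rule quoted from Microsoft's Step 4 above, modelled as an added example (not code from Mosby, Microsoft, or either poster), evaluated at the three firmware SVN levels named in the thread. The `major.minor` ordering, the raise-only update behaviour, the class and function names, and the media SVN values are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class SVN:
    major: int
    minor: int

    @classmethod
    def parse(cls, text: str) -> "SVN":
        # Assumption: "major.minor" integers compared major-first, so
        # 3.10 > 3.9 (a float comparison would get that wrong).
        major, minor = text.strip().split(".")
        return cls(int(major), int(minor))


class Firmware:
    """Hypothetical model of the SVN floor recorded via DBX updates."""

    def __init__(self, svn: str):
        self.svn = SVN.parse(svn)

    def apply_dbx_update(self, svn: str) -> bool:
        # Assumption: an update can only raise the stored SVN, never lower it.
        new = SVN.parse(svn)
        if new > self.svn:
            self.svn = new
            return True
        return False


def boot_manager_runs(firmware: Firmware, bootmgr_svn: str) -> bool:
    # Rule from the quoted text: the Boot Manager refuses to run if its own
    # SVN is lower than the SVN stored in the firmware.
    return SVN.parse(bootmgr_svn) >= firmware.svn


def boot_matrix(firmware_levels, media):
    """Map each firmware SVN level to {media name: boots?}."""
    return {
        level: {name: boot_manager_runs(Firmware(level), svn)
                for name, svn in media.items()}
        for level in firmware_levels
    }


# Firmware levels are the three values named in the thread; the media SVNs
# are constructed sample values, not read from real boot managers.
MEDIA = {"old USB stick": "3.0", "recovery ISO": "5.0", "current install": "7.0"}
MATRIX = boot_matrix(["3.0", "5.0", "7.0"], MEDIA)

if __name__ == "__main__":
    for level, row in MATRIX.items():
        print(f"firmware SVN {level}: {row}")
```

Under this model, raising the firmware SVN only locks out boot managers whose built-in SVN is below the new floor, which is why the quoted text says bootable media must be refreshed each time the SVN is incremented.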