Why back to CSM after all the trouble to update Secure Boot CAs?
Is that since that other OS can't start with secure boot enabled?
It doesn't ask. I could try changing the extension to cer and see what happens. Be back shortly... hopefully.
mmm.... what happened to the 2011 KEK?
It's apparently not needed by any hardware I'm running.
Yeah... you're fully transitioned to the 2023 keys (running on 2023 Boot Manager even) so it probably won't matter. It's just weird to see the 2001 keys in DB and no 2011 KEK... kind of like seeing 2023 DB keys and no 2023 KEK. Only not really since there's no potential for long-term issues.It's apparently not needed by any hardware I'm running.
I did't append a key. I added the new key which deletes the default key. I can revert if I need to by installing the default keys if needed.
Yup, no matter what method I tried, append, would result in a fail. I took a calculated risk, because I was already booting from the 2023 boot manager, that the risk was mimimal and reverting was trivial. Lucky me I guess.
That's probably a key point. If I wasn't already booting from a 2023 boot manager, I wouldn't have attempted it. Anyway, it's a fairly easy method to update on boards similar to my X99 with an AMI BIOS. I believe as long as they get to the state where they are booting from the 2023 boot manager, it should be safe to update the KEK in this manner as a last resort if they cannot get it to update otherwise. As was mentioned, needing to boot from media that isn't signed might be an issue. I didn't test out whether using a different file extension other than .crt would work. Don't look a gift horse in the mouth.
A .crt and a .def file are completely different things and just changing the suffix won't change that. If what you have is a .cer changing it to .crt might have made the difference.Yup, no matter what method I tried, append, would result in a fail. I took a calculated risk, because I was already booting from the 2023 boot manager, that the risk was mimimal and reverting was trivial. Lucky me I guess.
That's probably a key point. If I wasn't already booting from a 2023 boot manager, I wouldn't have attempted it. Anyway, it's a fairly easy method to update on boards similar to my X99 with an AMI BIOS. I believe as long as they get to the state where they are booting from the 2023 boot manager, it should be safe to update the KEK in this manner as a last resort if they cannot get it to update otherwise. As was mentioned, needing to boot from media that isn't signed might be an issue. I didn't test out whether using a different file extension other than .crt would work. Don't look a gift horse in the mouth.
What I downloaded from github was the official microsoft corporation kek 2k ca 2023.der. Stuck it on a FAT32 thumb drive... I'm not sure where you got 'def' from. I changed the extension to .crt while initially experimenting with trying to update the KEK key. It may have also worked not changing the extension from der. I didn't experiment once I was sucessful inserting the 2023 KEK key. What I know would not work is any version of KEK key install with the default 2011 KEK keys installed.
From my fat fingers :) My understanding is a .der and a .cer/.crt can use different encodings so if a .der is rejected it seems unlikely to be any more useful to the firmware with just a suffix change if the file type (encoding) was the reason for rejection.
I obtained the signed official Microsoft cert from github as I posted. As I indicated it did not matter what method I used, I could not append or insert a new KEK key with the old key in place. It would fail regardless of which cert type was used. Der, cer or crt. Just for the sake of experimentation the same cert file will install whether it has the extension of .der or .crt. I don't believe my relatively standard AMI UEFI BIOS has any unique feature that self-signs a KEK. You seem to be over thinking this a bit.
Or under-thinking it in the area that might matter more if I only realized it. It's a pretty darn complicated interaction of things that go to make this all work, with unclear explanations and as often as not innacuracies wherever I turn.
What also makes it difficult is everyone's device may be different that the procedures, methods and solutions discussed may not apply. It can lead to confusion and frustration.
Exactly right! That's when being aware of possible outcomes for given actions can be especially helpful.
