
Importing Microsoft's 2023 Secure Boot certificates on Linux


The Microsoft Secure Boot certificates, originally issued in 2011, begin expiring in June 2026. Firmware does not generally enforce certificate expiry, so boot loaders already signed under the 2011 CAs keep booting, but Microsoft is signing new boot loaders (including shim) with the 2023 CAs, and a machine whose db lacks those CAs will refuse them. Modern systems will receive the new CAs through firmware updates, but older systems, like my Lenovo M700 Tiny computers, may not be updated by the manufacturer.

To keep these machines booting newly signed loaders, I need to import the new Microsoft Secure Boot certificates into db by hand. Microsoft publishes the signed key database updates in its official GitHub repository: github.com/microsoft/secureboot_objects

efitools

To manipulate EFI variables on Linux, we can use the efitools package, which provides utilities like efi-updatevar and efi-readvar.

Unfortunately, the efitools package is not available in the default Rocky Linux repositories. Through pkgs.org, I found a compatible version of efitools for AlmaLinux 9, which should work on Rocky Linux 9 as well.

sudo dnf install https://repo.almalinux.org/almalinux/9/devel/x86_64/os/Packages/efitools-1.9.2-9.el9.x86_64.rpm

Updating the Secure Boot Key Database

# The db update is a signed (time-based authenticated) variable update. The firmware
# verifies its signature against the KEK before accepting it, so the Microsoft KEK CA
# must already be present in KEK; check that first, or efi-updatevar will fail.
sudo efi-readvar -v KEK | grep -i 'KEK CA 2011' || echo 'Microsoft KEK CA not in KEK: the firmware will reject this update'
# Download the latest Microsoft Secure Boot key database update
curl -LO https://github.com/microsoft/secureboot_objects/raw/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin
# Remove the immutable attribute efivarfs sets on the db variable so it can be written
sudo chattr -i /sys/firmware/efi/efivars/db-*
# Append (-a) the signed update file (-f) to db instead of replacing the existing entries
sudo efi-updatevar -a -f DBUpdate3P2023.bin db
# Restore the immutable attribute
sudo chattr +i /sys/firmware/efi/efivars/db-*
# Verify that a 2023 CA now appears in db alongside the 2011 entries
sudo efi-readvar -v db | grep -i 2023
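To see exactly what a signed update will append, and to confirm afterwards what db holds, here is an added example that is not from the original post nor from Microsoft's repository. It parses the EFI_VARIABLE_AUTHENTICATION_2 wrapper and the EFI_SIGNATURE_LISTs inside a DBUpdate*.bin, applies the same list parser to a raw efivarfs dump of db (which carries a 4-byte attribute prefix instead of the signed header), and pulls the subject CN out of each X.509 entry with a small DER walk so no crypto library is needed. The certificate, signature lists and update it builds for offline use are constructed stand-ins, not Microsoft's real objects, and it checks structure only: the PKCS7 signature is verified by the firmware, not here.

```python
"""Inspect EFI Secure Boot db material: a signed DBUpdate*.bin or an efivarfs dump.
Added example for this post; structure checks only, no signature verification."""
import struct
import sys
import uuid

# GUIDs from the UEFI specification (stored mixed-endian; bytes_le handles that).
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
MS_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")  # SignatureOwner Microsoft uses
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}


def parse_auth2_header(blob):
    """Split an EFI_VARIABLE_AUTHENTICATION_2 blob into (timestamp, pkcs7, payload)."""
    year, month, day, hour, minute, second = struct.unpack_from("<H5B", blob, 0)  # EFI_TIME
    dw_length, _rev, cert_type = struct.unpack_from("<IHH", blob, 16)  # WIN_CERTIFICATE header
    if cert_type != WIN_CERT_TYPE_EFI_GUID or uuid.UUID(bytes_le=blob[24:40]) != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("not a time-based authenticated (PKCS7) variable update")
    return (year, month, day, hour, minute, second), blob[40:16 + dw_length], blob[16 + dw_length:]


def parse_signature_lists(data):
    """Walk concatenated EFI_SIGNATURE_LISTs -> [(type_name, [(owner, signature_data), ...])]."""
    out, off = [], 0
    while off < len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data):
            raise ValueError("truncated EFI_SIGNATURE_LIST at offset %d" % off)
        entries, pos, end = [], off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA: owner GUID + data
            entries.append((uuid.UUID(bytes_le=data[pos:pos + 16]), data[pos + 16:pos + sig_size]))
            pos += sig_size
        out.append((SIG_TYPE_NAMES.get(sig_type, str(sig_type)), entries))
        off = end
    return out


def der_read(buf, off):
    """Minimal DER TLV reader -> (tag, content_start, content_end)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + ln


def x509_subject_cn(der):
    """Subject commonName of a DER certificate, found by walking tbsCertificate."""
    _, off, _ = der_read(der, der_read(der, 0)[1])  # Certificate -> tbsCertificate
    if der[off] == 0xA0:  # optional [0] EXPLICIT version
        off = der_read(der, off)[2]
    for _ in range(4):  # skip serialNumber, signature, issuer, validity
        off = der_read(der, off)[2]
    _, pos, name_end = der_read(der, off)  # subject Name: SEQUENCE OF SET OF AttributeTypeAndValue
    while pos < name_end:
        _, rdn_start, rdn_end = der_read(der, pos)
        _, oid_start, oid_end = der_read(der, der_read(der, rdn_start)[1])
        if der[oid_start:oid_end] == b"\x55\x04\x03":  # id-at-commonName
            _, v_start, v_end = der_read(der, oid_end)
            return der[v_start:v_end].decode("utf-8", "replace")
        pos = rdn_end
    return None


def summarize(data, efivarfs=False):
    """Entries of a DBUpdate*.bin, or of a raw efivarfs dump (4-byte attributes come first)."""
    payload = data[4:] if efivarfs else parse_auth2_header(data)[2]
    lines = []
    for type_name, entries in parse_signature_lists(payload):
        for owner, sig in entries:
            value = x509_subject_cn(sig) if type_name == "X509" else sig.hex()
            lines.append("%s %s (owner %s)" % (type_name, value, owner))
    return lines


def new_entries(update_blob, efivarfs_dump):
    """Entries the update adds that db does not already hold (run before and after applying)."""
    return [e for e in summarize(update_blob) if e not in summarize(efivarfs_dump, efivarfs=True)]


# --- constructed sample objects for offline use; NOT Microsoft's real certificates or update ---
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    atv = der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))


def build_sample_cert(issuer_cn, subject_cn):
    """Unsigned DER certificate skeleton with a dummy signature; enough for x509_subject_cn()."""
    rsa_sha256 = der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + rsa_sha256
                  + _name(issuer_cn)
                  + der_tlv(0x30, der_tlv(0x17, b"230601000000Z") + der_tlv(0x17, b"480601000000Z"))
                  + _name(subject_cn))
    return der_tlv(0x30, tbs + rsa_sha256 + der_tlv(0x03, b"\x00" * 9))


def build_signature_list(sig_type, owner, sigs):
    """EFI_SIGNATURE_LIST with no header; all sigs must be the same length (one X.509 cert per list)."""
    body = b"".join(owner.bytes_le + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(sigs[0])) + body


def build_auth2_update(payload, pkcs7=b"\x00" * 8):
    """EFI_VARIABLE_AUTHENTICATION_2 wrapper with a placeholder PKCS7 blob (firmware would reject it)."""
    efi_time = struct.pack("<H5BxIhBx", 2023, 6, 1, 0, 0, 0, 0, 0, 0)
    win_cert = struct.pack("<IHH", 24 + len(pkcs7), 0x0200, WIN_CERT_TYPE_EFI_GUID) + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7
    return efi_time + win_cert + payload


if __name__ == "__main__":
    # Usage: inspect_db.py DBUpdate3P2023.bin
    #        inspect_db.py --efivarfs /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
    raw = open(sys.argv[-1], "rb").read()
    for line in summarize(raw, efivarfs="--efivarfs" in sys.argv):
        print(line)
```

Run it against the downloaded DBUpdate3P2023.bin before the efi-updatevar step to see which CA it carries, then against the efivarfs db file afterwards; new_entries() on the two should come back empty once the append has been accepted. Because the parser only walks the structures, a tampered file will still parse; the firmware's KEK signature check is what actually protects db, which is why the update must be obtained from Microsoft's repository rather than an arbitrary mirror.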