Secure Boot Recovery
The Microsoft 2011 Secure Boot certificates, used to verify the Windows OS and third-party applications, drivers and option ROMs through Secure Boot, expire on 10/19/2026. New certificates have been created and are available at Keys Required for Secure Boot on all PCs | Learn Microsoft.
This EFI application is used to transition a system from the 2011 certificates to the 2023 certificates.
Files
- SecureBootRecovery.c
  - Recovery logic
- SecureBootRecovery.inf
  - Setup information
- Payload/dbUpdate.bin
  - Raw recovery payload: an authenticated variable whose payload updates the DB
  - Attributes: NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS | TIME_BASED_AUTHENTICATED_WRITE_ACCESS | APPEND_WRITE
  - Note: the signer's public certificate must be present in the L"KEK" variable
  - Note: the payload in this repo is the Windows UEFI CA 2023 DB payload, signed by the Microsoft Windows Production PCA 2011
- RecoveryPayload.h
  - The C representation of Payload/dbUpdate.bin, auto-generated by Helper.py
- Helper.py
  - Generates RecoveryPayload.h from Payload/dbUpdate.bin
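As an added example, not code from this repository: a Python parser for the structure of a dbUpdate.bin-style payload, i.e. the EFI_VARIABLE_AUTHENTICATION_2 header (EFI_TIME plus a PKCS#7 WIN_CERTIFICATE_UEFI_GUID) followed by the EFI_SIGNATURE_LISTs that the firmware appends to db. It is useful for checking what a replacement payload would enroll before applying it; it checks structure only and does not verify the PKCS#7 signature against the KEK, which the firmware does at SetVariable time. The sample blob it builds is constructed here with placeholder DER and PKCS#7 bytes.

```python
import struct
import uuid
# GUIDs from the UEFI spec; bytes_le gives the on-disk (little-endian) encoding
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}
WIN_CERT_TYPE_EFI_GUID = 0x0EF1

def parse_auth2_payload(data):
    """Parse EFI_VARIABLE_AUTHENTICATION_2 (EFI_TIME + WIN_CERTIFICATE_UEFI_GUID) followed by
    the EFI_SIGNATURE_LISTs that would be appended to db. Raises ValueError on malformed input."""
    # EFI_TIME: Year, Month, Day, Hour, Minute, Second, Pad1, Nanosecond, TimeZone, Daylight, Pad2
    y, mo, d, h, mi, s, pad1, ns, tz, dl, pad2 = struct.unpack_from("<HBBBBBBIhBB", data, 0)
    if pad1 or ns or tz or dl or pad2:
        raise ValueError("time-based auth requires Pad1/Nanosecond/TimeZone/Daylight/Pad2 == 0")
    # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType; then EFI_GUID CertType
    dw_len, _rev, cert_type = struct.unpack_from("<IHH", data, 16)
    cert_guid = uuid.UUID(bytes_le=data[24:40])
    if cert_type != WIN_CERT_TYPE_EFI_GUID or cert_guid != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("AuthInfo is not a PKCS#7 WIN_CERTIFICATE_UEFI_GUID")
    if dw_len < 24 or 16 + dw_len > len(data):
        raise ValueError("dwLength out of bounds")
    pkcs7_len = dw_len - 24            # CertData follows the 8-byte header and 16-byte GUID
    body, off, lists = data[16 + dw_len:], 0, []
    while off < len(body):
        if len(body) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=body[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", body, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(body) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        sigs = body[off + 28 + hdr_size:off + list_size]
        if len(sigs) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        # each EFI_SIGNATURE_DATA = SignatureOwner GUID + SignatureData (e.g. a DER certificate)
        owners = [str(uuid.UUID(bytes_le=sigs[i:i + 16])) for i in range(0, len(sigs), sig_size)]
        lists.append({"type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)), "count": len(owners), "owners": owners})
        off += list_size
    return {"timestamp": f"{y:04d}-{mo:02d}-{d:02d} {h:02d}:{mi:02d}:{s:02d}", "pkcs7_len": pkcs7_len, "lists": lists}

def build_sample():
    """Constructed sample, not the repo's dbUpdate.bin: one X509 entry with placeholder DER/PKCS#7 bytes."""
    fake_der = b"\x30\x82" + b"\x00" * 30                       # placeholder for a DER certificate
    sig_data = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b").bytes_le + fake_der  # Microsoft SignatureOwner GUID
    sig_list = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig_data), 0, len(sig_data)) + sig_data
    fake_pkcs7 = b"\x30\x80" + b"\x00" * 14                     # placeholder for PKCS#7 SignedData
    auth = struct.pack("<HBBBBBBIhBB", 2024, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0)
    auth += struct.pack("<IHH", 24 + len(fake_pkcs7), 0x0200, WIN_CERT_TYPE_EFI_GUID) + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + fake_pkcs7
    return auth + sig_list
```

Run `parse_auth2_payload(open("Payload/dbUpdate.bin", "rb").read())` against a real payload to list the signature types and owner GUIDs it would add to db.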
Build
stuart_ci_setup -c .pytool/CISettings.py BUILDMODULE=MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.inf -p MsApplicationPkg
stuart_update -c .pytool/CISettings.py BUILDMODULE=MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.inf -p MsApplicationPkg
stuart_ci_build -c .pytool/CISettings.py BUILDMODULE=MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.inf -p MsApplicationPkg
Update the payload
If the recovery payload needs to be updated, replace the file Payload/dbUpdate.bin with a KEK-signed payload.
Then execute:
python helper.py