Hello,
I was poking around a F38 system to look over the Secure Boot certificates and
found something that may warrant attention.
sbattach --detach signature /boot/efi/EFI/BOOT/fbx64.efi
openssl pkcs7 -inform DER -in signature -text -print_certs > grub-certs.txt
Issuer: CN=Fedora Secure Boot CA
Validity
Not Before: Dec 7 16:04:24 2012 GMT
Not After : Dec 5 16:04:24 2022 GMT
Subject: CN=Fedora Secure Boot Signer
Not after Dec 5, 2022 ??? I think this is expired. But also
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
I think we should be on 3072 or higher at this point. But what about the
shim?
sbattach --detach signature /boot/efi/EFI/BOOT/BOOTX64.EFI
openssl pkcs7 -inform DER -in signature -text -print_certs > shim-certs.txt
Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation,
CN=Microsoft Corporation UEFI CA 2011
Validity
Not Before: Sep 9 19:40:20 2021 GMT
Not After : Sep 1 19:40:20 2022 GMT
This is also expired.
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
And also not big enough. This raises a questions. Has Microsoft updated their
certificate? Is it well distributed such that switching to it will not brick
systems? Should Fedora get a new shim for Fedora 39? Can the update move to
3072 to be compliant with CNSA 1.0 requirements? And if so, that also means
moving to SHA-384. Or did I miss some system-upgrade step that updates the
bootloader?
TBH, I am surprised by this finding. But we're all busy and it *is* working.
Best,
-Steve