Update templates

.github/workflows/prepare-binaries.yml

@@ -59,7 +59,7 @@ jobs:
       run: python scripts/secure_boot_default_keys.py --keystore Templates/MicrosoftAndOptionRoms.toml -o FirmwareArtifacts
 
     - name: Build Compatible Defaults Template (2023 MSFT + 2023 3P + 2023 OROM)
-      run: python scripts/secure_boot_default_keys.py --keystore Templates/3rdPartyCompat.toml -o FirmwareArtifacts
+      run: python scripts/secure_boot_default_keys.py --keystore Templates/MicrosoftAndThirdParty.toml -o FirmwareArtifacts
 
     - name: Upload Firmware Binaries as Artifacts
       uses: actions/upload-artifact@v4

Templates/MicrosoftAndOptionRoms.toml

@@ -1,8 +1,8 @@
 # @file
 # Template Name: Secure Desktop – Microsoft Only
 # Description:
-#  This template is for systems that need to support only Windows signed by the 2023 Windows UEFI Certificate Authority.
-#  For Windows only systems, this is the most secure template.
+#  [#!IMPORTANT] This template is not yet recommended for production systems. While this would be more secure than including the UEFI CA,
+#  currently, the Option ROM CA (e.g. Graphics cards) has not saturated the ecosystem enough to be recommended for production systems.
 #
 # Copyright (C) Microsoft Corporation
 # SPDX-License-Identifier: BSD-2-Clause-Patent
@@ -12,10 +12,10 @@
 # Default PK File Entry #
 ################################
 
-[DefaultPk]
+[PK]
 help = "Contains the Microsoft PK to enable signature database updates and binary execution."
 
-[[DefaultPk.files]]
+[[PK.files]]
 path = "PreSignedObjects/PK/Certificate/WindowsOEMDevicesPK.der"
 sha1 = 0x3D8660C0CB2D57B189C3D7995572A552F75E48B5
 signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
@@ -24,10 +24,10 @@ description = "Platform Key (owner) who may authorize changes to the KEK Variabl
 ###################################
 # Default Kek File Entries #
 ###################################
-[DefaultKek]
+[KEK]
 help = "Contains the Microsoft KEKs to enable signature database updates and binary execution."
 
-[[DefaultKek.files]]
+[[KEK.files]]
 path = "PreSignedObjects/KEK/Certificates/microsoft corporation kek 2k ca 2023.der"
 url = "https://go.microsoft.com/fwlink/?linkid=2239775"
 sha1 = 0x459ab6fb5e284d272d5e3e6abc8ed663829d632b
@@ -37,17 +37,17 @@ description = "2023+ Microsoft Authorizes Signature Database Updates"
 ##################################
 # Default Db File Entries #
 ##################################
-[DefaultDb]
+[DB]
 help = "Contains only Microsoft certificates to verify binaries before execution. More than Default3PDb."
 
-[[DefaultDb.files]]
+[[DB.files]]
 path = "PreSignedObjects/DB/Certificates/windows uefi ca 2023.der"
 url = "https://go.microsoft.com/fwlink/?linkid=2239776"
 sha1 = 0x45a0fa32604773c82433c3b7d59e7466b3ac0c67
 signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
 description = "2023+ signed Windows Boot Media (e.g. 2023 signed Windows)"
 
-[[DefaultDb.files]]
+[[DB.files]]
 path = "PreSignedObjects/DB/Certificates/microsoft option rom uefi ca 2023.der"
 url = "http://www.microsoft.com/pkiops/certs/microsoft%20option%20rom%20uefi%20ca%202023.crt"
 sha1 = 0x3FB39E2B8BD183BF9E4594E72183CA60AFCD4277
@@ -57,10 +57,10 @@ description = "2023+ signed UEFI Third-Party Option ROMs (e.g. Graphics/Storage/
 ############################
 # Default Dbx File Entries #
 ############################
-[DefaultDbx]
+[DBX]
 help = "Contains a list of revoked certificates that will not execute on this system. Filtered per Architecture (ARM, Intel)."
 
-[[DefaultDbx.files]]
+[[DBX.files]]
 #
 # New recommendation is to allow the OS to manage the dbx and not ship a DefaultDbx with the firmware.
 # A valid configuration is to ship an unset DBX variable.

Templates/3rdPartyCompat.toml → Templates/MicrosoftAndThirdParty.toml

@@ -10,10 +10,10 @@
 ################################
 # Default PK File Entry        #
 ################################
-[DefaultPk]
+[PK]
 help = "Contains the Microsoft PK to enable signature database updates and binary execution."
 
-[[DefaultPk.files]]
+[[PK.files]]
 path = "PreSignedObjects/PK/Certificate/WindowsOEMDevicesPK.der"
 sha1 = 0x3D8660C0CB2D57B189C3D7995572A552F75E48B5
 signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
@@ -22,10 +22,10 @@ description = "Platform Key (owner) who may authorize changes to the KEK Variabl
 ###################################
 # Default Kek File Entries        #
 ###################################
-[DefaultKek]
+[KEK]
 help = "Contains the Microsoft KEKs to enable signature database updates and binary execution."
 
-[[DefaultKek.files]]
+[[KEK.files]]
 path = "PreSignedObjects/KEK/Certificates/microsoft corporation kek 2k ca 2023.der"
 url = "https://go.microsoft.com/fwlink/?linkid=2239775"
 sha1 = 0x459ab6fb5e284d272d5e3e6abc8ed663829d632b
@@ -35,31 +35,31 @@ description = "2023+ Microsoft Authorizes Signature Database Updates"
 ##################################
 # Default Db File Entries        #
 ##################################
-[DefaultDb]
+[DB]
 help = "Contains 2023 Microsoft and UEFI third party certificates to verify binaries before execution. More compatible than MicrosoftOnlyDefaults."
 
-[[DefaultDb.files]]
+[[DB.files]]
 path = "PreSignedObjects/DB/Certificates/windows uefi ca 2023.der"
 url = "https://go.microsoft.com/fwlink/?linkid=2239776"
 sha1 = 0x45a0fa32604773c82433c3b7d59e7466b3ac0c67
 signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
 description = "2023+ signed Windows Boot Media (e.g. 2023 signed Windows)"
 
-[[DefaultDb.files]]
+[[DB.files]]
 path = "PreSignedObjects/DB/Certificates/microsoft uefi ca 2023.der"
 url = "https://go.microsoft.com/fwlink/?linkid=2239872"
 sha1 = 0xb5eeb4a6706048073f0ed296e7f580a790b59eaa
 signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
 description = "2023+ signed Third-Party UEFI CA Signed Applications (e.g. 2023 signed Linux)"
 
-[[DefaultDb.files]]
+[[DB.files]]
 path = "PreSignedObjects/DB/Certificates/microsoft option rom uefi ca 2023.der"
 url = "http://www.microsoft.com/pkiops/certs/microsoft%20option%20rom%20uefi%20ca%202023.crt"
 sha1 = 0x3FB39E2B8BD183BF9E4594E72183CA60AFCD4277
 signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
 description = "2023+ signed UEFI Third-Party Option ROMs (e.g. Graphics/Storage/Networking Drivers)"
 
-[[DefaultDb.files]]
+[[DB.files]]
 path = "PreSignedObjects/DB/Certificates/MicCorUEFCA2011_2011-06-27.der"
 url = "https://go.microsoft.com/fwlink/p/?linkid=321194"
 sha1 = 0x46def63b5ce61cf8ba0de2e6639c1019d0ed14f3
@@ -69,10 +69,10 @@ description = "2011 signed UEFI Applications and Third-Party Option ROMs (e.g. 2
 ############################
 # Default Dbx File Entries #
 ############################
-[DefaultDbx]
+[DBX]
 help = "Contains a list of revoked certificates that will not execute on this system. Filtered per Architecture (ARM, Intel)."
 
-[[DefaultDbx.files]]
+[[DBX.files]]
 #
 # New recommendation is to allow the OS to manage the dbx and not ship a DefaultDbx with the firmware.
 # A valid configuration is to ship an unset DBX variable.

Templates/MostCompatible.toml

@@ -0,0 +1,92 @@
+# @file
+# Template Name: Most Compatible – Microsoft and 3rd Party
+# Description:
+#  This template is the most compatible template however it is the least secure. This template will allow for anything
+#  signed by the 2011 CAs or the 2023 CAs to execute. This template is not recommended for
+#  secure systems however will allow for Windows and Linux to boot with secure boot enabled.
+#
+# Copyright (C) Microsoft Corporation
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+#
+##
+################################
+# Default PK File Entry        #
+################################
+[PK]
+help = "Contains the Microsoft PK to enable signature database updates and binary execution."
+
+[[PK.files]]
+path = "PreSignedObjects/PK/Certificate/WindowsOEMDevicesPK.der"
+sha1 = 0x3D8660C0CB2D57B189C3D7995572A552F75E48B5
+signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
+description = "Platform Key (owner) who may authorize changes to the KEK Variable"
+
+###################################
+# Default Kek File Entries        #
+###################################
+[KEK]
+help = "Contains the Microsoft KEKs to enable signature database updates and binary execution."
+
+[[KEK.files]]
+path = "PreSignedObjects/KEK/Certificates/microsoft corporation kek 2k ca 2023.der"
+url = "https://go.microsoft.com/fwlink/?linkid=2239775"
+sha1 = 0x459ab6fb5e284d272d5e3e6abc8ed663829d632b
+signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
+description = "2023+ Microsoft Authorizes Signature Database Updates"
+
+##################################
+# Default Db File Entries        #
+##################################
+[DB]
+help = "Contains 2023 Microsoft and UEFI third party certificates to verify binaries before execution. Most Compatible."
+
+[[DB.files]]
+path = "PreSignedObjects/DB/Certificates/windows uefi ca 2023.der"
+url = "https://go.microsoft.com/fwlink/?linkid=2239776"
+sha1 = 0x45a0fa32604773c82433c3b7d59e7466b3ac0c67
+signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
+description = "2023+ signed Windows Boot Media (e.g. 2023 signed Windows)"
+
+[[DB.files]]
+path = "PreSignedObjects/DB/Certificates/microsoft uefi ca 2023.der"
+url = "https://go.microsoft.com/fwlink/?linkid=2239872"
+sha1 = 0xb5eeb4a6706048073f0ed296e7f580a790b59eaa
+signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
+description = "2023+ signed Third-Party UEFI CA Signed Applications (e.g. 2023 signed Linux)"
+
+[[DB.files]]
+path = "PreSignedObjects/DB/Certificates/microsoft option rom uefi ca 2023.der"
+url = "http://www.microsoft.com/pkiops/certs/microsoft%20option%20rom%20uefi%20ca%202023.crt"
+sha1 = 0x3FB39E2B8BD183BF9E4594E72183CA60AFCD4277
+signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
+description = "2023+ signed UEFI Third-Party Option ROMs (e.g. Graphics/Storage/Networking Drivers)"
+
+[[DB.files]]
+path = "PreSignedObjects/DB/Certificates/MicWinProPCA2011_2011-10-19.der"
+url = "https://go.microsoft.com/fwlink/p/?linkid=321192"
+sha1 = 0x580a6f4cc4e4b669b9ebdc1b2b3e087b80d0678d
+signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
+description = "2011 signed Windows Boot Media (e.g. 2011 signed Windows)"
+
+[[DB.files]]
+path = "PreSignedObjects/DB/Certificates/MicCorUEFCA2011_2011-06-27.der"
+url = "https://go.microsoft.com/fwlink/p/?linkid=321194"
+sha1 = 0x46def63b5ce61cf8ba0de2e6639c1019d0ed14f3
+signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
+description = "2011 signed Third-Party UEFI Applications and Third-Party Option ROMs (e.g. 2011+ Linux and Graphics/Storage/Networking Drivers)"
+
+############################
+# Default Dbx File Entries #
+############################
+[DBX]
+help = "Contains a list of revoked certificates that will not execute on this system. Filtered per Architecture (ARM, Intel)."
+
+[[DBX.files]]
+#
+# New recommendation is to allow the OS to manage the dbx and not ship a DefaultDbx with the firmware.
+# A valid configuration is to ship an unset DBX variable.
+#
+path = "PreSignedObjects/DBX/dbx.empty"
+sha1 = 0xF8D326CCD9233747A29E2F67AFEB77C25787BD39
+signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
+description =  "Special file to create an empty signature database."

scripts/windows/InstallSecureBootKeys.ps1

@@ -13,7 +13,7 @@ A path to the directory containing the pre-signed Secure Boot objects.
 .NOTES
 Author: Microsoft
 Date: 4/2/25
-Version: 1
+Version: 1.1
 #>
 
 param(
@@ -57,7 +57,7 @@ try {
     Log-Message "Enrolling certificates for Secure Boot..." "Green"
 
     # Validate the presence of required pre-signed objects
-    $RequiredFiles = @("DefaultPk.bin", "DefaultKek.bin", "DefaultDb.bin", "DefaultDbx.bin")
+    $RequiredFiles = @("PK.bin", "KEK.bin", "DB.bin", "DBX.bin")
     foreach ($RequiredFile in $RequiredFiles) {
         $FilePath = Join-Path -Path $PresignedObjectsPath -ChildPath $RequiredFile
         if (-not (Test-Path -Path $FilePath)) {
@@ -68,15 +68,15 @@ try {
     }
 
     # Validate the size of the DBX file (minimum 28 bytes - EFI_SIGNATURE_LIST minimum size assuming 0 entries)
-    $DbxFilePath = Join-Path -Path $PresignedObjectsPath -ChildPath "DefaultDbx.bin"
+    $DbxFilePath = Join-Path -Path $PresignedObjectsPath -ChildPath "DBX.bin"
     Validate-FileSize -FilePath $DbxFilePath -MinSizeBytes 28
 
     # Timestamp for Secure Boot enrollment
     $time = "2015-08-28T00:00:00Z"
 
     # Enroll certificates in reverse order
     Log-Message "Enrolling DB..." "Green"
-    $Result = Set-SecureBootUEFI -Time $time -ContentFilePath (Join-Path $PresignedObjectsPath "DefaultDb.bin") -Name db
+    $Result = Set-SecureBootUEFI -Time $time -ContentFilePath (Join-Path $PresignedObjectsPath "DB.bin") -Name db
     if ($null -ne $Result) {
         Log-Message "DB enrolled successfully." "Green"
     } else {
@@ -94,7 +94,7 @@ try {
     }
 
     Log-Message "Enrolling KEK..." "Green"
-    $Result = Set-SecureBootUEFI -Time $time -ContentFilePath (Join-Path $PresignedObjectsPath "DefaultKek.bin") -Name KEK
+    $Result = Set-SecureBootUEFI -Time $time -ContentFilePath (Join-Path $PresignedObjectsPath "KEK.bin") -Name KEK
     if ($null -ne $Result) {
         Log-Message "KEK enrolled successfully." "Green"
     } else {
@@ -103,7 +103,7 @@ try {
     }
 
     Log-Message "Enrolling PK..." "Green"
-    $PkFilePath = Join-Path -Path $PresignedObjectsPath -ChildPath "DefaultPk.bin"
+    $PkFilePath = Join-Path -Path $PresignedObjectsPath -ChildPath "PK.bin"
     $Result = $null
     if (-not [string]::IsNullOrEmpty($PathToPkP7b)) {
         $Result = Set-SecureBootUEFI -Time $time -ContentFilePath $PkFilePath -Name PK -SignedFilePath $PathToPkP7b