From 9dc0f22971e8a86a667452b950179fe651b34e81 Mon Sep 17 00:00:00 2001 From: HagiwaraHW Date: Wed, 8 Apr 2026 11:18:43 -0700 Subject: [PATCH 1/2] [Secure Boot KEK Update] JDL PK-Signed KEK Update REF: https://github.com/microsoft/secureboot_objects/pull/384 --- .../KEK/JDL/KEKUpdate_JDL_PK9F9C14B5.bin | Bin 0 -> 2874 bytes PostSignedObjects/KEK/kek_update_map.json | 8 ++++++++ 2 files changed, 8 insertions(+) create mode 100644 PostSignedObjects/KEK/JDL/KEKUpdate_JDL_PK9F9C14B5.bin 
diff --git a/PostSignedObjects/KEK/JDL/KEKUpdate_JDL_PK9F9C14B5.bin b/PostSignedObjects/KEK/JDL/KEKUpdate_JDL_PK9F9C14B5.bin new file mode 100644 index 0000000000000000000000000000000000000000..6d5fdb98bec80030da9365dafb89a5ad25da683e GIT binary patch literal 2874 zcmcJQ2UHVl7RNJbK&To5_-FwEkwBOvAgB+JDosV2Ak9dTA_PN#fZ&rzm4^isr6`Ef z3>^g&5Gf*vqJjlbq&Mk^jk3JSs!#TvJ-g?fv-{0C-#7Q0d(Zvm&j0?VhYNwmZot8Q z3}X~@2cH+X(ot;M=Q(3?I$teZ!`3|)WTBMd06-E1`O!RwqKyG}1QHIQU?4A=M=9Dk z`ZGVk1!S@i43LHJ2U&2tOavT&!-YgQ?{4Oo|D3C9Hf3~EOR}63{@owog~BaJydV!6 zVS_|t;ieWO0=Si9VEANBss20Gmf0+s>^=Eg2I0$8Jkzj0F>}Uvc`ewbd_SDG^pQrOm@c2rgPMEC z*1A31>_+-_H-F8xMhoV24jbRBR6Fl<$x>TSIN=xHuf8{Kr*A8)y!+;~w>i0D8`dFi z#G_k4-^A_G)JmiXnlX5RugDkb^HA>R?gz4%aJ5Jxm zs09Z{05IUX5oiDkK;KJJ5CGPYNCcegB#7nM@<=`qgXSin0ThZ0fdC~rn*vA?q%etZ zH4Jmlcto#8NcH8(PuC|?-j1!WG$bIX(f~|dEv$^YP~7*H>vI=bEhDLqu{VMOuVj>L zsKYm~&Nq6!bIud~bW2<`=~dQ57EygSxW7%FPfMZp+6R2<#4AI`#5>kc9Km}hHcUhb z%e7SmOK*3oI`BYF!$^8IMrE;ij=RTI&!XS3_(egWWkK?rlHgr49Vhh0FAf~+vNM#q zc?~SQ5W1qZC^mi-rTu^zqS=M{1LqRv!YRVrdd0{t2l z?fou&s6^=M)QaSTfXTj-`3$r+<1YH5CnKb~ZE5&;3|lEBV)v`;*;ehk%B?FsT|)S6 zn=b83Ie2FT`%pe$NXk08fMmlI~Qq+KCG?X z(ZyjhAAl@4Kg-`W2^Bmp6WSW~6s0EO0dCJ}xL-V#kU0 zlq0CRYOZ}sR#f)rBrzxITAFl?<=q*BEoouiCF0fO@S!$aJ_*rIL%YtBEes^=up1u#o%f0L!K?^F0%;Xyf9;>(5R?1e06X|Lw}{JC3~Eiq|BvE!a=)k}$9 z#Z4k>P9rY;eN!Gbywrw*op`^#Tl|xRmS+uWds)fbXXZ&!NUhmdLCcMg>RT5gdS;x45oBj+Ch9mi;Ffc1vAnY(qAEpZmaxjeLuo?v-paqoXY-~n~ zfg&e`BMqX_u**8iH_IQyeJCKdj$YwGfbJXzX{0mg2p-I|%e0NQ_GB>pcc`ic2L}^< ze<+jaO7m6q_wl0n2dKKzkE;GD3wbgKi4vN>%aUV5!h{xm&MrreL?{5H|M*t`0MY~E z-QgcL2#>b?uNmFxjDWwJlku1SL$ILIM#0e=myQ(e+n!&g_SQ*>x#_s(OgihV_~5Tv zWQ=p29eRxRB|$7tJo01Oqr!M@0|A8u4|X@0mGr(>Qei18t(dNS4vx}nJnE3 zZR^RDwvQkveTr2mSvtBfS>IKpJ3w2h!;bq2kBvP<#P3QG(nS0E*8(l?5^Nv zli&5OT2V#6_(l!>)NS-vluX9XJ0bl3K34Yw8^ndM<-;_dyr<7A1&%pZww@i4n8Vt1 zC*3J>(s{&NV()Ee+Bh(@g~=}xv0|rEs(V+A|LNQ;n_Ft%mzCyKvtG$rP~Kwu^}c`T z+*z7TzVz(LSERx+zwsvSu7RX_i-&%`UC(^ZT%@~Mv`*W^`PG|cpRn%FwxEd!wm`LVax?I`C*`&At%0n%F6w^65&cB$Mg0Hm-y$W**U=Q{v6- 
acLFA2Qq;k7)2|JE(jSjz4UdZE_Wl8L?@K8F literal 0 HcmV?d00001
diff --git a/PostSignedObjects/KEK/kek_update_map.json b/PostSignedObjects/KEK/kek_update_map.json
index c2ec3a9..f42b7ca 100644
--- a/PostSignedObjects/KEK/kek_update_map.json
+++ b/PostSignedObjects/KEK/kek_update_map.json
@@ -791,6 +791,14 @@
 "issued_by": "CN=JPik"
 }
 },
+ "9f9c14b59d14ba2be810c697402643809e888e28": {
+ "KEKUpdate": "JDL/KEKUpdate_JDL_PK9F9C14B5.bin",
+ "Certificate": {
+ "serial_number": "172347c60d25f7a7414bec46aa3d1db3",
+ "issued_to": "CN=JDL PK 2021,O=Japan Digital Laboratory Co.\\, Ltd.,C=JP",
+ "issued_by": "CN=JDL PK 2021,O=Japan Digital Laboratory Co.\\, Ltd.,C=JP"
+ }
+ },
 "c1604e286d306f082fc289ac121c480fb85b4bdf": {
 "KEKUpdate": "Juniper/KEKUpdate_Juniper_PK1.bin",
 "Certificate": {
From 67dd6c46ae4d28d08260e4fb90adf1e64f3b1a34 Mon Sep 17 00:00:00 2001
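Review bot: The new `KEKUpdate` entry points at `JDL/KEKUpdate_JDL_PK9F9C14B5.bin`, but nothing in this patch says whether that blob stores `CertData` as a bare `SignedData` SEQUENCE or still carries the outer `ContentInfo` wrapper. Patch 2/2 in this series rewrites the MiTAC blobs because, per its description, the wrapped form was not supported by EDK2-based firmware until recently, so the same check applies here before the entry ships. The blob is binary in this diff and cannot be inspected from the page; I would record the result in the commit description, e.g. `CertData is a bare SignedData SEQUENCE (no outer ContentInfo)`, if that is what the file contains. The key's first eight hex digits match the `PK9F9C14B5` filename suffix and `issued_to` equals `issued_by`, which is consistent with a self-signed PK; the description could also say how the key and `serial_number` were checked against the submitted certificate.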
From: Doug Flick Date: Wed, 8 Apr 2026 11:25:48 -0700 Subject: [PATCH 2/2] [Secure Boot KEK Update] MiTAC PK-Signed KEK Update - Correction Ref: https://github.com/microsoft/secureboot_objects/pull/374 These files were uploaded originally with the following ASN.1 structure, which includes an outer `ContentInfo` SEQUENCE: ``` ContentInfo ::= SEQUENCE { contentType id-signedData (1.2.840.113549.1.7.2), content [0] SignedData { ... } } ``` This is problematic because until recently, this was not supported by EDK2-based firmware. https://github.com/microsoft/mu_tiano_plus/commit/37d3eb026a766b2405daae47e02094c2ec248646 To achieve the most compatibility with existing firmware, the files have been stripped of the outer ContentInfo envelope and now store the **SignedData** SEQUENCE directly as `CertData`, starting at `30 82 05 82 02 01 01 ...` (version=1, ...). The `dwLength` field in `WIN_CERTIFICATE` was also decremented by 19 to reflect the shorter `CertData`. Everything else (the `EFI_TIME`, GUID, `SignedData` contents, and the variable payload) is byte-identical. --- .../KEK/MiTAC/KEKUpdate_MiTAC_PK1.bin | Bin 2979 -> 2960 bytes .../KEK/MiTAC/KEKUpdate_MiTAC_PK2.bin | Bin 2979 -> 2960 bytes 2 files changed, 0 insertions(+), 0 deletions(-) diff --git a/PostSignedObjects/KEK/MiTAC/KEKUpdate_MiTAC_PK1.bin b/PostSignedObjects/KEK/MiTAC/KEKUpdate_MiTAC_PK1.bin index b7a50565103f595c20a13e944c7af75773bd956a..eee1809f6f067280ce71c74b93ccced8f8d663cf 100644 GIT binary patch delta 29 ecmZ21K0#dY7CSSWu%IXd49uG-D7Dcpl^Xz1a|KTT delta 46 vcmbOrzF1uF7CSSWu%IXd3~ZbzC?znJjZ>@5qwPB{BRkWACf2r%8X4RG(ryYo diff --git a/PostSignedObjects/KEK/MiTAC/KEKUpdate_MiTAC_PK2.bin b/PostSignedObjects/KEK/MiTAC/KEKUpdate_MiTAC_PK2.bin index fe9d6d777e291869e0f4e76d0044b5a0cbdeab10..3df730ae6ca829f824cf2fa3a78c77d7ec0bb2f7 100644 GIT binary patch delta 29 ecmZ21K0#dYIXk-$zp4xa49uG-D7Dcpl^Xz5sRe@o delta 46 vcmbOrzF1uFIXk-$zp4xa3~ZbzC?znJjZ>@5qwPB{BRkWACf2r%8X4RG+87FO