[Secure Boot KEK Update] Microsoft PK-Signed KEK Update #398

Closed
Flickdm wants to merge 2 commits into microsoft:main from Flickdm:upload/fixed-microsoft-bin

@Flickdm
Member

@Flickdm Flickdm commented Apr 16, 2026

Description

When this file was originally created, somehow it generated an invalid signature and would fail when applied.

This was corrected in Windows Update. However, I am publishing that change here to reflect that change.

For details on how to complete these options and their meaning refer to CONTRIBUTING.md.

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?

How This Was Tested

Hyper-V

Integration Instructions

There were additional changes required to support PK-Signed KEK updates for HyperV that were a part of the March 3B release.

@Flickdm Flickdm closed this Apr 16, 2026
@hughsie

hughsie commented Apr 24, 2026

@Flickdm this KEK fast-failed on the LVFS -- it's only working for ~20% of the 230 people that attempted it. I've attached the report JSON -- comparing the good:bad reports there are tiny differences like Intel Xeon Silver 4110 CPU @ 2.10GHz vs Intel Xeon CPU E5-2690 0 @ 2.90GHz -- both otherwise completely identical.

Most failures seem to be Read-only file system which could either be efivarfs being mounted ro (but then you'd expect that we'd see this failure for all the other KEK updates too) or that the "firmware" is returning with -EROFS when we attempt the write. Any ideas?
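
One way to separate the two explanations raised in the comment above, as an added example that is not part of the thread or of any fwupd/LVFS code. It assumes a triage script has the text of `/proc/self/mounts` and the errno of the failed write; the function names, bucket labels and sample mount lines are constructed for illustration.

```python
import errno

EFIVARS = "/sys/firmware/efi/efivars"

# Constructed /proc/self/mounts excerpts (not taken from the attached report).
MOUNTS_RW = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0
"""
# Constructed case: a read-only efivarfs mount stacked over the original one.
MOUNTS_RO = MOUNTS_RW + (
    "efivarfs /sys/firmware/efi/efivars efivarfs ro,nosuid,nodev,noexec,relatime 0 0\n"
)


def efivarfs_options(mounts_text, mountpoint=EFIVARS):
    """Return the option set of the topmost efivarfs mount, or None."""
    options = None
    for line in mounts_text.splitlines():
        fields = line.split()
        # Fields: device, mountpoint, fstype, options, dump, pass.
        if len(fields) >= 4 and fields[1] == mountpoint and fields[2] == "efivarfs":
            options = set(fields[3].split(","))  # later entries shadow earlier ones
    return options


def classify_write_failure(mounts_text, write_errno):
    """Bucket one failed KEK write by where the read-only error can originate."""
    if write_errno != errno.EROFS:
        return "other-error"
    options = efivarfs_options(mounts_text)
    if options is None:
        return "efivarfs-not-mounted"
    if "ro" in options:
        return "mount-read-only"
    # Mounted rw yet the write still returned EROFS: the refusal came from
    # below the mount layer, the second explanation in the comment.
    return "rejected-below-mount"


if __name__ == "__main__":
    # On a live system, classify against the real mount table.
    with open("/proc/self/mounts") as fh:
        print(classify_write_failure(fh.read(), errno.EROFS))
```
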

@hughsie

hughsie commented Apr 24, 2026

export.json

@Flickdm
Member Author

Flickdm commented Apr 28, 2026

@hughsie

https://support.microsoft.com/en-us/topic/known-issues-and-resolutions-for-secure-boot-certificates-updates-5813673d-2577-4718-ad28-2554a9178e40

This is a known issue that we're looking into!
