[Secure Boot KEK Update] JDL PK-Signed KEK Update#384
Conversation
|
@microsoft-github-policy-service agree company="Japan Digital Laboratory Co., Ltd." |
|
Apologies, I'm trying to get my workflow to directly comment. If you notice, the KEK validation shows that the signature is invalid - this matches your error “Incorrect authentication data: 0xC0000022".
So I'm going to push back on that - the strict variable consistency checks is simply signature validation. The same that my script does which is telling me by doing: pip install -r pip-requirements.txt
python scripts/validate_kek.py <path-to-kek-bin-file> -vNow the thing about validating a KEK payload is that we have to assume some things - namely that your PK is included in the Certificate section: python scripts/get_auth_var_signing_certificate.py KEKUpdate_JDL_PK9F9C14B5.bin
2026-04-03 17:05:48,165 - INFO - Signing certificate extracted successfully.
2026-04-03 17:05:48,165 - INFO - Certificate saved as 'KEKUpdate_JDL_PK9F9C14B5.bin.signing_certificate.der'
2026-04-03 17:05:48,165 - INFO - SHA1 thumbprint: 9f9c14b59d14ba2be810c697402643809e888e28
2026-04-03 17:05:48,165 - INFO - SHA256 thumbprint: aa6b73e923c4c70e47ba92da424ec3f78b950f15edb21437e449c1e1ca2ae0c3
2026-04-03 17:05:48,165 - INFO -
2026-04-03 17:05:48,165 - INFO - Certificate Information:
2026-04-03 17:05:48,165 - INFO - Serial Number: 172347c60d25f7a7414bec46aa3d1db3
2026-04-03 17:05:48,165 - INFO - Issued To: CN=JDL PK 2021,O=Japan Digital Laboratory Co.\, Ltd.,C=JPThen I have to assume that you're using the exact parameters: # Standard KEK parameters
KEK_NAME = "KEK"
KEK_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
KEK_ATTRIBUTES = "NV,BS,RT,AT,AP"If this is not true, you will get an invalid signature error. This leads me to the conclusions something went wrong during creating your signing payload. But due to the nature of cryptography I can't tell you what. Comparison
I suspect something went wrong in your testing. LG python scripts/validate_kek.py -r PostSignedObjects/KEK/LG
INFO:root:Found 3 files to validate
INFO:root:Validating: KEKUpdate_LG_PK1.bin
INFO:root:Verifying authenticated variable: PostSignedObjects/KEK/LG/KEKUpdate_LG_PK1.bin
INFO:root:[+] Authenticated variable signature is VALID
INFO:root: Cryptographic Signature: VALID
INFO:root: Expected Payload: True
INFO:root:Validating: KEKUpdate_LG_PK2.bin
INFO:root:Verifying authenticated variable: PostSignedObjects/KEK/LG/KEKUpdate_LG_PK2.bin
INFO:root:[+] Authenticated variable signature is VALID
INFO:root: Cryptographic Signature: VALID
INFO:root: Expected Payload: True
INFO:root:Validating: KEKUpdate_LG_PK3.bin
INFO:root:Verifying authenticated variable: PostSignedObjects/KEK/LG/KEKUpdate_LG_PK3.bin
INFO:root:[+] Authenticated variable signature is VALID
INFO:root: Cryptographic Signature: VALID
INFO:root: Expected Payload: True
INFO:root:
============================================================
INFO:root:SUMMARY:
INFO:root: Total Files: 3
INFO:root: Valid: 3
INFO:root: Invalid: 0
INFO:root: Manufacturers: 1
INFO:root:
INFO:root:By Manufacturer:
INFO:root: root Total: 3 Valid: 3 Invalid: 0
INFO:root:============================================================
INFO:root:
Results saved to: PostSignedObjects/KEK/LG_validation_results.jsonMSI python scripts/validate_kek.py -r PostSignedObjects/KEK/MSI/
INFO:root:Found 3 files to validate
INFO:root:Validating: KEKUpdate_MSI_PK1.bin
INFO:root:Verifying authenticated variable:
INFO:root:[+] Authenticated variable signature is VALID
INFO:root: Cryptographic Signature: VALID
INFO:root: Expected Payload: True
INFO:root:Validating: KEKUpdate_MSI_PK2.bin
INFO:root:Verifying authenticated variable: PostSignedObjects/KEK/MSI/KEKUpdate_MSI_PK2.bin
INFO:root:[+] Authenticated variable signature is VALID
INFO:root: Cryptographic Signature: VALID
INFO:root: Expected Payload: True
INFO:root:Validating: KEKUpdate_MSI_PK3.bin
INFO:root:Verifying authenticated variable: PostSignedObjects/KEK/MSI/KEKUpdate_MSI_PK3.bin
INFO:root:[+] Authenticated variable signature is VALID
INFO:root: Cryptographic Signature: VALID
INFO:root: Expected Payload: True
INFO:root:
============================================================
INFO:root:SUMMARY:
INFO:root: Total Files: 3
INFO:root: Valid: 3
INFO:root: Invalid: 0
INFO:root: Manufacturers: 1
INFO:root:
INFO:root:By Manufacturer:
INFO:root: root Total: 3 Valid: 3 Invalid: 0
INFO:root:============================================================
INFO:root:
Results saved to: PostSignedObjects/KEK/MSI_validation_results.jsonRecommendationI would check that you followed steps outlined in OEM Certificate Key Rolling And if so use this script to validate before testing again on real hardware. If this reports success than I suspect you will be successful. pip install -r pip-requirements.txt
python scripts/validate_kek.py <path-to-kek-bin-file> -v |
|
Just for more information - your date time looks correct which is the other thing I would check. I would recommend pulling a fresh version of this repo and doing what I mentioned before just to reduce variables. python scripts/auth_var_tool.py describe KEKUpdate_JDL_PK9F9C14B5.bin
INFO:root:Payload SHA256: 5b85333c009d7ea55cbb6f11a5c2ff45ee1091a968504c929aed25c84674962f
INFO:root:Output: ./KEKUpdate_JDL_PK9F9C14B5.bin.authvar.txtEfiVariableAuthentication2
EfiTime: Saturday, March 06, 2010 07:17PM
-------------------- WIN_CERTIFICATE ---------------------
WIN_CERTIFICATE.dwLength = 00000548
WIN_CERTIFICATE.wRevision = 0200
WIN_CERTIFICATE.wCertificateType = 0EF1
WIN_CERTIFICATE_UEFI_GUID.cert_type = 4AAFD29D-68DF-49EE-8AA9-347D375665A7
sizeof (WIN_CERTIFICATE_UEFI_GUID.cert_data) = 00000530
------------------- CERTIFICATE DATA ---------------------
SignedData:
version=1
digestAlgorithms=DigestAlgorithmIdentifiers:
DigestAlgorithmIdentifier:
algorithm=2.16.840.1.101.3.4.2.1
parameters=0x0500
contentInfo=ContentInfo:
contentType=1.2.840.113549.1.7.1
certificates=ExtendedCertificatesAndCertificates:
ExtendedCertificateOrCertificate:
certificate=Certificate:
tbsCertificate=TBSCertificate:
version=v3
serialNumber=30755430035429026029560943843229900211
signature=AlgorithmIdentifier:
algorithm=1.2.840.113549.1.1.11
parameters=0x0500
issuer=Name:
=RDNSequence:
RelativeDistinguishedName:
AttributeTypeAndValue:
type=2.5.4.6
value=0x13024a50 ("JP")
RelativeDistinguishedName:
AttributeTypeAndValue:
type=2.5.4.10
value=0x0c224a6170616e204469676974616c204c61626f7261746f727920436f2e2c204c74642e ("Japan Digital Laboratory Co., Ltd.")
RelativeDistinguishedName:
AttributeTypeAndValue:
type=2.5.4.3
value=0x0c0b4a444c20504b2032303231 ("JDL PK 2021")
validity=Validity:
notBefore=Time:
utcTime=210909070033Z
notAfter=Time:
utcTime=310909071033Z
subject=Name:
=RDNSequence:
RelativeDistinguishedName:
AttributeTypeAndValue:
type=2.5.4.6
value=0x13024a50 ("JP")
RelativeDistinguishedName:
AttributeTypeAndValue:
type=2.5.4.10
value=0x0c224a6170616e204469676974616c204c61626f7261746f727920436f2e2c204c74642e ("Japan Digital Laboratory Co., Ltd.")
RelativeDistinguishedName:
AttributeTypeAndValue:
type=2.5.4.3
value=0x0c0b4a444c20504b2032303231 ("JDL PK 2021")
subjectPublicKeyInfo=SubjectPublicKeyInfo:
algorithm=AlgorithmIdentifier:
algorithm=1.2.840.113549.1.1.1
parameters=0x0500
subjectPublicKey=31795268810366627125471813500054789323801699238783875416889731653336119012005272118397572870165651230825759643747525936561619943290187989641962867027527122388586894953764939431590223997427414116259117193816807033123161359212168446847525128215153576202167149523997211807256001637884223892745034723929138948788881669510037877575223815395110236024318372736289283039513402830881187140131669472643723234414837391811389622509289407060339488033176013325937348804274796758346219300807229347654081093040682927396737649025650243808127687639953683387292870921241564725030093830862979097309684988583476719753829013974935589152264159439637713710451193519303360513
extensions=Extensions:
Extension:
extnID=2.5.29.15
critical=True
extnValue=0x03020780
Extension:
extnID=2.5.29.37
extnValue=0x300a06082b06010505070303
Extension:
extnID=2.5.29.14
extnValue=0x0414310cfd7c0abe48e542bc102fd580f6a3eb99dce7
signatureAlgorithm=AlgorithmIdentifier:
algorithm=1.2.840.113549.1.1.11
parameters=0x0500
signatureValue=6716512512708368031170986630566393423892085773470819104616667804733304106817833156987537834774136589678466830090225667369111960050679667551180291998465510158397800350670436177861288973884495373790653638581035684201413363108199082684554517917978271597390596149705596137536455018163234095645017924360936273284585757538932965190523454241947639440426165189664531605500939776221201329835302210524883159739790371691351838717380843915474363423187253145026935624184167641411236120735127876920648167586608455199421034319604828742466108164215123931488052827099658733114473427252286591923145921218493793095278936616442325143046
signerInfos=SignerInfos:
SignerInfo:
version=1
issuerAndSerialNumber=IssuerAndSerialNumber:
issuer=Name:
=RDNSequence:
RelativeDistinguishedName:
AttributeTypeAndValue:
type=2.5.4.6
value=0x13024a50 ("JP")
RelativeDistinguishedName:
AttributeTypeAndValue:
type=2.5.4.10
value=0x0c224a6170616e204469676974616c204c61626f7261746f727920436f2e2c204c74642e ("Japan Digital Laboratory Co., Ltd.")
RelativeDistinguishedName:
AttributeTypeAndValue:
type=2.5.4.3
value=0x0c0b4a444c20504b2032303231 ("JDL PK 2021")
serialNumber=30755430035429026029560943843229900211
digestAlgorithm=DigestAlgorithmIdentifier:
algorithm=2.16.840.1.101.3.4.2.1
parameters=0x0500
digestEncryptionAlgorithm=DigestEncryptionAlgorithmIdentifier:
algorithm=1.2.840.113549.1.1.1
parameters=0x0500
encryptedDigest=0x500d48d2037e90eba1dcb1acc9e2989a4320eaa6d5c591988eb72fce1cb39692184780145aeb42d09633d9d1f18fb985a47bcebf7fb4eab4c12d22ea38b36b7337168d0261ab087447748108757723b5e8274c393aa33067436d26181e4d85f0f8fba307914de0757da148229cd453ef559017eb861fbd8a60f2685b8515a4a5c4588e62ac169ab19da75b087b6dea9091809b3401e757c8c07325cb23af1a517b37028892cee2aa3b67b73d8707eb2f3715ba3d8135e41f2618c49bfd0bb2c8715d31f990980d98f4e9bd7fd78a11eda13e19013fed9779ab0c7f856789619790697ee15f69590f059b476077f6dc7cda444b117a65081853165b44e28eb169
-------------------- VARIABLE PAYLOAD --------------------
EfiSignatureList
Signature Type: a5c059a1-94e4-4aa7-87b5-ab155c2bf072
Signature List Size: 5e2
Signature Header Size: 0
Signature Size: 5c6
Signature Header: NONE
EfiSignatureData - EfiSignatureDataEfiCertX509
Signature Owner: 77fa9abd-0359-4d32-bd60-28f4e78f784b
Signature Data:
0x00 - 0x30 0x82 0x05 0xb2 0x30 0x82 0x03 0x9a - 0xa0 0x03 0x02 0x01 0x02 0x02 0x13 0x33 0...0..........3
0x10 - 0x00 0x00 0x00 0x13 0x14 0x16 0xb8 0x61 - 0x6d 0x82 0x82 0x4b 0x00 0x00 0x00 0x00 .......am..K....
0x20 - 0x00 0x13 0x30 0x0d 0x06 0x09 0x2a 0x86 - 0x48 0x86 0xf7 0x0d 0x01 0x01 0x0b 0x05 ..0...*.H.......
0x30 - 0x00 0x30 0x5a 0x31 0x0b 0x30 0x09 0x06 - 0x03 0x55 0x04 0x06 0x13 0x02 0x55 0x53 .0Z1.0...U....US
0x40 - 0x31 0x1e 0x30 0x1c 0x06 0x03 0x55 0x04 - 0x0a 0x13 0x15 0x4d 0x69 0x63 0x72 0x6f 1.0...U....Micro
0x50 - 0x73 0x6f 0x66 0x74 0x20 0x43 0x6f 0x72 - 0x70 0x6f 0x72 0x61 0x74 0x69 0x6f 0x6e soft Corporation
0x60 - 0x31 0x2b 0x30 0x29 0x06 0x03 0x55 0x04 - 0x03 0x13 0x22 0x4d 0x69 0x63 0x72 0x6f 1+0)..U..."Micro
0x70 - 0x73 0x6f 0x66 0x74 0x20 0x52 0x53 0x41 - 0x20 0x44 0x65 0x76 0x69 0x63 0x65 0x73 soft RSA Devices
0x80 - 0x20 0x52 0x6f 0x6f 0x74 0x20 0x43 0x41 - 0x20 0x32 0x30 0x32 0x31 0x30 0x1e 0x17 Root CA 20210..
0x90 - 0x0d 0x32 0x33 0x30 0x33 0x30 0x32 0x32 - 0x30 0x32 0x31 0x33 0x35 0x5a 0x17 0x0d .230302202135Z..
0xa0 - 0x33 0x38 0x30 0x33 0x30 0x32 0x32 0x30 - 0x33 0x31 0x33 0x35 0x5a 0x30 0x5c 0x31 380302203135Z0\1
0xb0 - 0x0b 0x30 0x09 0x06 0x03 0x55 0x04 0x06 - 0x13 0x02 0x55 0x53 0x31 0x1e 0x30 0x1c .0...U....US1.0.
0xc0 - 0x06 0x03 0x55 0x04 0x0a 0x13 0x15 0x4d - 0x69 0x63 0x72 0x6f 0x73 0x6f 0x66 0x74 ..U....Microsoft
0xd0 - 0x20 0x43 0x6f 0x72 0x70 0x6f 0x72 0x61 - 0x74 0x69 0x6f 0x6e 0x31 0x2d 0x30 0x2b Corporation1-0+
0xe0 - 0x06 0x03 0x55 0x04 0x03 0x13 0x24 0x4d - 0x69 0x63 0x72 0x6f 0x73 0x6f 0x66 0x74 ..U...$Microsoft
0xf0 - 0x20 0x43 0x6f 0x72 0x70 0x6f 0x72 0x61 - 0x74 0x69 0x6f 0x6e 0x20 0x4b 0x45 0x4b Corporation KEK
0x100 - 0x20 0x32 0x4b 0x20 0x43 0x41 0x20 0x32 - 0x30 0x32 0x33 0x30 0x82 0x01 0x22 0x30 2K CA 20230.."0
0x110 - 0x0d 0x06 0x09 0x2a 0x86 0x48 0x86 0xf7 - 0x0d 0x01 0x01 0x01 0x05 0x00 0x03 0x82 ...*.H..........
0x120 - 0x01 0x0f 0x00 0x30 0x82 0x01 0x0a 0x02 - 0x82 0x01 0x01 0x00 0xe3 0x5e 0x88 0x8b ...0.........^..
0x130 - 0x73 0x2c 0xc3 0x0a 0xc4 0xe9 0xf5 0xce - 0x81 0x2d 0xf1 0x0f 0xf1 0x26 0x35 0x37 s,.......-...&57
0x140 - 0xd1 0x49 0x53 0x71 0xb1 0x5b 0x93 0x52 - 0xaf 0xe1 0x15 0xdf 0xde 0x8b 0x39 0xbd .ISq.[.R......9.
0x150 - 0xaf 0x4c 0x65 0x75 0x53 0xe5 0xda 0x0a - 0x32 0x98 0x2f 0x33 0x26 0xb6 0x2b 0xbe .LeuS...2./3&.+.
0x160 - 0x94 0x99 0x9f 0xec 0xda 0xc2 0x8e 0x05 - 0x34 0x92 0x13 0x0f 0x63 0xbf 0x74 0xa2 ........4...c.t.
0x170 - 0x72 0xa8 0x29 0x7e 0x9f 0x32 0x21 0x29 - 0x08 0x59 0xc4 0x77 0xc4 0x2a 0x92 0x4c r.)~.2!).Y.w.*.L
0x180 - 0x87 0xb6 0x03 0x37 0xeb 0x9a 0xe2 0xc3 - 0xc9 0xb4 0x48 0x21 0xc3 0x61 0x94 0xea ...7......H!.a..
0x190 - 0x17 0x51 0xb1 0xe7 0x14 0xe2 0x24 0x63 - 0x2e 0xd5 0xf2 0xc6 0xa5 0xf2 0xa2 0x5e .Q....$c.......^
0x1a0 - 0x1f 0x69 0xc6 0x51 0x0d 0xa7 0x29 0xfb - 0x52 0x0a 0x9b 0xe3 0x88 0xe8 0x68 0xff .i.Q..).R.....h.
0x1b0 - 0xbb 0xfa 0x92 0x69 0xaf 0xc4 0x16 0xff - 0x5d 0xe5 0x5f 0xe0 0xdf 0xec 0x66 0x55 ...i....]._...fU
0x1c0 - 0x0b 0x61 0xc2 0xac 0x3b 0x20 0x6e 0xdf - 0xb4 0x0d 0xeb 0x2b 0xc8 0xd0 0xc2 0x34 .a..; n....+...4
0x1d0 - 0x4e 0x82 0x96 0x39 0xee 0xf1 0x31 0x85 - 0x04 0x3d 0xef 0xd6 0x76 0xfb 0xc3 0xca N..9..1..=..v...
0x1e0 - 0xc1 0xd5 0x8c 0x2f 0x0b 0x10 0x28 0x9b - 0x48 0x9a 0xb0 0x10 0x14 0xa4 0xd9 0x94 .../..(.H.......
0x1f0 - 0xe5 0x68 0x5b 0xcd 0x6e 0xe7 0x7a 0xec - 0xbc 0xa0 0x49 0xb8 0xa9 0x53 0xd8 0x4d .h[.n.z...I..S.M
0x200 - 0x2f 0xb2 0x7b 0xc8 0xda 0xbc 0xb2 0xe7 - 0xfc 0xab 0x70 0x10 0x77 0x95 0x45 0x49 /.{.......p.w.EI
0x210 - 0xfd 0xad 0xd2 0x3f 0x17 0xcb 0x66 0x9a - 0xf2 0x7d 0x36 0xdd 0x0a 0x2c 0xe2 0xc0 ...?..f..}6..,..
0x220 - 0x87 0x21 0x2d 0x93 0xdb 0x08 0x96 0xd2 - 0xe8 0x5c 0x54 0xe1 0x02 0x03 0x01 0x00 .!-......\T.....
0x230 - 0x01 0xa3 0x82 0x01 0x6d 0x30 0x82 0x01 - 0x69 0x30 0x0e 0x06 0x03 0x55 0x1d 0x0f ....m0..i0...U..
0x240 - 0x01 0x01 0xff 0x04 0x04 0x03 0x02 0x01 - 0x86 0x30 0x10 0x06 0x09 0x2b 0x06 0x01 .........0...+..
0x250 - 0x04 0x01 0x82 0x37 0x15 0x01 0x04 0x03 - 0x02 0x01 0x00 0x30 0x1d 0x06 0x03 0x55 ...7.......0...U
0x260 - 0x1d 0x0e 0x04 0x16 0x04 0x14 0xe0 0xab - 0x72 0xbc 0x96 0x3e 0xff 0xb8 0x66 0x9b ........r..>..f.
0x270 - 0x7d 0x10 0x5a 0x43 0x3e 0x5c 0x42 0x54 - 0x87 0x5f 0x30 0x19 0x06 0x09 0x2b 0x06 }.ZC>\BT._0...+.
0x280 - 0x01 0x04 0x01 0x82 0x37 0x14 0x02 0x04 - 0x0c 0x1e 0x0a 0x00 0x53 0x00 0x75 0x00 ....7.......S.u.
0x290 - 0x62 0x00 0x43 0x00 0x41 0x30 0x0f 0x06 - 0x03 0x55 0x1d 0x13 0x01 0x01 0xff 0x04 b.C.A0...U......
0x2a0 - 0x05 0x30 0x03 0x01 0x01 0xff 0x30 0x1f - 0x06 0x03 0x55 0x1d 0x23 0x04 0x18 0x30 .0....0...U.#..0
0x2b0 - 0x16 0x80 0x14 0x84 0x44 0x86 0x06 0x00 - 0x98 0x3f 0x2c 0xaa 0xb3 0xc5 0x89 0xf3 ....D....?,.....
0x2c0 - 0xac 0x2e 0xc9 0xe6 0x9d 0x09 0x03 0x30 - 0x65 0x06 0x03 0x55 0x1d 0x1f 0x04 0x5e .......0e..U...^
0x2d0 - 0x30 0x5c 0x30 0x5a 0xa0 0x58 0xa0 0x56 - 0x86 0x54 0x68 0x74 0x74 0x70 0x3a 0x2f 0\0Z.X.V.Thttp:/
0x2e0 - 0x2f 0x77 0x77 0x77 0x2e 0x6d 0x69 0x63 - 0x72 0x6f 0x73 0x6f 0x66 0x74 0x2e 0x63 /www.microsoft.c
0x2f0 - 0x6f 0x6d 0x2f 0x70 0x6b 0x69 0x6f 0x70 - 0x73 0x2f 0x63 0x72 0x6c 0x2f 0x4d 0x69 om/pkiops/crl/Mi
0x300 - 0x63 0x72 0x6f 0x73 0x6f 0x66 0x74 0x25 - 0x32 0x30 0x52 0x53 0x41 0x25 0x32 0x30 crosoft%20RSA%20
0x310 - 0x44 0x65 0x76 0x69 0x63 0x65 0x73 0x25 - 0x32 0x30 0x52 0x6f 0x6f 0x74 0x25 0x32 Devices%20Root%2
0x320 - 0x30 0x43 0x41 0x25 0x32 0x30 0x32 0x30 - 0x32 0x31 0x2e 0x63 0x72 0x6c 0x30 0x72 0CA%202021.crl0r
0x330 - 0x06 0x08 0x2b 0x06 0x01 0x05 0x05 0x07 - 0x01 0x01 0x04 0x66 0x30 0x64 0x30 0x62 ..+........f0d0b
0x340 - 0x06 0x08 0x2b 0x06 0x01 0x05 0x05 0x07 - 0x30 0x02 0x86 0x56 0x68 0x74 0x74 0x70 ..+.....0..Vhttp
0x350 - 0x3a 0x2f 0x2f 0x77 0x77 0x77 0x2e 0x6d - 0x69 0x63 0x72 0x6f 0x73 0x6f 0x66 0x74 ://www.microsoft
0x360 - 0x2e 0x63 0x6f 0x6d 0x2f 0x70 0x6b 0x69 - 0x6f 0x70 0x73 0x2f 0x63 0x65 0x72 0x74 .com/pkiops/cert
0x370 - 0x73 0x2f 0x4d 0x69 0x63 0x72 0x6f 0x73 - 0x6f 0x66 0x74 0x25 0x32 0x30 0x52 0x53 s/Microsoft%20RS
0x380 - 0x41 0x25 0x32 0x30 0x44 0x65 0x76 0x69 - 0x63 0x65 0x73 0x25 0x32 0x30 0x52 0x6f A%20Devices%20Ro
0x390 - 0x6f 0x74 0x25 0x32 0x30 0x43 0x41 0x25 - 0x32 0x30 0x32 0x30 0x32 0x31 0x2e 0x63 ot%20CA%202021.c
0x3a0 - 0x72 0x74 0x30 0x0d 0x06 0x09 0x2a 0x86 - 0x48 0x86 0xf7 0x0d 0x01 0x01 0x0b 0x05 rt0...*.H.......
0x3b0 - 0x00 0x03 0x82 0x02 0x01 0x00 0x85 0x02 - 0x06 0x12 0xfa 0x67 0xae 0x4f 0x39 0xa9 ...........g.O9.
0x3c0 - 0xb8 0x34 0xdc 0x5d 0x2a 0x78 0x19 0x7b - 0x38 0xee 0x9c 0x82 0x8f 0x1b 0xe2 0x3c .4.]*x.{8......<
0x3d0 - 0x3d 0x32 0x0a 0x5e 0xbf 0x58 0x06 0xe7 - 0x6f 0xf8 0x8d 0x18 0xa8 0x1b 0x84 0xf5 =2.^.X..o.......
0x3e0 - 0x9b 0xca 0xad 0x8b 0x08 0x44 0x0e 0x26 - 0x8d 0x2c 0xd8 0x5f 0x6e 0x23 0x25 0x07 .....D.&.,._n#%.
0x3f0 - 0xfa 0x5b 0x4c 0x26 0x2e 0x76 0x31 0x43 - 0x2e 0x6e 0xe8 0xc8 0x31 0xc1 0x4a 0xd2 .[L&.v1C.n..1.J.
0x400 - 0xf2 0x02 0xb7 0xa6 0xf1 0x75 0xe4 0x96 - 0xed 0x06 0xe2 0xca 0x95 0x78 0x44 0xa8 .....u.......xD.
0x410 - 0x33 0x76 0xd4 0x2b 0x4d 0xd7 0xbc 0xdc - 0x87 0x3b 0xab 0x4d 0x29 0xad 0x96 0x89 3v.+M....;.M)...
0x420 - 0xb7 0xd5 0xc2 0x8f 0xab 0x46 0xc3 0x5d - 0xb3 0xfd 0xed 0xa5 0x9e 0xf5 0x76 0xb7 .....F.]......v.
0x430 - 0x2b 0x85 0xff 0x98 0xa1 0x9f 0x6b 0x1c - 0x9b 0x3e 0xf7 0xee 0x0e 0x17 0xa3 0xfd +.....k..>......
0x440 - 0x36 0x2f 0xe1 0xcd 0x28 0x98 0x1c 0x40 - 0x99 0x26 0xca 0x03 0x8d 0xa6 0x35 0xea 6/..(..@.&....5.
0x450 - 0xd2 0x0a 0xa7 0x8b 0x16 0xae 0x21 0x01 - 0x00 0x1e 0x27 0x0f 0xb7 0x0e 0xb2 0x42 ......!...'....B
0x460 - 0x31 0x56 0x2e 0xe6 0xf8 0x8e 0xea 0x0c - 0x34 0xf0 0x4e 0xdf 0x70 0x30 0x69 0x04 1V......4.N.p0i.
0x470 - 0xd1 0xcf 0xd3 0x9c 0x64 0x46 0x6f 0xcc - 0x21 0xcd 0xcb 0xef 0x05 0x32 0xbb 0x08 ....dFo.!....2..
0x480 - 0xa6 0xd8 0x9f 0x45 0x38 0x5d 0x4e 0xd2 - 0x9c 0x92 0x89 0xe9 0x73 0xe4 0x7a 0x08 ...E8]N.....s.z.
0x490 - 0x35 0x1e 0x4f 0xa6 0xc2 0xba 0x6b 0x3e - 0xb7 0x1f 0x54 0x34 0x49 0xfa 0xb4 0x7a 5.O...k>..T4I..z
0x4a0 - 0xcb 0xda 0xa0 0x1f 0x59 0x81 0x2b 0x2a - 0xf6 0x88 0x26 0xb0 0xfa 0x6c 0xf2 0xeb ....Y.+*..&..l..
0x4b0 - 0xc1 0xd8 0xae 0x41 0xe1 0x6f 0xfc 0xbf - 0x13 0xe8 0x6e 0x14 0xe7 0xe7 0xc7 0x03 ...A.o....n.....
0x4c0 - 0x8b 0x40 0x99 0x10 0x38 0x06 0x6d 0x70 - 0xbd 0x01 0xc8 0xde 0x8d 0x56 0x1d 0x38 .@..8.mp.....V.8
0x4d0 - 0x0f 0x4f 0x23 0xa8 0x25 0x40 0xde 0xbb - 0x28 0x2d 0x43 0xaf 0xa4 0xbc 0x20 0x83 .O#.%@..(-C... .
0x4e0 - 0xb5 0x06 0xf9 0x05 0x21 0x9f 0x3b 0xb9 - 0x79 0x0d 0x70 0x6b 0x53 0xc0 0x75 0xc2 ....!.;.y.pkS.u.
0x4f0 - 0x1b 0x10 0x13 0xb3 0xe4 0x6f 0x09 0xa8 - 0xcf 0xd1 0xb7 0x0e 0x71 0x5c 0xb7 0xc9 .....o......q\..
0x500 - 0x8f 0xe5 0x1c 0xf0 0x13 0x55 0xd9 0x93 - 0xb9 0xae 0x5d 0x3f 0xca 0x0b 0xb0 0x59 .....U....]?...Y
0x510 - 0x6a 0x45 0x4a 0xc3 0xe1 0xe3 0x27 0x78 - 0x0d 0x16 0x81 0xfc 0x58 0x2d 0xb1 0x41 jEJ...'x....X-.A
0x520 - 0xba 0x18 0x0d 0xcf 0xf0 0xef 0xab 0x08 - 0x1e 0x4f 0xf8 0xfc 0xc6 0xfd 0x4b 0xdd .........O....K.
0x530 - 0x1d 0xef 0x30 0x25 0x50 0x39 0xa3 0xdf - 0xfe 0x3f 0xb9 0xfa 0xeb 0x96 0x97 0xd0 ..0%P9...?......
0x540 - 0xcd 0xf9 0x04 0x26 0xfb 0x0d 0x48 0x19 - 0x08 0xd8 0xe1 0x93 0xc1 0x50 0xc7 0x6e ...&..H......P.n
0x550 - 0x6d 0xd8 0xd0 0x6b 0x8e 0x95 0x72 0x64 - 0x50 0xc9 0xed 0x55 0x89 0x6e 0xc1 0x4b m..k..rdP..U.n.K
0x560 - 0xa2 0x06 0xd4 0x32 0xb5 0xa9 0x6d 0x65 - 0x01 0x7a 0xf1 0x52 0x57 0x18 0x05 0x30 ...2..me.z.RW..0
0x570 - 0x5c 0xb8 0x28 0x66 0x11 0xb7 0x7a 0xf0 - 0x71 0x4e 0x86 0x61 0x60 0x7a 0x6d 0x56 \.(f..z.qN.a`zmV
0x580 - 0xc7 0x5b 0x09 0x3e 0xa2 0xef 0xd4 0x0e - 0x9e 0x92 0xd3 0x1f 0x99 0xf6 0x9d 0xb1 .[.>............
0x590 - 0x1d 0x78 0x78 0x6b 0xff 0xe8 0x2a 0x04 - 0xaf 0x78 0x67 0x3e 0xf0 0x2a 0x0b 0xa7 .xxk..*..xg>.*..
0x5a0 - 0xe0 0x5d 0x01 0xe9 0x87 0x99 0x35 0x30 - 0x90 0xed 0xd7 0x45 0x6b 0x9c 0xcc 0xe6 .]....50...Ek...
0x5b0 - 0xa2 0xe4 0xe6 0x17 0xa7 0xdd ......
|
|
Thank you for your guidance. I have identified that the Cryptographic Signature: INVALID error was caused by using the repository at version v1.5.1. After switching to v1.6.4 and re-generating the binary, I ran the validation script: PowerShell I have uploaded the updated binary (KEKUpdate_JDL_PK9F9C14B5.bin) to this PR. You should now be able to verify the correct hash and signature on your end. However, I am still encountering the following error during Step 6 (applying the update via PowerShell) on the target machine: "Authentication data is invalid: 0xC0000022" (STATUS_ACCESS_DENIED / EFI_SECURITY_VIOLATION) Even though the binary is cryptographically valid and the PK on the target machine is already set to our own custom key, the Set-SecureBootUEFI command continues to fail in Secure Boot User Mode. Could you please advise on what might be causing this persistent 0xC0000022 error? Any insights would be greatly appreciated. |
Looks like you have pushed the updated one to your main branch and not the branch of this PR. |
Thanks for pointing this out. I can see that your payload is valid - so that's good news I don't suspect anything else would be wrong here.
Could you paste the exact commands you are trying and if you are in an administrative PowerShell terminal? Additionally, could you run Get-SecureBootUEFI -Name PK -OutputFilePath PK.binAnd provide the bin file? I just want to double check that the PK is set correctly. Sadly, the error emits from the firmware - not from Windows so at this stage we either need DEBUG logs from the device or we'll have to guess about how we expect the firmware to behave. |
|
Thank you for your detailed guidance and for pointing out that I had mistakenly pushed the update to the main branch instead of the PR branch. This has now been corrected, and the validated binary has been pushed to the feature/auth_var/cryptographic_validation branch. Step 6 has also been successfully completed by following Step 3 Option B (External Signing) rather than Option A. Using SignTool.exe as described in Option B produced a binary that the target UEFI firmware was able to validate correctly in Secure Boot User Mode. Summary of actions taken: Signing Method: Signed the KEK using SignTool.exe (Windows SDK) following Option B Verification: Confirmed the final binary using validate_kek.py (signature VALID, Expected Payload: True) Application: Successfully applied the update via Set-SecureBootUEFI in an elevated PowerShell session The PR has been updated with the correct binary in the appropriate branch. |
That's a newly created branch. The correct branch for this PR is |
|
Thank you very much for pointing that out. You are absolutely correct — I mistakenly pushed the update to a newly created branch instead of the intended PR branch (kek-update/jdl). I have now corrected this and pushed the validated v1.6.4 binary to the appropriate branch. I appreciate you taking the time to review my PR and for providing the guidance needed to get it back on track. Thank you. |
Primary Author: From: HagiwaraHW <hard3.hs2@jdl.co.jp> REF: microsoft#384
Primary Author: From: HagiwaraHW <hard3.hs2@jdl.co.jp> REF: microsoft#384
Primary Author: From: HagiwaraHW <hard3.hs2@jdl.co.jp> REF: microsoft#384
@HagiwaraHW Thanks for going back and forth with me! I'm going to go ahead and upload this in another PR with a reference back to here. |
|
Thank you for your support and for offering to handle the new PR. I really appreciate your help in finalizing this. Just to confirm, is there anything else I need to do on my end? If not, I'll leave the rest to you. Thanks again for all your guidance throughout this process. |
|
Nope at this point you can leave the rest to me! |
|
Merged! |
|
Mirrored to the LVFS as https://fwupd.org/lvfs/firmware/132781 |
4 participants
OEM Certificate Submission
OEM Name: JDL (Japan Digital Laboratory Co., Ltd.)
Contact Email: hard3.hs2@jdl.co.jp
Certificate Details
Testing Completed
Security Review
Additional Notes
During validation on our JDL hardware, we received the error message “Incorrect authentication data: 0xC0000022” at Step 6.
Our technical analysis indicates that this error is caused by the strict variable consistency checks required by the UEFI specification when the platform is in Secure Boot User Mode, rather than by any issue with the update file itself.
We have confirmed that the update applies successfully and without issues when the platform is in Secure Boot Setup Mode.
note:
For comparison testing, we downloaded PK‑signed KEK update files for other vendors (LG and MSI) from /secureboot_objects/PostSignedObjects/KEK/ and attempted to apply them on their respective hardware.
These tests also returned the 0xC0000022 error, producing the same result as on JDL hardware.
From this, we infer that the cause is a limitation inherent to standard UEFI environments.