v1.6.0

⚠️ IMPORTANT

Signed DBX and Revocations have been updated to include the revocations for Igel* - see #272

Updating post signed folder with signed DB update packages for 3P UEFI CA and Option ROM CA - see
#226

Bumping SVN revocation for Windows bootmgr from 5 to 7 - see
#263

What's Changed

• Updating Post signed DBX folder with latest revocation of vulnerable IGEL shims @SochiOgbuanya (#272)
  
  Change Details

    ## Description

  Secure Boot Bypass due to vulnerable IGEL Linux shims

  Attacker who has gained physical access to the device can plant vulnerable shims that allow loading older Linux loader which in turn loads unsigned Kernel. It is integrity bypass for boot code.

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?

  How This Was Tested

  Verified by trying to boot using vulnerable IGEL boot module to ensure the modules are blocked from booting on Secure boot enabled system

  Integration Instructions

  N/A

    </blockquote>
    <hr>
  </details>
  

• Clean up Post Signed Objects Branch @Flickdm (#265)
  
  Change Details

    ## Description

  Cleaning up documentation to point to the Wiki.

  Additionally,

  • Deleted uncessary copy of kek_update_map.json
  • Fixing auth_var_tool.py so it creates the output folder if it doesn't exist

  For details on how to complete these options and their meaning refer to CONTRIBUTING.md.

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?

  How This Was Tested

  Local testing to verify functionality of wiki

  Integration Instructions

  N/A
  

  
  

  ---

  
  

• Bumping SVN revocation for Windows bootmgr from 5 to 7 @SochiOgbuanya (#263)
  
  Change Details

    ## Description

  Windows bootmgr svn revocation bumped from 5 to 7 as Windows Boot Manager can be rolled back to previous vulnerable version to trigger Secure boot rollback.

  For details on how to complete these options and their meaning refer to CONTRIBUTING.md.

  • Impacts functionality? No
  • Impacts security? Yes
  • Breaking change?
  • Includes tests? No
  • Includes documentation? No

  How This Was Tested

  Booted to latest Windows version and blocked affected versions

  Integration Instructions

  N/A

    </blockquote>
    <hr>
  </details>
  

• Update InstallSecureBootKeys.ps1 @serock (#246)
  
  Change Details

    Fixes #245

  Description

  Changed "$esult" to "$Result" so that the script can properly determine if the DBX was enrolled successfully.

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?

  How This Was Tested

  Tested on a Dell Inspiron 3847 with the MicrosoftAndThirdParty/Firmware files from https://github.com/microsoft/secureboot_objects/releases/download/v1.5.1/edk2-x64-secureboot-binaries.zip and a customized DBX.bin file.

  Integration Instructions

  N/A

    </blockquote>
    <hr>
  </details>
  

• Feature: Authenticated Variable Tooling @Flickdm (#236)
  
  Change Details

    ## Description This pull request introduces two major updates: a CLI utility for working with secure boot objects in the operating system and a test script to generate test certificates to debug and work with a platform. These scripts can be used to perform the full end to end secure boot workflow in two configurations - local signing, or remote signing.

  Full chain usage will be added to the WIKI and a link will be added here.

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?
    https://github.com/microsoft/secureboot_objects/wiki/Secure-Boot-Workflow#secure-boot-workflow-setup-mode-key-installation-and-management

  How This Was Tested

  Local Testing on Devkit

  Integration Instructions

  N/A
  

  
  

  ---

  
  

• Fix "Lable" misspelling in Make2023BootableMedia.ps1 @[copilot-swe-agent[bot]](https://github.com/apps/copilot-swe-agent) (#221)
  
  Change Details

    Fixed multiple spelling errors in the PowerShell script `Make2023BootableMedia.ps1`:

  Primary fix:

  • Corrected ISO_Lable to ISO_Label throughout the script (4 occurrences on lines 230, 718, 719, and 725)
  • This ensures consistency with the correctly spelled variable declaration on line 806

  Additional spelling corrections:

  • Fixed "Avalable" to "Available" in ADK requirement message (line 76)
  • Fixed "defualt" to "default" in comment (line 717)
  • Fixed "$ISOLable" to "$ISOLabel" in comment (line 717)

  The variable name inconsistency could have caused runtime errors when the script attempts to reference $global:ISO_Label but some parts of the code were setting $global:ISO_Lable. All variable references now use the correct spelling ISO_Label.

  Fixes #220.

  ---

  💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.
  

  
  

  ---

  
  

• Updating Post signed folder with signed db update packages for 3P CAs. @SochiOgbuanya (#226)
  
  Change Details

    ## Description

  Updating post signed folder with signed DB update packages for 3P UEFI CA and Option ROM CA

  Added db update packages for 3P UEFI CA 2023 and Option ROM CA 2023 to post signed folder.
  Moved older json to archives.

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?

  How This Was Tested

  Updated on local machines and @hughsie tested via fwupd

  Integration Instructions

  FIrmware does not require this payload however third party operating systems may
  

  
  

  ---

  
  

• Create pipeline to validate DBX JSON certificate references @[copilot-swe-agent[bot]](https://github.com/apps/copilot-swe-agent) (#225)
  
  Change Details

    This PR implements a validation pipeline to ensure that DBX JSON files reference certificate files that actually exist in the `PreSignedObjects/DBX/Certificates` folder.

  Problem

  When new DBX JSON files are created, the internal certificate names referenced in the JSON don't always match the external filenames in the Certificates folder, and there was no validation to catch these mismatches. For example, the current dbx_info_msft_06_10_25.json references WindowsProduction2011.cer but the actual file is named MicWinProPCA2011_2011-10-19.der.

  Solution

  Added a new validation script and CI pipeline step that:

  1. Finds the latest DBX JSON file - Automatically locates dbx_info_msft_<date>.json files
  2. Validates certificate references - Checks that all certificates listed in the "certificates" array actually exist in the Certificates folder
  3. Provides clear error messages - Shows exactly which certificates are missing and lists available files for debugging
  4. Handles edge cases - Gracefully handles missing certificates sections, malformed JSON, etc.

  Changes Made

  New Files

  • scripts/validate_dbx_references.py - Main validation script with CLI interface
  • scripts/test_validate_dbx_references.py - Comprehensive unit tests (7 test cases)

  CI Integration

  • Added validation step to .github/workflows/prepare-binaries.yml after unit tests
  • Pipeline will now fail on PR/release if certificate references are invalid

  Other

  • Fixed .gitignore to properly exclude __pycache__ directories
  • Removed accidentally committed cache files

  Testing

  # Current mismatch is detected
  $ python scripts/validate_dbx_references.py PreSignedObjects/DBX
  ERROR: Certificate file 'WindowsProduction2011.cer' referenced in JSON but not found in PreSignedObjects/DBX/Certificates
  INFO: Available certificate files:
  INFO:   - MicWinProPCA2011_2011-10-19.der
  
  # All unit tests pass
  $ pytest scripts/test_validate_dbx_references.py
  7 passed in 0.01s

  The validation script successfully detects the existing mismatch and will prevent similar issues in the future through automated CI checks.

  Fixes #224.

  ---

  💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.
  

  
  

  ---

  
  

• Make2023BootableMedia.ps1 handle spaces in ISOPath @christophvw (#210)
  
  Change Details

    ## Description Make2023BootableMedia.ps1 handle spaces in ISOPath

    </blockquote>
    <hr>
  </details>
  

• Fix dbx\_info\_msft\_06\_10\_25.json cert file name @dinhngtu (#223)
  
  Change Details

    Fixes: eb36a97 ("Updating DBX update package with the latest revocations")

  Description

  eb36a97 broke the dbx_info.json certificate file name again.

  For details on how to complete these options and their meaning refer to CONTRIBUTING.md.

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?

  How This Was Tested

  N/A

  Integration Instructions

  N/A

    </blockquote>
    <hr>
  </details>
  

Full Changelog: v1.5.1...v1.5.2

What's Changed

• Fix dbx_info_msft_06_10_25.json cert file name by @dinhngtu in #223
• Make2023BootableMedia.ps1 handle spaces in ISOPath by @christophvw in #210
• Create pipeline to validate DBX JSON certificate references by @Copilot in #225
• pip: bump ruff from 0.11.12 to 0.12.0 by @dependabot[bot] in #227
• Repo File Sync: synced file(s) with microsoft/mu_devops by @mu-automation[bot] in #229
• pip: bump pytest from 8.4.0 to 8.4.1 by @dependabot[bot] in #228
• Updating Post signed folder with signed db update packages for 3P CAs. by @SochiOgbuanya in #226
• Fix "Lable" misspelling in Make2023BootableMedia.ps1 by @Copilot in #221
• Repo File Sync: Update to Mu DevOps v15.0.3 by @mu-automation[bot] in #235
• pip: bump ruff from 0.12.0 to 0.12.1 by @dependabot[bot] in #234
• pip: bump ruff from 0.12.1 to 0.12.2 by @dependabot[bot] in #237
• Feature: Authenticated Variable Tooling by @Flickdm in #236
• pip: bump ruff from 0.12.2 to 0.12.3 by @dependabot[bot] in #239
• pip: bump ruff from 0.12.3 to 0.12.4 by @dependabot[bot] in #240
• pip: bump ruff from 0.12.4 to 0.12.7 by @dependabot[bot] in #241
• pip: bump ruff from 0.12.7 to 0.12.8 by @dependabot[bot] in #244
• Update InstallSecureBootKeys.ps1 by @serock in #246
• pip: bump ruff from 0.12.8 to 0.12.9 by @dependabot[bot] in #247
• Repo File Sync: Update to Mu DevOps v16.0.0 by @mu-automation[bot] in #248
• pip: bump ruff from 0.12.9 to 0.12.10 by @dependabot[bot] in #249
• Repo File Sync: Update workflows to mu_devops v17 by @mu-automation[bot] in #251
• Repo File Sync: Update workflows to v17.0.1 by @mu-automation[bot] in #252
• pip: bump ruff from 0.12.10 to 0.12.11 by @dependabot[bot] in #253
• GitHub Action: Bump actions/setup-python from 5 to 6 by @dependabot[bot] in #254
• pip: bump pytest from 8.4.1 to 8.4.2 by @dependabot[bot] in #256
• pip: bump ruff from 0.12.11 to 0.12.12 by @dependabot[bot] in #257
• Repo File Sync: Update to Mu DevOps v18.0.0 by @mu-automation[bot] in #258
• pip: bump ruff from 0.13.0 to 0.13.1 by @dependabot[bot] in #259
• Bumping SVN revocation for Windows bootmgr from 5 to 7 by @SochiOgbuanya in #263
• pip: bump ruff from 0.13.1 to 0.13.2 by @dependabot[bot] in #262
• Clean up Post Signed Objects Branch by @Flickdm in #265
• pip: bump edk2-pytool-library from 0.23.2 to 0.23.8 by @dependabot[bot] in #266
• pip: bump edk2-pytool-extensions from 0.29.2 to 0.30.2 by @dependabot[bot] in #268
• pip: bump ruff from 0.13.2 to 0.14.0 by @dependabot[bot] in #267
• Repo File Sync: Update deps ignored in dependabot config by @mu-automation[bot] in #269
• pip: bump edk2-pytool-extensions from 0.30.2 to 0.30.3 by @dependabot[bot] in #271
• Updating Post signed DBX folder with latest revocation of vulnerable IGEL shims by @SochiOgbuanya in #272

New Contributors

• @dinhngtu made their first contribution in #223
• @christophvw made their first contribution in #210
• @Copilot made their first contribution in #225
• @serock made their first contribution in #246

Full Changelog: v1.5.1...v1.6.0