What's Changed
-
scripts: fix compute\_authenticode\_hash for unsigned PEs @jeremy-compostella (#440)
Change Details
When the PE has no attached certificate the security data directory fields VirtualAddress and Size are both 0. The previous unconditional slicing:
pe_data[certificate_table_offset + 0x08 : 0] # -> empty + pe_data[0 + 0 :] # -> whole file re-appendedproduced a wrong digest for unsigned images.
Add an explicit branch: when VirtualAddress == 0, hash only the bytes that follow the 8-byte cert-dir data-directory entry, which is the correct tail of an unsigned PE image.
Description
When the PE has no attached certificate the security data directory
fields VirtualAddress and Size are both 0. The previous unconditional
slicing:pe_data[certificate_table_offset + 0x08 : 0] # -> empty + pe_data[0 + 0 :] # -> whole file re-appendedproduced a wrong digest for unsigned images.
How This Was Tested
Generate Authenticode for an unsigned EFI binary and verify successful verification once enrolled in the DB.
Integration Instructions
N/A
</blockquote> <hr> </details>
-
Fix bootmgr SVN dateOfLastChange and CVE description (#444) @Flickdm (#445)
Change Details
## Description
The SVN bump from 8.0 to 9.0 (a728996) updated the value and version of the bootmgfw.efi SVN entry but left dateOfLastChange at the 8.0 date (2026-04-10) and the description at the old CVE (CVE-2023-24932).
Update both fields to match the June 9, 2026 KB5094126 rollout:
-
dateOfLastChange: 2026-04-10 -> 2026-05-21
-
description: CVE-2023-24932 -> CVE-2026-45654
-
Impacts functionality?
-
Impacts security?
-
Breaking change?
-
Includes tests?
-
Includes documentation?
How This Was Tested
verified that the json was valid
Integration Instructions
N/A
-
-
Add 7 additional Microsoft Surface KEK update packages: @jorticus-msft (#437)
Change Details
## Description
Add KEK update binaries for the following Surface PK thumbprints:
-
PK19: 4484F86E (SH2 2022 UEFI PK Signer)
-
PK20: 999B48E3 (AFF UEFI PK CA 2015)
-
PK21: CB8F3251 (LFF 3 Firmware CA 2016)
-
PK22: 5EAE312B (LFF 3 UEFI PK Signer)
-
PK23: C35BFE0D (NFF UEFI PK Signer)
-
PK24: E8DFD45C (LFF 2 UEFI PK CA 2014)
-
PK25: F4BC8D56 (XLFF UEFI PK CA 2014)
-
Impacts functionality?
-
Impacts security?
-
Breaking change?
-
Includes tests?
-
Includes documentation?
How This Was Tested
Tested on Surface devices associated with each thumbprint. No adverse effects to SecureBoot, Secured Core, or Bitlocker.
Integration Instructions
N/A
</blockquote> <hr> </details> -
-
[CVE-2026-8863] bump bootmgfw svn to v9, add 12 new x64 dbx hashes @olkorsha (#429)
Change Details
## Description
Bump bootmgfw svn to v9
Add 11 latest x64 dbx hashes
Add missing EasyFix hash from previous releasededupe and update DBXUpdateSVN.bin
update DBXUpdate.bin
-
Addressing missing bucket attribute information in 5B High confidence buckets csv @SochiOgbuanya (#414)
Change Details
Description
Addressing missing bucket attribute information in 5B High confidence buckets csv
<Include a description of the change and why this change was made.>
Previous csv was missing: OEMModelSystemVersion,FirmwareManufacturer,FirmwareVersion,FirmwareReleaseDate
These files have been updated to include the full list of bucket attributes: BA_BucketId,OSArchitecture,OEMName,OEMManufacturerName,BaseBoardManufacturer,OEMModelSystemFamily,OEMModelBaseBoard,OEMModelBaseBoardVersion,OEMModelSKU,OEMModelNumber,OEMModelSystemVersion,FirmwareManufacturer,FirmwareVersion,FirmwareReleaseDate
For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
<Describe the test(s) that were run to verify the changes.>
Integration Instructions
<Describe how these changes should be integrated. Use N/A if nothing is required.>
</blockquote> <hr> </details>
-
Updating High Confidence Buckets for 5B Windows LCU @SochiOgbuanya (#412)
Change Details
## Description
Updated the high confidence buckets to include new bucket data shipped for 5B windows LCU. Files are too large for GitHub UI to compute diff.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
N/A
Integration Instructions
N/A
-
cleaning up error in SVN GUID @SochiOgbuanya (#404)
Change Details
## Description
<Include a description of the change and why this change was made.>
Updated the SVN GUID to address #377For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
- [] Impacts functionality? No
- Impacts security? No
- Breaking change? No
- Includes tests? No
- Includes documentation? No
How This Was Tested
No test required
<Describe the test(s) that were run to verify the changes.>Integration Instructions
<Describe how these changes should be integrated. Use N/A if nothing is required.>
</blockquote> <hr> </details>
-
Build: Detect and strip PKCS#7 ContentInfo wrappers in KEK updates @Flickdm (#403)
Change Details
## Description
Some KEK update files are generated with an outer ContentInfo SEQUENCE wrapping the SignedData blob. Older EDK2-based firmware expects raw SignedData directly in WIN_CERTIFICATE_UEFI_GUID.CertData; ContentInfo support was only added recently in:
tianocore/edk2@37d3eb0This is normally because the tool that used wanted to sign it in a "normal" way where the code in UEFI is anything but normal.
If we strip off the ContentInfo(..) we have a greater chance of supporting platforms stuck on older UEFI firmware.
So while not invalid - and for newer machines is fine - older firmware may pose an issue.
For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
Tested with a known binary with this issue
KEK Validation Results
⚠️ WARNING:PostSignedObjects/KEK/Test/KEKUpdate_PK_WITH_CONTENT_INFO.bin- Cryptographic Signature: ✅ VALID
- Expected Payload: ✅ True
- ContentInfo Wrapper:
⚠️ Detected
Why this matters: The PKCS#7 signature contains an outer
ContentInfoSEQUENCE
wrapping theSignedData. Older EDK2-based firmware expects rawSignedDatain
WIN_CERTIFICATE_UEFI_GUID.CertDataand will reject the update. Use
scripts/strip_content_info.pyto remove the wrapper before submitting.File Hashes (SHA-256)
PostSignedObjects/KEK/Test/KEKUpdate_PK_WITH_CONTENT_INFO.bin: 7e3f66f80384f26b1a4ff6a45c7aecc28891bf1250adbbc3e76bb73868dd70fcCommand Output
$ python scripts/validate_kek.py "PostSignedObjects/KEK/Test/KEKUpdate_PK_WITH_CONTENT_INFO.bin" -o "kek_validation_results/KEKUpdate_PK_WITH_CONTENT_INFO_validation.json" -q INFO:root:Validating: KEKUpdate_PK_WITH_CONTENT_INFO.bin WARNING:root: [!] ContentInfo wrapper detected in cert_data! INFO:root: Cryptographic Signature: VALID INFO:root: Expected Payload: True INFO:root:Results saved to: kek_validation_results/KEKUpdate_PK_WITH_CONTENT_INFO_validation.jsonPostSignedObjects/KEK/Test/KEKUpdate_PK_WITH_CONTENT_INFO.bin
{ "validation_date": "2026-04-23T00:50:24.707627+00:00", "file": "PostSignedObjects/KEK/Test/KEKUpdate_PK_WITH_CONTENT_INFO.bin", "parameters": { "var_name": "KEK", "var_guid": "8be4df61-93ca-11d2-aa0d-00e098032b8c", "attributes": "NV,BS,RT,AT,AP" }, "result": { "filename": "KEKUpdate_PK_WITH_CONTENT_INFO.bin", "path": "PostSignedObjects/KEK/Test/KEKUpdate_PK_WITH_CONTENT_INFO.bin", "valid": true, "payload_hash_valid": true, "content_info_wrapped": true, "error": null, "warnings": [ "cert_data contains a PKCS#7 ContentInfo wrapper. " ], "details": { "verified": true }, "payload_hash": "5b85333c009d7ea55cbb6f11a5c2ff45ee1091a968504c929aed25c84674962f", "payload_size": 1506 } }Reproduce Locally
pip install -r pip-requirements.txt python scripts/validate_kek.py <path-to-kek-bin-file> -vIntegration Instructions
N/A
-
[Secure Boot KEK Update] Microsoft PK-Signed KEK Update @Flickdm (#399)
Change Details
## OEM Certificate Submission
OEM Name: Microsoft
Contact Email: sbkeyoem@microsoft.comCertificate Details
- Platform Key Thumbprint: b3bd98f4777241d721a96cd584dcb9d4b2098beb269c44442bdf609adce3b6c0
- Expiration Date: [2014-4-24]
The expired certificate is not a problem for firmware.
Testing Completed
- Windows validation (HyperV)
- Linux validation
Security Review
- No known security issues
Additional Notes
When this file was originally created, somehow it generated an invalid signature and would fail when applied.
This was corrected in Windows Update. However, I am publishing that change here to reflect that change.
There were additional changes required to support PK-Signed KEK updates forHyperV that were a part of the March 3B release.
</blockquote> <hr> </details>
-
Fix DBX JSON schema @cjee21 (#381)
Change Details
## Description
PreSignedObjects\DBX\HashesJsonSchema.jsondoes not accurately describePreSignedObjects\DBX\dbx_info_msft_latest.jsonand fails validation. This PR fixes the schema to accurately describe the JSON and enables it to pass validation. The schema is also updated to 2020-12 and format checking is enabled in thevalidate_schemaPython script to validate the format of dates.Also added DBX JSON schema validation to the CI to ensure both
HashesJsonSchema.jsonanddbx_info_msft_latest.jsonwill remain in sync in the future.How This Was Tested
>python -m pip install jsonschema[format] >python scripts\validate_schema.py PreSignedObjects\DBX\dbx_info_msft_latest.json PreSignedObjects\DBX\HashesJsonSchema.json INFO:root:JSON data is valid against the schema. INFO:root:JSON data is valid against the schema.Integration Instructions
N/A
</blockquote> <hr> </details>
-
[Secure Boot KEK Update] Adlink PK-Signed KEK Update @Max-ad-Wu (#392)
Change Details
## OEM Certificate Submission
OEM Name: [Adlink]
Contact Email: [Max.Wu@AdlinkTech.com]Certificate Details
- Platform Key Thumbprint: [e28e3790326abe4f7e5c134532ab036cae8315b56139632022686d43ef538a96]
- Expiration Date: [2037-04-24]
Testing Completed
- Windows validation
- Linux validation
Security Review
- No known security issues
Additional Notes
[None]
-
FEAT: Authenticated Variable Verification and KEK workflow @Flickdm (#385)
Change Details
## Description
Adding a github action to automatically validate KEK submissions and provide feedback if they're invalid
For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
Using an Invalid and Valid KEK - that has since been dropped.
Integration Instructions
N/A
-
Group/upload @Flickdm (#383)
Change Details
## Description
Just going ahead and handling this myself. Cleaned up the commits by cherry-picking and dropping the changes to
kek_update_map.jsonand rerunningpython scripts/get_auth_var_signing_certificate.py --directory PostSignedObjects/KEK --output PostSignedObjects/KEK/kek_update_map.json
Covers the following PRs - Once merged these can be closed:
#374
#372
#371For details on how to complete these options and their meaning refer to CONTRIBUTING.md.
- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
N/A
Integration Instructions
N/A
-
license: Drop prebuilt binaries license in favor of BSD-2-Clause-Patent @chewi (#376)
Change Details
## Description
BSD-2-Clause-Patent now applies to everything in this repository. Microsoft CELA has agreed to this change.
-
[Secure Boot KEK Update] Adlink PK-Signed KEK Update @Max-ad-Wu (#350)
Change Details
## OEM Certificate Submission
OEM Name: [Adlink]
Contact Email: [max.wu@adlinktech.com]Certificate Details
- Platform Key Thumbprint: [d4d9605cfa09c0e87b491e30d597feef99fb069dd5f2b1c1e30165af8c07bb6c]
- Expiration Date: [2043-05-28]
Testing Completed
- Windows validation
- Linux validation
Security Review
- No known security issues
Additional Notes
[None]
🐛 Bug Fixes
-
Fix: Update dbx\_info\_msft\_latest.json to correct incorrect guids @Flickdm (#406)
Change Details
## Description
REF: #377
Specifically, the following guids were incorrect and have been updated to match the correct values:
-"guid": "{e8f82e9d-e127-4158-a488-4c18abe2f284} == EFI_CDBOOT_DBXSVN_GUID",
-"guid": "{c999cac2-7ffe-496f-8127-9e2a8a535976} == EFI_WDSMGR_DBXSVN_GUID",The following guid was previously corrected in #404
-"guid": "{9d132b61-59d5-4388-ab1c-185c3cb2eb92} == EFI_BOOTMGR_DBXSVN_GUID",- Impacts functionality?
- Impacts security?
- Breaking change?
- Includes tests?
- Includes documentation?
How This Was Tested
N/A
Integration Instructions
N/A
Full Changelog: v1.6.4...v1.6.5
What's Changed
- Repo File Sync: Group Dependabot Prs and update to create-github-app-token@v3 by @mu-automation[bot] in #366
- [Secure Boot KEK Update] Adlink PK-Signed KEK Update by @Max-ad-Wu in #350
- GitHub Action: Bump actions/create-github-app-token from 2 to 3 by @dependabot[bot] in #363
- pip: bump the all-pip-dependencies group with 2 updates by @dependabot[bot] in #367
- pip: bump ruff from 0.15.6 to 0.15.7 in the all-pip-dependencies group by @dependabot[bot] in #373
- license: Drop prebuilt binaries license in favor of BSD-2-Clause-Patent by @chewi in #376
- pip: bump cryptography from 46.0.5 to 46.0.6 by @dependabot[bot] in #378
- Repo File Sync: Update to Mu DevOps v18.0.4 by @mu-automation[bot] in #379
- pip: bump the all-pip-dependencies group with 3 updates by @dependabot[bot] in #380
- Group/upload by @Flickdm in #383
- FEAT: Authenticated Variable Verification and KEK workflow by @Flickdm in #385
- GitHub Action: Bump the all-actions-dependencies group with 3 updates by @dependabot[bot] in #386
- Repo File Sync: Repo File Sync: Update workflows to 18.0.5 by @mu-automation[bot] in #387
- Upload: Uploading multiple submissions by @Flickdm in #390
- pip: bump edk2-pytool-library to 0.23.13, regex to 2026.4.4, ruff to 0.15.9 cryptography to 46.0.7 by @dependabot[bot] in #389
- [Secure Boot KEK Update] Adlink PK-Signed KEK Update by @Max-ad-Wu in #392
- Repo File Sync: Update github-script to v9 by @mu-automation[bot] in #395
- pip: bump cryptography from 46.0.6 to 46.0.7 by @dependabot[bot] in #391
- GitHub Action: Update prepare-binaries and validate-kek-updates to use actions/github-script 9, action-gh-release 3 by @dependabot[bot] in #394
- pip: bump ruff from 0.15.9 to 0.15.10 in the all-pip-dependencies group by @dependabot[bot] in #397
- Fix DBX JSON schema by @cjee21 in #381
- [Secure Boot KEK Update] Microsoft PK-Signed KEK Update by @Flickdm in #399
- Build: Detect and strip PKCS#7 ContentInfo wrappers in KEK updates by @Flickdm in #403
- pip: bump ruff from 0.15.10 to 0.15.11 by @dependabot[bot] in #401
- cleaning up error in SVN GUID by @SochiOgbuanya in #404
- pip: bumpruff to 0.15.12, cryptography to 47.0.0 by @dependabot[bot] in #405
- Fix: Update dbx_info_msft_latest.json to correct incorrect guids by @Flickdm in #406
- Repo File Sync: Update mu_devops to v18.0.6 by @mu-automation[bot] in #407
- pip: bump cryptography from 47.0.0 to 48.0.0 in the all-pip-dependencies group by @dependabot[bot] in #408
- Updating High Confidence Buckets for 5B Windows LCU by @SochiOgbuanya in #412
- Addressing missing bucket attribute information in 5B High confidence buckets csv by @SochiOgbuanya in #414
- pip: bump ruff from 0.15.12 to 0.15.13 by @dependabot[bot] in #418
- bump bootmgr SVN to 8 by @olkorsha in #415
- pip: bump ruff from 0.15.13 to 0.15.14 in the all-pip-dependencies group by @dependabot[bot] in #423
- pip: bump ruff from 0.15.14 to 0.15.15 in the all-pip-dependencies group by @dependabot[bot] in #427
- Repo File Sync: update mu_devops to v18.0.7 by @mu-automation[bot] in #435
- pip: bump ruff to 0.15.16, cryptography to 48.0.1 by @dependabot[bot] in #431
- pip: bump ruff to 0.15.17, pytest to 9.1.0, cryptography to 49.0.0 by @dependabot[bot] in #438
- GitHub Action: Bump actions/checkout from 6 to 7 by @dependabot[bot] in #439
- [CVE-2026-8863] bump bootmgfw svn to v9, add 12 new x64 dbx hashes by @olkorsha in #429
- Add 7 additional Microsoft Surface KEK update packages: by @jorticus-msft in #437
- pip: bump edk2-pytool-library to 0.23.15, ruff to 0.15.20, pytest to 9.1.1 by @dependabot[bot] in #441
- Fix bootmgr SVN dateOfLastChange and CVE description (#444) by @Flickdm in #445
- scripts: fix compute_authenticode_hash for unsigned PEs by @jeremy-compostella in #440
New Contributors
- @Max-ad-Wu made their first contribution in #350
- @chewi made their first contribution in #376
- @cjee21 made their first contribution in #381
- @olkorsha made their first contribution in #415
- @jorticus-msft made their first contribution in #437
- @jeremy-compostella made their first contribution in #440
Full Changelog: v1.6.4...v1.6.5