v1.5.1-signed

TLDR

⚠️ IMPORTANT

• Signed DBX and Revocations have been updated to include the revocations for DtBios* - see #214
• Template support was added to add additional templates that a platform can use to customize the template they require
• Release 1.5.0 failed due to a expired token. This was fixed in #219 however the tags were left behind - see #218

What's Changed

• pip: bump ruff from 0.9.6 to 0.9.7 by @dependabot in #172
• pip: bump edk2-pytool-extensions from 0.28.2 to 0.28.3 by @dependabot in #173
• Update the Readme by @Flickdm in #179
• pip: bump edk2-pytool-extensions from 0.28.3 to 0.28.5 by @dependabot in #177
• pip: bump pytest from 8.3.4 to 8.3.5 by @dependabot in #176
• pip: bump ruff from 0.9.7 to 0.9.9 by @dependabot in #175
• pip: bump ruff from 0.9.9 to 0.11.0 by @dependabot in #184
• Publishing Script to make 2023 Boot Media from existing ISOs by @Flickdm in #183
• RustToolChain: Bump RustToolChain from 1.80 to 1.84. by @uefibot in #187
• Repo File Sync: synced file(s) with microsoft/mu_devops by @uefibot in #190
• Clean up SecureBoot Schema and Revocation JSON by @Flickdm in #191
• pip: bump ruff from 0.11.2 to 0.11.4 by @dependabot in #192
• Basic powershell installation script for installing Secure Boot Keys by @Flickdm in #193
• Secure Boot Default Templates by @Flickdm in #174
• pip: bump ruff from 0.11.4 to 0.11.5 by @dependabot in #194
• pip: bump ruff from 0.11.4 to 0.11.6 by @dependabot in #197
• Repo File Sync: synced file(s) with microsoft/mu_devops by @mu-automation in #202
• pip: bump ruff from 0.11.6 to 0.11.7 by @dependabot in #201
• Update templates by @Flickdm in #199
• pip: bump ruff from 0.11.7 to 0.11.8 by @dependabot in #204
• Secure Boot Kek Update Files by @Flickdm in #195
• pip: bump ruff from 0.11.8 to 0.11.9 by @dependabot in #205
• pip: bump ruff from 0.11.9 to 0.11.10 by @dependabot in #206
• pip: bump ruff from 0.11.10 to 0.11.11 by @dependabot in #207
• Synced yml file(s) with microsoft/mu_devops, updated rust toolchain version and edition by @mu-automation in #208
• Repo File Sync: Update mu_devops workflow tags to 15.0.1 by @mu-automation in #209
• pip: bump ruff from 0.11.11 to 0.11.12 by @dependabot in #212
• pip: bump pytest from 8.3.5 to 8.4.0 by @dependabot in #211
• Updating DBX update package with the latest revocations by @SochiOgbuanya in #214
• Keep LegacyFirmwareDefaults.toml around for legacy firmware builds by @Flickdm in #213
• Update non-Default GitHub token usage to Mu GitHub app by @apop5 in #219

New Contributors

• @mu-automation made their first contribution in #202
• @apop5 made their first contribution in #219

Full Changelog: v1.4.0-signed...v1.5.1-signed

v1.5.1

TLDR

⚠️ IMPORTANT

• Signed DBX and Revocations have been updated to include the revocations for DtBios* - see #214
• Template support was added to add additional templates that a platform can use to customize the template they require
• Release 1.5.0 failed due to a expired token. This was fixed in #219 however the tags were left behind - see #218

What's Changed

• pip: bump ruff from 0.9.6 to 0.9.7 by @dependabot in #172
• pip: bump edk2-pytool-extensions from 0.28.2 to 0.28.3 by @dependabot in #173
• Update the Readme by @Flickdm in #179
• pip: bump edk2-pytool-extensions from 0.28.3 to 0.28.5 by @dependabot in #177
• pip: bump pytest from 8.3.4 to 8.3.5 by @dependabot in #176
• pip: bump ruff from 0.9.7 to 0.9.9 by @dependabot in #175
• pip: bump ruff from 0.9.9 to 0.11.0 by @dependabot in #184
• Publishing Script to make 2023 Boot Media from existing ISOs by @Flickdm in #183
• RustToolChain: Bump RustToolChain from 1.80 to 1.84. by @uefibot in #187
• Repo File Sync: synced file(s) with microsoft/mu_devops by @uefibot in #190
• Clean up SecureBoot Schema and Revocation JSON by @Flickdm in #191
• pip: bump ruff from 0.11.2 to 0.11.4 by @dependabot in #192
• Basic powershell installation script for installing Secure Boot Keys by @Flickdm in #193
• Secure Boot Default Templates by @Flickdm in #174
• pip: bump ruff from 0.11.4 to 0.11.5 by @dependabot in #194
• pip: bump ruff from 0.11.4 to 0.11.6 by @dependabot in #197
• Repo File Sync: synced file(s) with microsoft/mu_devops by @mu-automation in #202
• pip: bump ruff from 0.11.6 to 0.11.7 by @dependabot in #201
• Update templates by @Flickdm in #199
• pip: bump ruff from 0.11.7 to 0.11.8 by @dependabot in #204
• Secure Boot Kek Update Files by @Flickdm in #195
• pip: bump ruff from 0.11.8 to 0.11.9 by @dependabot in #205
• pip: bump ruff from 0.11.9 to 0.11.10 by @dependabot in #206
• pip: bump ruff from 0.11.10 to 0.11.11 by @dependabot in #207
• Synced yml file(s) with microsoft/mu_devops, updated rust toolchain version and edition by @mu-automation in #208
• Repo File Sync: Update mu_devops workflow tags to 15.0.1 by @mu-automation in #209
• pip: bump ruff from 0.11.11 to 0.11.12 by @dependabot in #212
• pip: bump pytest from 8.3.5 to 8.4.0 by @dependabot in #211
• Updating DBX update package with the latest revocations by @SochiOgbuanya in #214
• Keep LegacyFirmwareDefaults.toml around for legacy firmware builds by @Flickdm in #213
• Update non-Default GitHub token usage to Mu GitHub app by @apop5 in #219

New Contributors

• @mu-automation made their first contribution in #202
• @apop5 made their first contribution in #219

Full Changelog: v1.4.0...v1.5.1

v1.4.0-signed

(Runtime) Official Signed Microsoft Secure Boot payloads

Operating systems or systems where secure boot is enabled, may use these binaries to update Secure Boot

TLDR

⚠️ IMPORTANT

There was a decision to remove all Windows hashes from the DBX in the previous release to save space in flash since revoking by certificate is the recommended method of revocation for complete protection against Black Lotus.

While a valid decision, to prevent against confusion and regression for users who are not aware of this change, the Windows hashes will be re-included in the signed DBX update files.

For easy verification either compare the revocation list against the receipts or compare the firmware payloads receipt (or binary file) against the signed version to see the only additional data is the signature. The hashes are as expected.

Please visit our wiki and Manufacturing and Operationing System Instructions for more information

What's Changed

• pip: bump edk2-pytool-extensions from 0.28.0 to 0.28.2 by @dependabot in #166
• pip: bump ruff from 0.9.3 to 0.9.6 by @dependabot in #165
• Adding receipts for the firmware binaries by @Flickdm in #169
• Updates DBX signed binaries to re-include windows hashes by @Flickdm in #170
• Adding versioning rules by @Flickdm in #171

Full Changelog: v1.3.1-signed...v1.4.0-signed

v1.4.0

(Firmware) Official Microsoft Unsigned Secure Boot Payloads

These binaries may be used in a firmware environment where Secure Boot is in SETUP mode and the firmware has direct access to write to the UEFI Variables.

TLDR

This release does not include additional hashes but is being made to keep in lock step with the signed payloads.
This release does add additional receipts to each payload for easy verification.

Please visit our wiki and Manufacturing and Operationing System Instructions for more information

What's Changed

• pip: bump edk2-pytool-extensions from 0.28.0 to 0.28.2 by @dependabot in #166
• pip: bump ruff from 0.9.3 to 0.9.6 by @dependabot in #165
• Adding receipts for the firmware binaries by @Flickdm in #169
• Updates DBX signed binaries to re-include windows hashes by @Flickdm in #170
• Adding versioning rules by @Flickdm in #171

Full Changelog: v1.3.1...v1.4.0

v1.3.1-signed

(Runtime) Official Signed Microsoft Secure Boot payloads

Operating systems or systems where secure boot is enabled, may use these binaries to update Secure Boot

TLDR

⚠️ IMPORTANT

There was a decision to remove all Windows hashes from this release to save space in flash since revoking by certificate is the recommended method of revocation for complete protection against Black Lotus.

It is not recommend to use these binaries. See #170.

What's Changed

• pip: bump ruff from 0.9.1 to 0.9.2 by @dependabot in #153
• Edited Limited Liability License by @Flickdm in #155
• pip: bump ruff from 0.9.2 to 0.9.3 by @dependabot in #159
• Repo File Sync: Update to Mu DevOps 13.0.0 by @uefibot in #160
• Update Releases to included Signed Payloads by @Flickdm in #163
• Add JSON Receipt to each signed payload to validate the contents by @Flickdm in #164

Full Changelog: v1.3.0...v1.3.1-signed

v1.3.1

(Firmware) Official Microsoft Unsigned Secure Boot Payloads

These binaries may be used in a firmware environment where Secure Boot is in SETUP mode and the firmware has direct access to write to the UEFI Variables.

These files are the equivalent of using the Split-Dbx.ps1 script on a signed version

What's Changed

• pip: bump ruff from 0.9.1 to 0.9.2 by @dependabot in #153
• Edited Limited Liability License by @Flickdm in #155
• pip: bump ruff from 0.9.2 to 0.9.3 by @dependabot in #159
• Repo File Sync: Update to Mu DevOps 13.0.0 by @uefibot in #160
• Update Releases to included Signed Payloads by @Flickdm in #163
• Add JSON Receipt to each signed payload to validate the contents by @Flickdm in #164

Full Changelog: v1.3.0...v1.3.1

v1.3.0

What's Changed

• Repo File Sync: Update to Mu DevOps v12.4.0 by @uefibot in #147
• pip: bump ruff from 0.8.4 to 0.8.6 by @dependabot in #149
• pip: bump edk2-pytool-library from 0.22.3 to 0.22.5 by @dependabot in #150
• pip: bump ruff from 0.8.6 to 0.9.1 by @dependabot in #151
• Update Secure Boot Objects for Patch Tuesday 1/14/25 by @Flickdm in #152

Full Changelog: v1.2.0...v1.3.0

v1.2.0

Most Important changes

• Adds support for 'signed' secureboot files that may be used during manufacturing by @Flickdm in #111
• DBX Update: dbx_info_msft_1_6_25.csv by @Flickdm in #148

1. Previously hashes that would have been revoked by cert were removed, those are being readded
2. Describing additional hashes that should be publically documented
3. Removed 1 invalid hash

Total changes to the DBX: 33

CSV's may be diffed to see exact changes.
 

What's Changed

• pip: bump ruff from 0.5.4 to 0.5.5 by @dependabot in #110
• pip: bump pytest from 8.3.1 to 8.3.2 by @dependabot in #109
• pip: bump edk2-pytool-library from 0.21.8 to 0.21.9 by @dependabot in #108
• Adds support for 'signed' secureboot files that may be used during manufacturing by @Flickdm in #111
• pip: bump ruff from 0.5.5 to 0.5.6 by @dependabot in #112
• pip: bump edk2-pytool-library from 0.21.9 to 0.21.10 by @dependabot in #113
• pip: bump ruff from 0.5.6 to 0.5.7 by @dependabot in #114
• pip: bump edk2-pytool-extensions from 0.27.10 to 0.27.11 by @dependabot in #115
• pip: bump ruff from 0.5.7 to 0.6.1 by @dependabot in #116
• pip: bump ruff from 0.6.1 to 0.6.2 by @dependabot in #117
• pip: bump ruff from 0.6.2 to 0.6.3 by @dependabot in #118
• pip: bump edk2-pytool-extensions from 0.27.11 to 0.27.12 by @dependabot in #119
• pip: bump ruff from 0.6.3 to 0.6.4 by @dependabot in #120
• pip: bump pytest from 8.3.2 to 8.3.3 by @dependabot in #121
• pip: bump ruff from 0.6.4 to 0.6.5 by @dependabot in #123
• pip: bump edk2-pytool-library from 0.21.10 to 0.21.11 by @dependabot in #122
• Repo File Sync: Update Mu DevOps version by @uefibot in #124
• pip: bump ruff from 0.6.5 to 0.6.7 by @dependabot in #125
• pip: bump ruff from 0.6.7 to 0.6.8 by @dependabot in #126
• pip: bump edk2-pytool-library from 0.21.11 to 0.21.12 by @dependabot in #127
• pip: bump ruff from 0.6.8 to 0.6.9 by @dependabot in #128
• pip: bump edk2-pytool-library from 0.21.12 to 0.22.0 by @dependabot in #129
• pip: bump ruff from 0.6.9 to 0.7.0 by @dependabot in #131
• Repo File Sync: synced file(s) with microsoft/mu_devops by @uefibot in #133
• pip: bump edk2-pytool-library from 0.22.0 to 0.22.2 by @dependabot in #132
• pip: bump edk2-pytool-extensions from 0.27.12 to 0.28.0 by @dependabot in #130
• pip: bump ruff from 0.7.0 to 0.7.1 by @dependabot in #134
• pip: bump ruff from 0.7.1 to 0.7.2 by @dependabot in #135
• pip: bump ruff from 0.7.2 to 0.7.3 by @dependabot in #136
• pip: bump ruff from 0.7.3 to 0.7.4 by @dependabot in #139
• pip: bump ruff from 0.7.4 to 0.8.0 by @dependabot in #140
• pip: bump edk2-pytool-library from 0.22.2 to 0.22.3 by @dependabot in #141
• pip: bump pytest from 8.3.3 to 8.3.4 by @dependabot in #143
• pip: bump ruff from 0.8.0 to 0.8.1 by @dependabot in #142
• pip: bump ruff from 0.8.1 to 0.8.3 by @dependabot in #145
• pip: bump ruff from 0.8.3 to 0.8.4 by @dependabot in #146
• DBX Update: dbx_info_msft_1_6_25.csv by @Flickdm in #148

Full Changelog: v1.1.3...v1.2.0

v1.1.3

What's Changed

⚠️ This release is missing expected hashes. Machines that are updated via the OS are not at any additional risk. However, if the machine does not periodically update the DBX then it will be at risk.

• Updating Presigned objects folder @SochiOgbuanya (#107)
  
  Change Details

    Added the new Microsoft Option ROM CA 2023 to the DB in the presigned folder.

  ---

• Adding a Signed folder and optional folder for DBX2024 and DB2024 update packages @SochiOgbuanya (#83)
  
  Change Details

    The signed folder contains signed versions of the contents in keystore folder plus the DBX2024 and DB2024 update packages with guidance on how to apply both changes to devices.

  Please review the localized readme file and the contents of each folder.

    </blockquote>
    <hr>
  </details>
  

• Reorganizing Secure Boot Repo @Flickdm (#84)
  
  Change Details

    This reorganizes the folder structure to prepare for Signed Objects

  1. keystore.toml was renamed to FirmwareDefaults.toml
  2. Created two new folders PreSignedObjects, and PostSignedObjects
     • PreSignedObjects now represents Objects that may exist in your Secure Boot Configuration
     • PostSignedObjects now represents Signed Objects from Microsoft that will map to the PreSignedObjects
  3. All Existing Objects were moved

  This should not be a breaking change. However Breaking changes are likely to come in follow up commits.
  

  
  

  ---

  
  

Full Changelog: v1.1.2...v1.1.3

v1.1.2

What's Changed

• Update the signature owner by keystore entry instead of defaulting to the Microsoft signature owner @Flickdm (#65)
  
  Change Details

    Previously, there was no effective way to override the signature owner guid for any of the entries in the keystore.toml.

  This change allows a user to change the signature_owner per entry such as if a user of this script wishes to add their own certificate.
  For example a user may now add their own custom certificate and specify their own guid:

  ############################
  # Default Kek File Entries #
  ############################
  [DefaultKek]
  help = "Contains the Microsoft KEKs to enable signature database updates and binary execution."
  
  [[DefaultKek.files]]
  path = "keystore/Kek/MicCorKEKCA2011_2011-06-24.der"
  url = "https://go.microsoft.com/fwlink/?LinkId=321185"
  sha1 = 0x31590bfd89c9d74ed087dfac66334b3931254b30
  signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
  
  [[DefaultKek.files]]
  path = "keystore/Kek/microsoft corporation kek 2k ca 2023.der"
  url = "https://go.microsoft.com/fwlink/?linkid=2239775"
  sha1 = 0x459ab6fb5e284d272d5e3e6abc8ed663829d632b
  signature_owner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
  
  [[DefaultKek.files]]
  path = "keystore/Kek/my_custom_kek_certificate.der"
  sha1 = 0xadd9ea3b9077aab54e55ef51ddb65c9a35db81ac
  signature_owner = "12345678-ABCD-EF01-2345-6789ABCDEF01"

    </blockquote>
    <hr>
  </details>
  

🐛 Bug Fixes

• Readme.md: Fix SecureBootKeyStoreLib link @makubacki (#47)
  
  Change Details

    Fixes #46

  Updates the link to use new location in Mu Plus instead of the old
  location in Mu OEM Sample.
  

  
  

  ---

  
  

Full Changelog: v1.1.1...v1.1.2