Wimboot v2.8.0 certificate expired
Looks like the cert expired on 2024-10-16. Hopefully it's not too long of a process to renew.
EDIT: My apologies, it's the "Microsoft Windows UEFI Driver Publisher" cert that has expired.
What issues are you seeing? I have not verified the details, but certificates for code signing only have to be valid at the time of signing, as long as the signing timestamp is included. This is done by Microsoft, so it would be a horrible oversight if they missed that.
As such, even if any part of the chain is now after the NotAfter timestamp, it shouldn't be relevant.
False alarm. My issue is with Hyper-V where I see the following:
On a Lenovo X390, I was able to boot the same boot.wim successfully.
In the image from my last comment I was attempting to use the "Microsoft UEFI Certificate Authority" template in Hyper-V.
If I attempt to use the "Microsoft Windows" template, I see the following error instead:
If I boot the ISO where I extracted my boot.wim (taking wimboot out of the equation) it boots successfully.
Here is the list of Secure Boot certs in Hyper-V:
PK:
CN=Microsoft Hyper-V Firmware PK, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
KEK:
CN=Microsoft Corporation KEK CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
DB:
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
wimboot 2.8.0 was signed by the UEFI CA 2011 cert:
I could be wrong, but I believe this means that wimboot will need to be signed with the new 2023 CA, both for Hyper-V and for devices with the BlackLotus mitigation applied.
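One way to check the db-membership question raised in this thread, as an added example that is not from the wimboot project or any participant: it parses a Secure Boot db in EFI_SIGNATURE_LIST layout and reports whether any certificate of a signer's chain is present, without looking at NotAfter dates. The certificate bytes, owner GUID and function names are constructed placeholders, and the check is a simplified model (no signature verification, no dbx).

```python
import hashlib
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification: marks a list of DER certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
OWNER = uuid.UUID(int=1)  # constructed owner GUID, not a real vendor's

def make_x509_list(cert, owner=OWNER):
    """Build one EFI_SIGNATURE_LIST holding a single certificate (sample data only)."""
    sig = owner.bytes_le + cert
    return EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig

def db_certs(blob):
    """Return the certificate bytes of every X.509 entry in a db variable."""
    certs, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body, end = off + 28 + hdr_size, off + list_size
        if sig_size <= 16 or body > end or end > len(blob) or (end - body) % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        if sig_type == EFI_CERT_X509_GUID:  # hash-only lists are skipped here
            certs += [blob[p + 16:p + sig_size] for p in range(body, end, sig_size)]
        off = end
    return certs

def chain_anchored_in_db(chain, db_blob):
    """True if any certificate of the signer's chain is itself present in db."""
    trusted = {hashlib.sha256(c).digest() for c in db_certs(db_blob)}
    return any(hashlib.sha256(c).digest() in trusted for c in chain)

# Constructed placeholders standing in for the DER certificates named on this page.
PCA_2011 = b"placeholder: Microsoft Windows Production PCA 2011"
UEFI_CA_2011 = b"placeholder: UEFI CA 2011"
UEFI_CA_2023 = b"placeholder: Microsoft UEFI CA 2023"
LEAF = b"placeholder: Microsoft Windows UEFI Driver Publisher"

HYPERV_DB = make_x509_list(PCA_2011) + make_x509_list(UEFI_CA_2023)  # db as listed above
WIMBOOT_CHAIN = [LEAF, UEFI_CA_2011]  # signer chain as described in the thread

if __name__ == "__main__":
    print("listed db:", chain_anchored_in_db(WIMBOOT_CHAIN, HYPERV_DB))
    with_2011 = HYPERV_DB + make_x509_list(UEFI_CA_2011)
    print("db plus 2011 CA:", chain_anchored_in_db(WIMBOOT_CHAIN, with_2011))
```

On a real system the db bytes would come from the firmware variable and the chain from the binary's Authenticode signature; both are replaced by placeholders here.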
Could it be that, because of that, I'm not able to use a freshly installed netboot.xyz installation with Windows boot? It downloaded the 2.0.87 version and I'm able to download it, but I'm not able to verify it.
For the original issue here, how do you @skyblaster get into booting wimboot? Unless any part of the chain has been revoked, wimboot signing is not the issue.
For @Xyz00777, what does the ipxe.org URL say? Since we don't know what your script contains, or what the sig is for, we can't say much. But since this is netboot.xyz, maybe check their repo instead?