Fwupdmgr offers KEK CA updates from 2011 to 2023

Ubuntu Version: 24.04, 25.04, 25.10

Desktop Environment GNOME

Problem Description: fwupdmgr offers KEK CA updates from 2011 to 2023.
What is KEK CA? What is it needed for?
I see several problems regarding this online. I don’t have Windows, just multiboot with various versions of Ubuntu and Debian. Do I need to update it? Thank you.

Relevant System Information:

corrado@corrado-ns6-qq-0625:~$ inxi -SMxc
System:
  Host: corrado-ns6-qq-0625 Kernel: 6.14.0-15-generic arch: x86_64 bits: 64
    compiler: gcc v: 14.2.0
  Desktop: GNOME v: 48.0 Distro: Ubuntu 25.10 (Questing Quokka)
Machine:
  Type: Desktop System: ASUS product: N/A v: N/A serial: <superuser required>
  Mobo: ASUSTeK model: PRIME H610M-E D4 v: Rev 1.xx
    serial: <superuser required> UEFI: American Megatrends v: 1402
    date: 04/01/2022
corrado@corrado-ns6-qq-0625:~$ 

Screenshots or Error Messages:

corrado@corrado-ns6-qq-0625:~$ fwupdmgr update     
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade KEK CA from 2011 to 2023?                                            ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the UEFI Signature Database (the "KEK") to the latest release   ║
║ from Microsoft, signed by ASUSTeK MotherBoard PK Certificate.                ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: n
Devices with the latest available firmware version:
 • UEFI dbx
Devices with no available firmware updates:
 • ASUSTeK KEK Certificate
 • ASUSTeK SW Key Certificate
 • CT500MX500SSD1
 • CT500MX500SSD1
 • DT01ACA100
 • KBG40ZNV256G KIOXIA
 • KINGSTON SKC2000M8250G
 • Master Certificate Authority
 • Master Certificate Authority
 • System Firmware
 • UEFI CA
 • UEFI Device Firmware
 • UEFI Device Firmware
 • Windows Production PCA
corrado@corrado-ns6-qq-0625:~$ 



I also need to know the answer to this. I have no windows partition and never chose to encrypt my disk, but gnome-shell keeps bugging me that I must update kek ca. However, I need to insert a recovery key in order to do this - and I do not have one, nor do I know how to find it.

Today on Questing I see discordant messages from fwupdmgr update and the ‘Firmware Updater’ app:


Should I open a bug?
Thanks

When your system has secure boot functionality in its UEFI (pretty much every modern x86 system), the UEFI manages the keys used for signing things…

There is the PK (Platform Key) that the hardware manufacturer put into the system on a hardware level …

On top of this sits a “Key Enrollment Key” (KEK) that an OEM puts in place (usually a Microsoft key, but Canonical has such keys too that it puts in place on devices that come with Ubuntu pre-installed (or that Ubuntu enterprise customers put in place when they do not want to trust MS)). That KEK is then used for signing/enrolling other key pairs that can be managed in the “Allowed Signature Database (DB)” and “Disallowed Signature Database (DBX)”, which define what code can be executed by the UEFI before booting.

The DB and, respectively, the DBX hold certificates that validate and invalidate the keys in use; these certs need to be regularly updated …

Security certificates usually have an expiry date, so even if they are not accidentally leaked and revoked due to that, they need to be replaced eventually, since certificates are usually not valid forever on purpose.

The MS KEK key certs from 2011 are expiring this month and need to be replaced by new ones …
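Added example, not from this thread or from fwupd: a small Python parser for the EFI_SIGNATURE_LIST format that KEK, db and dbx all use, which lists each enrolled X.509 entry with its notAfter date, so you can see for yourself whether the 2011 KEK CA is what your firmware holds. The efivars path and the GUIDs are the UEFI spec's; the sample certificate is a constructed DER skeleton (not a real certificate), and reading the live variable needs root.

```python
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # UEFI spec: entry is a DER cert
# Live data: open(KEK_EFIVAR, "rb").read()[4:] (efivarfs prefixes a 4-byte attribute word)
KEK_EFIVAR = "/sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c"

def der_tlv(buf, off=0):  # decode one DER tag-length-value -> (tag, value, next_offset)
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def der_children(value):  # split a DER SEQUENCE body into its (tag, value) children
    out, off = [], 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        out.append((tag, val))
    return out

def cert_not_after(der_cert):  # notAfter of a DER X.509 cert as its raw UTCTime/GeneralizedTime
    fields = der_children(der_children(der_tlv(der_cert)[1])[0][1])  # TBSCertificate fields
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity = SEQ{notBefore, notAfter}
    return der_children(fields[3][1])[1][1].decode("ascii")

def parse_signature_lists(data):  # walk chained EFI_SIGNATURE_LIST structures (KEK/db/dbx format)
    out, off = [], 0
    while off + 28 <= len(data):  # header: SignatureType GUID + 3 x UINT32
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # EFI_SIGNATURE_DATA: SignatureOwner GUID + SignatureData
            entry = {"owner": str(uuid.UUID(bytes_le=data[pos:pos + 16]))}
            if sig_type == EFI_CERT_X509_GUID:
                entry["not_after"] = cert_not_after(data[pos + 16:pos + sig_size])
            out.append(entry)
            pos += sig_size
        off = end
    return out

# Constructed sample (not a real certificate): minimal DER skeleton valid 2011-06-24 .. 2026-06-24
SAMPLE_CERT = (bytes.fromhex("3037 302e a003020102 020101 30020500 3000 301e 170d") + b"110624204129Z"
               + bytes.fromhex("170d") + b"260624204129Z" + bytes.fromhex("30020500 030100"))

def sample_kek_variable():  # one EFI_SIGNATURE_LIST with one X.509 entry, owner GUID all zeros
    sig = uuid.UUID(int=0).bytes_le + SAMPLE_CERT
    return EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig
```

On a real machine compare the listed notAfter values (UTCTime is YYMMDDhhmmssZ) against today's date; a 2011-era Microsoft KEK CA entry is exactly what the fwupdmgr prompt in this thread offers to replace.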

