In previous Microsoft Secure Boot AMAs, it was mentioned that we can update the KEK and DB variables with new certificates even after the 2011 certificates expire in June 2026. However, I'm a bit confused about how this can be done. If the KEK needs to sign updates to the DB and the 2011 KEK cert has expired (but not revoked), how is the KEK supposed to sign requests to add new 2023 certs to the DB? Can someone help clarify this for me?
1 Answer
From what I understand, expiration dates aren't really checked at that level. If something is signed, it's considered valid. This applies to Windows kernel drivers too; they can still load even if the signature is from a certificate that expired ages ago as long as it was signed properly.
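The distinction the answer draws, shown as an added Python example (not code from the post or from any firmware): the firmware's authenticated-variable path performs the cryptographic check (does the PKCS#7 signature verify under a certificate chained to the KEK/PK?) but not the PKI-style validity-window check, so a signature made under a certificate whose notAfter is in the past still verifies. The certificate, key and "db update" payload are constructed inline; the real 2011 KEK and the real db update blobs are not used. Requires the `cryptography` package.

```python
"""Constructed example: a signature made with an expired certificate still verifies
cryptographically; checking notBefore/notAfter is a separate policy step that the
firmware's authenticated-variable verification does not perform."""
from datetime import datetime, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def build_expired_kek():
    """Stand-in for a KEK certificate (self-signed, constructed here, not the real
    Microsoft KEK) whose validity window closed in 2020, so it is expired whenever
    this runs."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed KEK 2011")])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(datetime(2011, 6, 24, tzinfo=timezone.utc))
        .not_valid_after(datetime(2020, 6, 24, tzinfo=timezone.utc))
        .sign(key, hashes.SHA256())
    )
    return key, cert


def sign_update(key, payload: bytes) -> bytes:
    """RSA PKCS#1 v1.5 over SHA-256, the primitive inside the PKCS#7 SignedData of
    an EFI_VARIABLE_AUTHENTICATION_2 descriptor (the PKCS#7 framing is omitted)."""
    return key.sign(payload, padding.PKCS1v15(), hashes.SHA256())


def signature_is_valid(cert, payload: bytes, sig: bytes) -> bool:
    """The cryptographic check only: does the signature verify under the
    certificate's public key? Nothing here looks at dates."""
    try:
        cert.public_key().verify(sig, payload, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def cert_in_validity_window(cert, now=None) -> bool:
    """The policy check a TLS client adds on top of the signature check: is 'now'
    inside notBefore..notAfter? Firmware has no trustworthy clock at boot and
    skips this step."""
    now = now or datetime.now(timezone.utc)
    not_before = getattr(cert, "not_valid_before_utc", None)
    not_after = getattr(cert, "not_valid_after_utc", None)
    if not_before is None:  # cryptography < 42 only has naive UTC accessors
        not_before = cert.not_valid_before.replace(tzinfo=timezone.utc)
        not_after = cert.not_valid_after.replace(tzinfo=timezone.utc)
    return not_before <= now <= not_after


def demo():
    """Sign a placeholder 'db append' with the expired signer and report both checks."""
    key, cert = build_expired_kek()
    db_update = b"constructed db append: placeholder bytes, not a real EFI_SIGNATURE_LIST"
    sig = sign_update(key, db_update)
    return {
        # what the firmware evaluates: True even though the cert is expired
        "signature_ok": signature_is_valid(cert, db_update, sig),
        # the check is real: any change to the payload fails it
        "tampered_signature_ok": signature_is_valid(cert, db_update + b"x", sig),
        # what the firmware does not evaluate: False today, True back in 2015
        "in_validity_window": cert_in_validity_window(cert),
        "in_window_in_2015": cert_in_validity_window(
            cert, datetime(2015, 1, 1, tzinfo=timezone.utc)
        ),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

One caveat worth keeping in mind when reading the output: the timestamp inside an EFI_VARIABLE_AUTHENTICATION_2 descriptor is a monotonic replay guard (the firmware rejects an update whose timestamp is not later than the one stored with the variable), not a certificate-validity check, so it does not reintroduce expiry checking through the back door.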

Do you have any documentation to back this up? It seems logical, otherwise the bootloader would stop working right after the 2011 certs expire.