Secure Boot certificate updates for Linux on Azure virtual machines (original) (raw)

Applies To

Virtual Machine running Linux

Original publish date: June 12, 2026

KB ID: 5103014

In this article

• Introduction
• Identify scenarios that require action
• Azure guest VM considerations
  • Actions required
  • Deploy updates
    * Recommendations from Linux OS vendors
    * Recommendations by Azure for Confidential VMs
  • Firmware update methods
  • Verification methods
  • Linux boot chain update
  • Other Azure resource considerations
  • Monitor update status
• Mitigation steps in case of boot failures

Introduction

Secure Boot is a UEFI firmware security feature that helps ensure that only trusted, digitally signed software runs during the VM boot sequence. Microsoft Secure Boot certificates issued in 2011 begin expiring in June 2026.

To maintain Secure Boot protection and continued servicing of the early boot process, Azure Trusted Launch running Linux must be updated with Secure Boot 2023 db and KEK certificates in virtual UEFI firmware. Confidential Virtual Machines for Linux on Azure with old certificates must be recreated.

If a VM continues to rely on the 2011 certificates after expiration, it will continue to boot. However, it will no longer receive new security protections in the form of shim updates and future certificates and revocations.

Identify scenarios that require action

Review the following scenarios to determine whether action is required:

• Linux Trusted Launch VMs (TVM) or Confidential VMs (CVM) created prior to April 2024
• Azure Compute Gallery images captured from older (pre-April 2024) Linux Trusted Launch or Confidential VMs
• Snapshots or backups of Linux Trusted Launch or Confidential VMs created prior to April 2024
• Confidential VMs created pre- April 2024 from blobs, imported as secure disk.

Trusted Launch and Confidential Virtual Machines created after April 2024 typically already include Secure Boot 2023 certificates in virtual UEFI firmware.

Note: Linux Confidential VMs created prior to April 2024 should not be manually updated since the Confidential Disk Encryption relies on PCR7 value of the vTPM which is calculated based on the secure boot variables. Updating the secure boot certificates without ensuring FDE key re-sealing will cause the confidential VM to go in recovery mode. It is recommended to recreate such old confidential VMs to get the new certificates.

Azure guest VM considerations

Secure Boot updates for Linux on Azure VMs involve two components:

• Secure Boot certificates in virtual firmware (installed manually via OS provided tooling or automatically via Security updates)
• Linux shim and bootloader updates (distro vendor managed)

Update operations are initiated from within the guest operating system and rely on platform support to apply authenticated updates to Secure Boot variables.

After identifying applicable scenarios, inventory your environment to determine which VMs require updates.

Actions required

For all Azure guest VMs:

• Verify whether Secure Boot 2023 certificates are present in virtual UEFI firmware

For Trusted Launch VMs:

• Initiate updates from within the Linux guest VM operating system where required according to your distro vendor’s recommended guidance and tools.
• For Linux VMs, updates must be applied in the correct order.
  Important: Always update Secure Boot firmware (UEFI variables) before updating shim or bootloader.
• Updating the shim before updating the firmware first may result in a boot failure.

For Confidential VMs:

• Most Confidential VMs have the new certificates already. For Confidential VMs without Secure Boot 2023 certificates present, follow the guidance below in the section, ​​​​​​​Recommendations by Azure for Confidential VMs.

Deploy updates

Secure Boot certificate updates for Linux on Azure VMs are initiated from within the guest operating system. These updates differ by distro vendors, and customers should check with their distro vendor first on the recommended method.

Recommendations from Linux OS vendors:

• UEFI Secure Boot: Microsoft 2023 Certificate Transition | AlmaLinux Wiki
• SecureBoot/CAChanges - Debian Wiki
• Microsoft UEFI CA rotation: What it means for Ubuntu users and vendors - Ubuntu Community Hub

Recommendations by Azure for Confidential VMs:

• The number of CVMs created pre-April 2024 is very low. If your Confidential VM is one of the few that does not have the new certificates, follow steps to recreate the CVM.

Firmware update methods

Note: Before trying the UEFI variable updates directly on production VMs, customers can utilize the Azure quick start template to simulate the Linux Trusted Launch VM with older 2011 UEFI CA certificates.

Using fwupd

Ensure that the VM has fwupd version 2.0.8 or later installed.

To update both KEK and db, run these commands with fwupdmgr:

sudo fwupdmgr refresh

sudo fwupdmgr update

Using efitools

Download db and KEK update packages for Azure.

• wget https://github.com/microsoft/secureboot\_objects/raw/refs/heads/main/ \
  PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin
• wget https://github.com/microsoft/secureboot\_objects/raw/refs/heads/main/ \
  PostSignedObjects/KEK/Microsoft/KEKUpdate_Microsoft_PK1.bin

Use efi-updatevar to install the update packages

sudo efi-updatevar -a -f DBUpdate3P2023.bin db

sudo efi-updatevar -a -f KEKUpdate_Microsoft_PK1.bin KEK

sudo reboot

Using sbsigntools

Download db and KEK update packages for Azure.

wget https://github.com/microsoft/secureboot\_objects/raw/refs/heads/main/ \

PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin

wget https://github.com/microsoft/secureboot\_objects/raw/refs/heads/main/ \

PostSignedObjects/KEK/Microsoft/KEKUpdate_Microsoft_PK1.bin

Use sbkeysync utility of sbsigntools to install the update packages:

sudo mkdir -p /etc/secureboot/keys/db

sudo cp DBUpdate3P2023.bin /etc/secureboot/keys/db

sudo mkdir -p /etc/secureboot/keys/KEK

sudo cp KEKUpdate_Microsoft_PK1.bin /etc/secureboot/keys/KEK

sudo chattr -i /sys/firmware/efi/efivars/db-*

sudo chattr -i /sys/firmware/efi/efivars/KEK-*

sudo sbkeysync --verbose

sudo chattr +i /sys/firmware/efi/efivars/db-*

sudo chattr +i /sys/firmware/efi/efivars/KEK-*

sudo reboot

Verification methods

Using mokutil

• mokutil --db | grep "UEFI CA 2023"
• mokutil --kek | grep "KEK 2K CA 2023"

Using efitools

• efi-readvar -v db | grep "UEFI CA 2023"
• efi-readvar -v KEK | grep "KEK 2K CA 2023"
• ​​​​​​​​​​​​​​

Linux boot chain update

After the successful firmware update, it is safe to apply shim updates from the Linux distribution vendors.

Other Azure resources considerations

Monitor update status

Verify updates through the guest OS:

• Validate successful boot after updates
• Confirm Secure Boot certificates are present in firmware

Monitoring and validation approaches may vary by Linux distribution, and you should check with your distribution vendor.

Mitigation steps in case of boot failures

In case of a failure scenario such as boot failure after UEFI variable update, you can reset the UEFI settings using one of the below methods:

1. Restore the backup taken before starting the manual update process.
2. Convert Trusted Launch VM to Standard VM and re-apply Trusted Launch security type on the VM. (More details here: Enable Trusted launch on existing Gen2 VMs - Azure Virtual Machines | Microsoft Learn)
3. Export the OS vhd to a storage account, create a gallery image from the vhd and deploy the VM using gallery image version.

​​​​​​​​​​​​​​Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. We make no warranty, implied or otherwise, about the performance or reliability of these products.

We provide third-party contact information to help you find technical support. This contact information may change without notice. We do not guarantee the accuracy of this third-party contact information.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.