Secure boot certificates (2023 CA) for Azure Linux VMs?

ganrad 0 Reputation points Microsoft Employee

Should secure boot certificates (2023 CA & KEK) be applied manually to Azure Linux VMs, or are they applied automatically?

This pertains to security advisory with tracking ID: SQG4-QKG

If the certs have to be applied manually, should the instructions described in this article be followed?

https://support.microsoft.com/en-us/topic/secure-boot-certificate-updates-for-linux-on-azure-virtual-machines-df51ba85-4e1e-4eda-b1d8-f0881970e997#bkmk_deploy

Thanks.

  1. Hemalatha 14,525 Reputation points Microsoft External Staff Moderator

    Hello ganrad,

    Thank you for reaching out to Q&A regarding security advisory SQG4-QKG and the Secure Boot 2023 CA and KEK certificate updates for Azure Linux Virtual Machines.

    Whether action is required depends on the VM type and when it was created.

    Linux Trusted Launch and Confidential VMs created after April 2024 already include the Secure Boot 2023 certificates in their virtual UEFI firmware. No action is required for these VMs.

    Linux Trusted Launch VMs (TVMs) created before April 2024 do not receive the certificate update automatically. We recommend verifying whether the 2023 certificates are already present in your VM's virtual UEFI firmware. If they are not, please follow Microsoft's step-by-step guidance to apply the update manually. One important note: always update the Secure Boot firmware certificates before updating the shim or bootloader — doing it in the wrong order may cause boot failures.

    Linux Confidential VMs (CVMs) created before April 2024 should not be updated manually. Because Confidential Disk Encryption relies on vTPM measurements tied to Secure Boot variables, manually updating the certificates can cause the VM to enter recovery mode. Microsoft's recommendation in this case is to recreate the VM, which will provision it with the updated certificates automatically.

    Reference:

    Secure Boot certificate updates for Linux on Azure virtual machines

    Secure Boot update from 2011 to 2023 certificates: Trusted Launch VMs (TVM) and Confidential VMs (CVM)

    Trusted Launch for Azure virtual machines



Answer accepted by question author

Jose Benjamin Solis Nolasco 8,561 Reputation points Volunteer Moderator

Welcome to Microsoft Q&A

Hello @ganrad I hope you are doing well,

To directly answer your questions: For existing, long-running Azure Linux Virtual Machines, the 2023 Secure Boot certificates (CA and KEK) are not applied automatically by the Azure platform. You must deploy them manually from within the guest operating system. Because Azure Trusted Launch and Gen2 VMs expose the virtualized UEFI firmware directly to the guest OS, Microsoft treats the update of these cryptographic variables as a customer-managed OS-level operation. While Azure updates the default virtual motherboard templates so that newly deployed VMs include the 2023 certificates by default, running VMs retain their original 2011 certificates until explicitly updated by the administrator.

Regarding the documentation: Yes, the article you referenced (Secure Boot certificate updates for Linux on Azure virtual machines) is the authoritative, supported guide for this procedure. You should follow the exact steps outlined there, utilizing tools like fwupdmgr or efi-updatevar to push the signed .auth payloads into the EFI variable store.

Crucial architectural note: If you are running Linux Confidential VMs (CVMs) deployed prior to April 2024 with Full Disk Encryption tied to the vTPM, do not run this manual update. Modifying the Secure Boot DB will alter PCR7 measurements, which will break the disk decryption seal on the next reboot. For those specific legacy CVMs, the supported path is to recreate the VM entirely rather than attempting an in-place certificate swap.

Important caveats and safety notes

  • Do not perform the update on certain legacy Confidential VMs (CVMs) or VMs with Full Disk Encryption tied to vTPM if the vendor guidance warns against it. Updating DB/KEK changes PCR measurements and can break disk decryption on reboot. For those VMs the supported path may be to recreate the VM with updated firmware.
  • Test first on a non‑production VM that mirrors your production configuration.
  • Back up any critical data and snapshots before changing EFI variables.
  • Use only signed .auth payloads provided by Microsoft's guidance; do not craft unsigned payloads.

If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!
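Both answers above come down to one practical step before (and after) touching anything: find out whether the 2023 certificates are already in the VM's db and KEK variables. The script below is an added example written for this thread, not code from the page, from Microsoft, or from the linked article. It walks the EFI_SIGNATURE_LIST structures exposed through efivarfs and counts X.509 entries whose subject contains "CA 2023" (the naming Microsoft uses for the 2023 certificates); the `SAMPLE_DB` at the bottom is a constructed stand-in whose payloads are not real certificates, and the owner GUID in it is made up.

```python
"""Count X.509 entries naming a 2023 CA inside a Secure Boot variable (db/KEK).
Added example for this Q&A thread; not code from the page or from Microsoft."""
import struct, uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
SB_VARS = {  # variable name + vendor GUID, exactly as efivarfs names the files
    "db": "db-d719b2cb-3d3a-4596-a3bc-dad00e67656f",
    "KEK": "KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c",
}
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
ESL_HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize


def parse_signature_lists(blob):
    """Yield (signature_type, owner_guid, signature_data) for every entry."""
    off = 0
    while off < len(blob):
        if off + ESL_HDR.size > len(blob):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at {off}")
        sig_type, list_size, hdr_size, sig_size = ESL_HDR.unpack_from(blob, off)
        start, end = off + ESL_HDR.size + hdr_size, off + list_size
        if sig_size <= 16 or end > len(blob) or start > end or (end - start) % sig_size:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        for i in range(start, end, sig_size):
            entry = blob[i:i + sig_size]
            yield uuid.UUID(bytes_le=sig_type), uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off = end


def count_2023_certs(blob, needle=b"CA 2023"):
    """DER stores an ASCII CN as its raw bytes, so a substring test finds
    subjects such as 'Microsoft UEFI CA 2023' without a full ASN.1 parser."""
    return sum(1 for t, _, der in parse_signature_lists(blob)
               if t == EFI_CERT_X509_GUID and needle in der)


def build_signature_list(sig_type, owner, payload):
    """Build a one-entry EFI_SIGNATURE_LIST; used here to construct test input."""
    entry = owner.bytes_le + payload
    return ESL_HDR.pack(sig_type.bytes_le, ESL_HDR.size + len(entry), 0, len(entry)) + entry


def read_efivar(name):
    """efivarfs prefixes every variable with a 4-byte attributes field."""
    return (EFIVARS / name).read_bytes()[4:]


# Constructed sample: made-up owner GUID, payloads are subject text only, NOT real DER certs.
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, OWNER, b"CN=Microsoft Corporation UEFI CA 2011")
             + build_signature_list(EFI_CERT_X509_GUID, OWNER, b"CN=Microsoft UEFI CA 2023"))
```

On a live Gen2/Trusted Launch guest, `count_2023_certs(read_efivar(SB_VARS["db"]))` and the same for `"KEK"` give the pre-update baseline; a `FileNotFoundError` means the firmware does not expose Secure Boot variables at all.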


1 additional answer

  1. AI answer

    For Azure Linux virtual machines that use Secure Boot, the new 2023 Secure Boot certificate authorities (CAs) and KEK must be present in the VM’s Secure Boot firmware variables before the 2011 certificates start expiring in June 2026.

    From the provided guidance:

    • Secure Boot certificates are time‑limited and must be refreshed to the 2023 CAs before the 2011 CAs expire, otherwise new Secure Boot and Boot Manager protections and mitigations can no longer be applied and boot security is compromised.
    • In virtualized environments, there are two ways the new certificates can be added:
      1. The virtual environment provider (such as Azure) can update the virtualized firmware so new VMs start with the updated certificates.
      2. For long‑running VMs, the certificates can be applied through the guest OS (if the virtualized firmware supports Secure Boot updates), using the published deployment guidance.

    Because of this, Azure may provide updated virtual firmware for new Linux VMs, but long‑running Secure Boot–enabled Linux VMs should be treated as customer/IT‑managed systems. For those, the Secure Boot certificate updates need to be applied via the OS following Microsoft’s published Secure Boot update guidance for Linux on Azure VMs.

    The general Microsoft guidance for Secure Boot certificate expiration and CA updates makes clear that both the Secure Boot DB and KEK must be updated to the 2023 versions on devices that will continue to rely on Secure Boot protections. For Linux on Azure VMs, the referenced article with deployment instructions is the correct path to follow when manual deployment is required.

    In practice, this means:

    • For new Azure Linux VMs created after Azure updates its virtual firmware, the 2023 CAs may be present automatically.
    • For existing Secure Boot–enabled Azure Linux VMs that will remain in service, follow the Linux‑specific Secure Boot certificate deployment guidance (as in the article referenced in the question) to ensure the 2023 CA and KEK are applied before the 2011 certificates expire.
