secureboot: rotate bundled enrollment keys from ghaf-infra-pki #1781

Merged
brianmcgillion merged 1 commit into tiiuae:main from vadika:feature/rotate-secureboot-keys
Feb 26, 2026

Contributor

@vadika commented Feb 24, 2026

Replace PK/KEK/db enrollment artifacts with the yubi-uefi bundle from ghaf-infra-pki and record provenance and checksums.

This aligns installer enrollment material with the current infra PKI chain and updates docs to describe the new source.

Description of Changes

Type of Change

  • New Feature
  • Bug Fix
  • Improvement / Refactor

Related Issues / Tickets

Checklist

  • Clear summary in PR description
  • Detailed and meaningful commit message(s)
  • Commits are logically organized and squashed if appropriate
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • Author has run make-checks and it passes
  • All automatic GitHub Action checks pass - see actions
  • Author has added reviewers and removed PR draft status

Testing Instructions

Applicable Targets

  • Orin AGX aarch64
  • Orin NX aarch64
  • Lenovo X1 x86_64
  • Dell Latitude x86_64
  • System 76 x86_64

Installation Method

  • Requires full re-installation
  • Can be updated with nixos-rebuild ... switch
  • Other:

Test Steps To Verify:

  1. ...

@vadika added the "Needs Testing" (CI Team to pre-verify) label Feb 24, 2026
Replace PK/KEK/db enrollment artifacts with the yubi-uefi bundle from ghaf-infra-pki and record provenance and checksums.

This aligns installer enrollment material with the current infra PKI chain and updates docs to describe the new source.

Signed-off-by: vadik likholetov <vadikas@gmail.com>
@milva-unikie

Tested with uefisigned Darter Pro installer and uefisigned Lenovo X1 installer

  • Installation works with ghaf-installer -s
  • After installation laptops boot with Secure Boot enabled

@milva-unikie added the "Tested on Lenovo X1 Carbon" (This PR has been tested on Lenovo X1 Carbon) and "Tested on System76" labels and removed the "Needs Testing" (CI Team to pre-verify) label Feb 24, 2026
@brianmcgillion brianmcgillion merged commit 3e027be into tiiuae:main Feb 26, 2026
32 checks passed
4 participants