Upcoming updates to the Microsoft certificate revocation list in UEFI firmware will require IGEL devices to run IGEL OS 11.10.410 or IGEL OS 12.7.0 (or newer).
If a device’s UEFI firmware is updated before its OS is upgraded, the device could be prevented from starting. This change also impacts IGEL UD Pocket devices.
Details
The Secure Boot security feature in Unified Extensible Firmware Interface (UEFI) based firmware helps ensure that only trusted software runs during a device's boot (start) sequence. It works by verifying the digital signature of pre-boot software against a set of trusted digital certificates stored in the device's firmware.
To maintain a trusted list of certificates, updated certificate revocation lists (CRLs) are periodically released to invalidate older certificate authorities and prevent their continued use. These CRLs are added to the UEFI firmware by manufacturers and distributed as firmware updates.
If an OS version is signed by a certificate that has been revoked, Secure Boot will prevent the device from starting, as a safeguard in case the OS has been compromised. Older versions of IGEL OS may have been signed by a certificate that Microsoft is planning to revoke so that it may be replaced by a new version.
Microsoft will release the new CRL on 14 October, but the release dates of new firmware from hardware vendors are currently unknown.
What To Do
To avoid any impact, customers should plan to upgrade to at least one of the following versions of IGEL OS before performing any UEFI updates:
- IGEL OS 11 – v11.10.410
- IGEL OS 12 – v12.7.0
Helient recommends that customers take the opportunity to upgrade to the newest release so that they can receive the latest security updates. At the time of writing, these are:
- IGEL OS 11.10.410
- IGEL OS 12.7.2 PR1
As with any updates, customers are encouraged to thoroughly read the release notes of both the OS and any firmware updates to ensure compatibility is maintained prior to performing any upgrades. Additionally, any updates should first be performed in a test environment.
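The ordering rule above (OS upgrade first, UEFI update second) can be enforced as a pre-flight gate over a device inventory. The following is an added example, not IGEL or Helient code; the inventory format and device names are constructed, and treating unknown major releases as "hold" is an assumption made here to fail closed.

```python
import re

# Minimum IGEL OS versions named in this advisory, keyed by major release.
MIN_SAFE = {11: (11, 10, 410), 12: (12, 7, 0)}

def parse_version(text):
    """Return the numeric components of a version string as a tuple of ints.

    Accepts forms such as "11.10.410", "v12.7.0" and "12.7.2 PR1"; a trailing
    label is ignored. Raises ValueError when no dotted number is found.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"unparsable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def firmware_update_allowed(os_version):
    """True only if the OS version meets the minimum for its major release.

    Assumption: unknown major releases and unparsable strings return False,
    so those devices are held for manual review rather than updated.
    """
    try:
        v = parse_version(os_version)
    except ValueError:
        return False
    minimum = MIN_SAFE.get(v[0])
    if minimum is None:
        return False
    # Pad to equal length so "12.7" compares equal to "12.7.0".
    width = max(len(v), len(minimum))
    return v + (0,) * (width - len(v)) >= minimum + (0,) * (width - len(minimum))

def hold_list(inventory):
    """Return device names whose UEFI update must wait for an OS upgrade."""
    return [name for name, ver in inventory if not firmware_update_allowed(ver)]

# Constructed sample inventory (device names and versions are made up).
SAMPLE = [
    ("kiosk-01", "11.10.410"), ("kiosk-02", "11.09.260"),
    ("desk-17", "12.7.2 PR1"), ("desk-18", "12.6.1"),
    ("pocket-03", "v12.7.0"), ("lab-09", "unknown"),
]

if __name__ == "__main__":
    for name in hold_list(SAMPLE):
        print(f"HOLD firmware update: {name}")
```

Devices on the hold list should be excluded from any firmware rollout group until their OS upgrade has been confirmed.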
Next Steps
Customers are encouraged to perform the required updates as soon as possible.
Please reach out if you would like Helient Technologies’ highly experienced engineers to assist with the planning or deployment of these updates.