Linux users may face yet another hurdle related to Secure Boot when the Microsoft-signed key used by many distributions to support the firmware-based security feature expires on September 11, leaving users at the mercy of distribution from OEMs, and systems possibly not receiving a necessary firmware update.
As LWN reported (paywall), Microsoft will stop using the expiring key to sign the shim in September. “But the replacement key, which has been available since 2023, may not be installed on many systems; worse yet, it may require the hardware vendor to issue an update for the system firmware, which may or may not happen,” LWN said. “It seems that the vast majority of systems will not be lost in the shuffle, but it may require extra work from distributors and users.”
The report said manufacturers could add support for the new key in a full firmware update or by updating the KEK database. The former assumes that manufacturers would be interested in distributing a firmware update for a wide variety of products so a small percentage of their users could use Secure Boot with a non-Windows OS; the latter is an unproven mechanism that isn’t guaranteed to work on all devices. Both seem likely to leave at least some people to figure out a solution on their own.
Microsoft’s Secure Boot UEFI bootloader signing key expires in September, posing problems for Linux users

So my old Lenovo x220 that started as Windows and since then I wiped and installed pop os with full disk encryption is going to have a problem?
Secure boot will fail validation. You can still boot it anyway by disabling secure boot. You just lose a layer of security. You can manually sign boot files yourself and add the relevant certificate to the motherboard firmware database. Assuming it lets you.
I see, I’m just a novice at Linux and this seems complicated. Is there a good tutorial somewhere? Otherwise I might just disable secure boot
Sorry for delay.
Install sbsigntool.
Create Certificate:
# cacert.pem / cakey.pem are your own CA certificate and private key; this converts the cert to DER for import
openssl x509 -outform der -in cacert.pem -out certificate.crt
The resulting certificate.crt is what will be used to verify the signature of the EFI binary. You will import this into the motherboard’s firmware database.
Sign EFI Binary:
# signs bootx64.efi with your key and writes the signed copy as BOOTX64.efi
sbsign --key cakey.pem --cert cacert.pem bootx64.efi --output BOOTX64.efi
After you sign the boot file, reboot into the firmware and import the certificate. Reboot normally and secure boot should work without issue.
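Before taking the self-signing route above it is worth checking what the firmware already trusts. The following is an added example, not the commenter's code or anything from the article: it reads the UEFI KEK and db variables through efivarfs, walks the EFI_SIGNATURE_LIST structures by hand, and reports whether the 2011 Microsoft CAs and their 2023 replacements are present. The variable GUIDs and structure layout come from the UEFI specification; the certificate common-name strings are assumptions to verify against `openssl x509 -noout -subject` on a dump of your own db, and matching them as raw substrings of the DER is a deliberate shortcut so the script runs without a certificate-parsing library.

```python
"""Report which Secure Boot CAs the firmware's KEK and db already hold.

Added example for this thread; needs a UEFI Linux system with efivarfs
mounted for the live check, but the parsing is pure Python.
"""
import struct
import sys
import uuid
from pathlib import Path

# Vendor GUIDs and signature-type GUIDs from the UEFI specification.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

EFIVARS = Path("/sys/firmware/efi/efivars")
VARIABLES = {
    "KEK": EFIVARS / f"KEK-{EFI_GLOBAL_VARIABLE}",
    "db": EFIVARS / f"db-{EFI_IMAGE_SECURITY_DATABASE}",
}

# Assumption: subject CNs of the certificates in question, as printed by
# `openssl x509 -noout -subject`. Check them before trusting a "missing" verdict.
KNOWN_CNS = [
    b"Microsoft Corporation UEFI CA 2011",
    b"Microsoft UEFI CA 2023",
    b"Microsoft Corporation KEK CA 2011",
    b"Microsoft Corporation KEK 2K CA 2023",
]

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
ESL_HEADER = struct.Struct("<16sIII")


def parse_esl(blob: bytes) -> list[tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Walk a chain of EFI_SIGNATURE_LISTs; return (type, owner, data) per entry.

    Corrupt sizes raise ValueError rather than looping or reading past the end,
    which is the failure mode to guard against on data taken straight from firmware.
    """
    entries, off = [], 0
    while off + ESL_HEADER.size <= len(blob):
        type_bytes, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError(f"corrupt EFI_SIGNATURE_LIST at offset {off}")
        sig_type = uuid.UUID(bytes_le=type_bytes)
        pos, end = off + ESL_HEADER.size + hdr_size, off + list_size
        while pos + sig_size <= end:  # each entry: 16-byte SignatureOwner + data
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, datas: list[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST. Entries in a list share one size, so
    certificates get a list each while hashes can share one."""
    sizes = {len(d) for d in datas}
    if len(sizes) != 1:
        raise ValueError("all signatures in one list must be the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + d for d in datas)
    return ESL_HEADER.pack(sig_type.bytes_le, ESL_HEADER.size + len(body), 0, sig_size) + body


def certificate_label(der: bytes) -> str:
    """Name a DER certificate by a known CN substring; otherwise report its size."""
    for cn in KNOWN_CNS:
        if cn in der:
            return cn.decode()
    return f"unrecognised certificate ({len(der)} bytes)"


def summarize(blob: bytes) -> dict:
    """Split a db/KEK variable into certificate labels and hash counts."""
    result = {"x509": [], "sha256": 0, "other": 0}
    for sig_type, _owner, data in parse_esl(blob):
        if sig_type == EFI_CERT_X509_GUID:
            result["x509"].append(certificate_label(data))
        elif sig_type == EFI_CERT_SHA256_GUID:
            result["sha256"] += 1
        else:
            result["other"] += 1
    return result


def read_efivar(path: Path) -> bytes:
    """efivarfs prefixes every variable with a 4-byte attribute word."""
    return path.read_bytes()[4:]


def verdict(kek_labels: list[str], db_labels: list[str]) -> str:
    """db updates must be signed by a KEK entry, so the KEK matters too."""
    if "Microsoft UEFI CA 2023" in db_labels:
        return "db already trusts the 2023 UEFI CA; a shim signed by it will boot"
    if "Microsoft Corporation KEK 2K CA 2023" in kek_labels:
        return "KEK holds the 2023 KEK CA, so a db update signed with it can be applied"
    return "neither 2023 CA present; expect to need a firmware/KEK update or self-signing"


def main() -> int:
    if not EFIVARS.is_dir():
        print("no efivarfs; not a UEFI boot, or not mounted")
        return 1
    labels = {}
    for name, path in VARIABLES.items():
        if not path.exists():
            print(f"{name}: variable not present")
            labels[name] = []
            continue
        info = summarize(read_efivar(path))
        labels[name] = info["x509"]
        print(f"{name}: {len(info['x509'])} certificate(s), {info['sha256']} SHA-256 hash(es)")
        for label in info["x509"]:
            print("   ", label)
    print(verdict(labels["KEK"], labels["db"]))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as an ordinary user on the machine in question; db and KEK are world-readable under efivarfs. A certificate reported only by size is not necessarily a problem (OEM and shim vendor certificates are common), but if neither 2023 CA shows up, the manual signing steps above, or a vendor firmware update, are the options left.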
It would appear that major distros like RedHat/Fedora, Ubuntu, Debian, etc. are not overly concerned at this point. I would suspect that if they truly feared this happening, they would be moving very quickly to create patches or workarounds for this problem.
If you start with a reasonably recent Windows machine, there’s a TPM with secure boot (and MS keys) enabled. If setting up dualboot Windows/Linux, you’re going through BIOS/UEFI, so expiring keys will affect you. Booting into Windows and doing an update should fix the problem.
If you disabled secureboot/FDE, then installed Linux and left it at that, you should be OK.
But under Linux, those who re-enable full-disk encryption or secure boot via the TPM may be impacted by this, and since they’ve removed Windows, they may be screwed: https://allthings.how/how-to-enable-tpm-encryption-and-secure-boot-on-ubuntu-24-04/
So why can’t Linux just do whatever the Windows update does?
The Windows update loads a chain of trust that tells the bootloader the device is OK and your version of Windows is real and your full-disk-encryption is fine. Linux folks don’t have (or need) all that. They can create their own chain of trust if they want, but they don’t have read/write access to the Microsoft one.
If they did, we would be reading a completely different article starting with why the world was on fire.
So my framework 16 that has never seen Windows running FedoraKDE with FDE (but not auto-unlock, typed pass every boot) enabled is going to explode?
Half kidding, but like, should I disable secure boot or something? Run fwupd?
If it’s never seen Windows you may be fine.
The problem is mostly for systems that dual-boot or had Windows at one point, but got Linux installed on top. A lot of people use old Lenovo, HP, or Dell computers and repurpose them for Linux. Those are the ones that may get bit.
Ordered it plain, added flavor myself (FedoraKDE, as I mentioned lol).
I do have a few spare old laptops with linux that used to be windows, but tbh the critical one is my main, the others don’t really need secure boot as long as they don’t get bricked.
I don’t understand, a. Why is Linux using Microsoft keys?, and b. Why isn’t this a problem for Windows too?
From https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/signing-a-kernel-and-modules-for-secure-boot_managing-monitoring-and-updating-the-kernel: “In addition, the signed first-stage boot loader and the signed kernel include embedded Red Hat public keys. These signed executable binaries and embedded keys enable RHEL 8 to install, boot, and run with the Microsoft UEFI Secure Boot Certification Authority keys. These keys are provided by the UEFI firmware on systems that support UEFI Secure Boot.”
Basically the Microsoft keys are ones that the firmware vendor (motherboard or chip manufacturer) recognizes as secure by default (via CA validation). You can override them. It’s not a Linux issue but a hardware-vendor-defaulting-to-Microsoft issue.
If security is the actual I’d even argue you SHOULD override them. It’s like the default password on your home router.
You’re not wrong, but unfortunately it’s not simple and can brick your motherboard if you make a mistake. I wouldn’t expect the average Linux user to do it these days. It can also depend on the hardware. If they don’t expose any ability to change the keys you’re stuck.
Microsoft has spent the time and money to get their key added to the silicone of the BIOS chips on PC hardware. Everyone else needs to get their key signed by Microsoft, including Red Hat and Canonical.
=/= ≠ ≠/!=/<>/~=
My preferred is ><
I was always partial to !=, to me it says WOOAH PARDNER, LOOK OUT, not equal
I reckon it ain’t. 🤠
Mhmm spittoon noises
What about silly cone?
BIOS has tiddy implants?
AFAIK it’s not necessarily about Linux using Microsoft keys, it’s more about Microsoft shoe-horning their bullshit into everything they possibly can, including at the hardware/firmware level.
I’ve learned several new commands from this thread and am grateful to all of you who’ve taught me them.