130

Linux and Secure Boot certificate expiration (lwn.net)

submitted 3 days ago by HaraldvonBlauzahn@feddit.org to c/linux@lemmy.ml

53 comments fedilink hide all child comments

Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a key from Microsoft that is set to expire in September. After that point, Microsoft will no longer use that key to sign the shim first-stage UEFI bootloader that is used by Linux distributions to boot the kernel with Secure Boot. But the replacement key, which has been available since 2023, may not be installed on many systems; worse yet, it may require the hardware vendor to issue an update for the system firmware, which may or may not happen. It seems that the vast majority of systems will not be lost in the shuffle, but it may require extra work from distributors and users.

you are viewing a single comment's thread
view the rest of the comments

[-] deadcatbounce@reddthat.com 24 points 3 days ago

Being beholden to Microsoft doesn't sound like something anyone needs.

Until that ends I'm doing best to avoid secure boot. I don't want to.

[-] data1701d@startrek.website 16 points 3 days ago

You can self-sign and self-enroll secure boot keys. Can’t say it’s an easy process, though - I had a lot of misery with it on my Surface Go 1st Gen. Might be better on my Thinkpad.

[-] umbrella@lemmy.ml 3 points 3 days ago

thus turning computers into phones, where you have to do a complicated unlocking/rekeying process to install your own OS.

[-] HaraldvonBlauzahn@feddit.org 0 points 2 days ago* (last edited 2 days ago)

On ARM, you even can't disable Secure Boot - it is mandatory for ARM Windows PCs.

[-] Max_P@lemmy.max-p.me 5 points 2 days ago

That's bullshit. ARM is an architecture and by itself does not specify secure boot any more than x86 does. Raspberry Pis don't have secure boot. You can unlock the bootloader on a Pixel, install GrapheneOS, and relock the bootloader just fine. Several other manufacturers allow bootloader unlocks no problem. The main reason you can't on some popular phones is US carriers, even international Samsungs you can unlock the bootloader and flash whatever you want on it.

I'm literally typing this comment on a phone running a custom OS (LineageOS on a OnePlus 8T). I'm literally 2 versions of Android ahead of the latest supported version. I also have a Galaxy S7 running Android 15, a phone that officially tops out at Android 8 and launched with Android 6. Both you literally just toggle the bootloader unlock option in the settings, no hacks no craziness, it's literally a feature.

At this point you're just straight up making shit up.

[-] HaraldvonBlauzahn@feddit.org 1 points 2 days ago* (last edited 2 days ago)

That's bullshit. ARM is an architecture and by itself does not specify secure boot any more than x86 does. Raspberry Pis don't have secure boot.

I mean Windows PCs with ARM CPUs which have Secure Boot, not Android smart phones or embedded devices.

[-] Max_P@lemmy.max-p.me 3 points 2 days ago

Nope. Even Qualcomm themselves provide what's needed to run Linux on the Windows for ARM PCs.

The only one I can't find for sure is whether there's any lockdown on the firmware for the Microsoft Surface and Copilot+ laptops, but I'm also not finding any sources pointing that it would be. But at this point you're buying Microsoft hardware, what do you expect.

[-] deadcatbounce@reddthat.com 1 points 3 days ago* (last edited 3 days ago)

I thought it was a Microsoft centric thing in that the certificate authority was either Microsoft or signed by Microsoft?

Maybe I need to read about it more? Can you direct me to the general area?

[-] WhyJiffie@sh.itjust.works 9 points 3 days ago

Microsoft's keys are pre-installed to all motherboards, so boot binaries signed by Microsoft are trusted by default. afaik Microsoft keys often can't be removed, but not because it's not possible, but because it can brick devices. you can create your own MOK or Machine Owner Keys and set up your linux system to sign your bootloader and kernel with it, but that is in addition to Microsoft keys.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot

[-] deadcatbounce@reddthat.com 1 points 3 days ago* (last edited 3 days ago)

Thank-you. Recently rebuilt my Arch Rescue build and saw that section in doing the UKI dance.

I don't mind the Microsoft keys being there at all. I just don't think tying myself to them is particularly clever.

From your final part. I think I need to go back and reread it. Thank-you again.

[-] HaraldvonBlauzahn@feddit.org 3 points 2 days ago* (last edited 2 days ago)

Here

https://en.m.wikipedia.org/wiki/UEFI#Secure_Boot_criticism

is a list of problems and criticism on Secure Boot.

[-] deadcatbounce@reddthat.com 2 points 2 days ago

Oh. Thank-you. I'll read through.

this post was submitted on 20 Jul 2025

130 points (99.2% liked)

Linux

56593 readers

402 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 6 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz