130

Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a key from Microsoft that is set to expire in September. After that point, Microsoft will no longer use that key to sign the shim first-stage UEFI bootloader that is used by Linux distributions to boot the kernel with Secure Boot. But the replacement key, which has been available since 2023, may not be installed on many systems; worse yet, it may require the hardware vendor to issue an update for the system firmware, which may or may not happen. It seems that the vast majority of systems will not be lost in the shuffle, but it may require extra work from distributors and users.

top 50 comments
sorted by: hot top controversial new old
[-] Decker108@lemmy.ml 3 points 1 day ago

Funny how Microsoft does this just before the October EOL deadline for Windows 10, when a whole bunch of hardware is being forcibly obsoleted...

[-] xia@lemmy.sdf.org 17 points 2 days ago

So... microsoft has positioned itself between common users and Linux... and as an authority of sorts.

[-] umbrella@lemmy.ml 12 points 2 days ago

if only people had predicted this way back when it came out

[-] HaraldvonBlauzahn@feddit.org 8 points 2 days ago

There is even a whole section in Wikipedia on issues and criticism with secure boot:

https://en.m.wikipedia.org/wiki/UEFI#Secure_Boot_criticism

Some people argue that one can work around such locking down of PC hardware. Do this or that to avoid issues with substantial tinkering.

But that is not a bug but a feature. Sure, as a technical Linux user you can work around some nastiness. Like working around privacy invasion on Facebook or Linkedin by "adjusting" settings, or "adjust" settings in Wimdows to make it more private and so on. The thing is: working against the platform becomes quickly a losing game, because you don't control the platform - Microsoft does. And it does not help you if you manage to re-gain control of your device after some hours of tinkering if 99.9% of people around you don't have the knowledge and time and store your data, photos, Emails on OneDrive and so on. Freedom is very much a collective thing and software freedom is no exception.

And this does not mean that the thinkering and hacking is in vain - but it is not enough. We need the practical right to control our devices.

[-] umbrella@lemmy.ml 1 points 2 days ago
[-] deadcatbounce@reddthat.com 24 points 3 days ago

Being beholden to Microsoft doesn't sound like something anyone needs.

Until that ends I'm doing best to avoid secure boot. I don't want to.

[-] data1701d@startrek.website 16 points 3 days ago

You can self-sign and self-enroll secure boot keys. Can’t say it’s an easy process, though - I had a lot of misery with it on my Surface Go 1st Gen. Might be better on my Thinkpad.

[-] umbrella@lemmy.ml 3 points 2 days ago

thus turning computers into phones, where you have to do a complicated unlocking/rekeying process to install your own OS.

[-] HaraldvonBlauzahn@feddit.org 0 points 2 days ago* (last edited 2 days ago)
[-] Max_P@lemmy.max-p.me 5 points 2 days ago

That's bullshit. ARM is an architecture and by itself does not specify secure boot any more than x86 does. Raspberry Pis don't have secure boot. You can unlock the bootloader on a Pixel, install GrapheneOS, and relock the bootloader just fine. Several other manufacturers allow bootloader unlocks no problem. The main reason you can't on some popular phones is US carriers, even international Samsungs you can unlock the bootloader and flash whatever you want on it.

I'm literally typing this comment on a phone running a custom OS (LineageOS on a OnePlus 8T). I'm literally 2 versions of Android ahead of the latest supported version. I also have a Galaxy S7 running Android 15, a phone that officially tops out at Android 8 and launched with Android 6. Both you literally just toggle the bootloader unlock option in the settings, no hacks no craziness, it's literally a feature.

At this point you're just straight up making shit up.

[-] HaraldvonBlauzahn@feddit.org 1 points 2 days ago* (last edited 2 days ago)

That's bullshit. ARM is an architecture and by itself does not specify secure boot any more than x86 does. Raspberry Pis don't have secure boot.

I mean Windows PCs with ARM CPUs which have Secure Boot, not Android smart phones or embedded devices.

[-] Max_P@lemmy.max-p.me 3 points 2 days ago

Nope. Even Qualcomm themselves provide what's needed to run Linux on the Windows for ARM PCs.

The only one I can't find for sure is whether there's any lockdown on the firmware for the Microsoft Surface and Copilot+ laptops, but I'm also not finding any sources pointing that it would be. But at this point you're buying Microsoft hardware, what do you expect.

[-] deadcatbounce@reddthat.com 1 points 2 days ago* (last edited 2 days ago)

I thought it was a Microsoft centric thing in that the certificate authority was either Microsoft or signed by Microsoft?

Maybe I need to read about it more? Can you direct me to the general area?

[-] WhyJiffie@sh.itjust.works 9 points 2 days ago

Microsoft's keys are pre-installed to all motherboards, so boot binaries signed by Microsoft are trusted by default. afaik Microsoft keys often can't be removed, but not because it's not possible, but because it can brick devices. you can create your own MOK or Machine Owner Keys and set up your linux system to sign your bootloader and kernel with it, but that is in addition to Microsoft keys.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot

[-] deadcatbounce@reddthat.com 1 points 2 days ago* (last edited 2 days ago)

Thank-you. Recently rebuilt my Arch Rescue build and saw that section in doing the UKI dance.

I don't mind the Microsoft keys being there at all. I just don't think tying myself to them is particularly clever.

From your final part. I think I need to go back and reread it. Thank-you again.

[-] HaraldvonBlauzahn@feddit.org 3 points 2 days ago* (last edited 2 days ago)
[-] deadcatbounce@reddthat.com 2 points 2 days ago

Oh. Thank-you. I'll read through.

[-] Max_P@lemmy.max-p.me 21 points 3 days ago

As commenters on the LWN thread said, I doubt that many firmwares even bother to check anyway. My motherboard happens to have had a bug where you can corrupt the RTC and end up in 2031 if you overclock it wrong. I didn't use secure boot then though so I don't know if it would have still booted Windows. But I imagine it would.

That said, I've always just enrolled my own keys. I know some other distros that make you enroll their keys as well like Bazzite. At least that way you don't depend on Microsoft's keys and shim or anything, clean proper secure boot straight into UKI.

[-] HaraldvonBlauzahn@feddit.org 1 points 2 days ago

That said, I've always just enrolled my own keys.

That is far more complex than a firmware update and also depends on a correct implementation of the spec in the BIOS - which, given the experiences with ACPI for Linux, is not at all something one can rely on.

[-] Max_P@lemmy.max-p.me 1 points 2 days ago

It has nothing to do with ACPI whatsoever. And firmwares this broken are the exception not the rule.

[-] HaraldvonBlauzahn@feddit.org 2 points 2 days ago* (last edited 2 days ago)

ACPI, especislly as it was at the beginning, is a good example that formally having a spec does not guarantee interoperability: You might get running Linux on some Laptop, but this does not guarantee that essential things like power management work.

[-] HaraldvonBlauzahn@feddit.org 4 points 3 days ago* (last edited 3 days ago)

As commenters on the LWN thread said, I doubt that many firmwares even bother to check anyway. My motherboard happens to have had a bug where you can corrupt the RTC and end up in 2031 if you overclock it wrong.

Seems it compares the expiration date of the UEFI key with the signature date of the bootloader / OS keys. (See the comments on the LWN article, some are far more knowledgeable than I am.) So, no, it does not require a working on-board clock to lock you out if you are not extremely careful and fully understand each part.

load more comments (12 replies)
[-] eugenia@lemmy.ml 7 points 3 days ago

I think this already bites people, it has started, it's not in September but now?: https://x.com/rogerioperdiz/status/1946873449537798582

[-] Tenderizer78@lemmy.ml 12 points 3 days ago* (last edited 3 days ago)

I just tried to distro-hop and found my BIOS had been locked with a password. Assuming I didn't set a password that I subsequently forgot (and that isn't one of the many I have memorized), I figured this might have something to do with the age of the laptop (I have a HP 4540s). If certificate expiration is already affecting people then this might be it.

EDIT: I just forgot I set a password, and it took me 2 days to realize that I was stupid enough to have set the password that I used for everything when I was 12 years old.

[-] drspod@lemmy.ml 3 points 3 days ago

How did you bypass the password?

[-] SteveTech@programming.dev 4 points 2 days ago

Not OP, but BIOSes often give you a specific error code after a few wrong password attempts. You can put the code in here to recover the password: https://bios-pw.org/

[-] Tenderizer78@lemmy.ml 2 points 3 days ago

I didn't. And apparently you can't without trying to short-circuit the motherboard. I just assumed, and assumed wrong.

[-] HaraldvonBlauzahn@feddit.org 9 points 3 days ago* (last edited 3 days ago)

The details are complex; it has humorously been called "security by security".

Hobby Linux users could, as far as I understand , simply disable UEFI secure boot (after weigthing carefully what secure boot provides to them, and what it does not provide). Otherwise, they'll need a firmware upgrade before any upgrade to a new OS / bootloader chain.

Small companies which use old laptops with Windows might be bitten hard by this because they can become locked out of their hardware with no way to update it, or even make a backup!

[-] HaraldvonBlauzahn@feddit.org 7 points 3 days ago* (last edited 3 days ago)

And by the way, Intel motherboards which are running your Linux system may contain a copy of Minix - yes, the Minix from the historic Tanenbaum vs. Torvalds debate - which runs below the OS in the system management mode engine and is controlled by the vendor, which can e.g. update firmware via the network. SMM is normally not visible by the user but it can cause problems e.g. for real-time applications because it has higher privileges than the kernel and can interrupt all of the kernel at any time.

[-] Technus@lemmy.zip 5 points 3 days ago

For a home desktop that's never left unattended with anyone untrustworthy, I don't see that Secure Boot is worth the effort in setting up.

Given that you have to re-sign the boot image every time you upgrade, any malware already running with root privileges on the machine could easily slip itself into the new signed image.

The best security is not running untrusted software to begin with.

[-] SheeEttin@lemmy.zip 6 points 3 days ago

If secure boot is off, and you run malware on your pc, it can change the boot process to escalate privileges.

This probably requires root or admin in the first place, but if they can install a malware loader, they can establish persistence so that even if you remove the os-level components, they'll be reinstalled on reboot.

[-] HaraldvonBlauzahn@feddit.org 1 points 2 days ago* (last edited 2 days ago)

If secure boot is off, and you run malware on your pc, it can change the boot process to escalate privileges.

This is technically correct, but on a desktop system, malware executing in user space is normally already game over. It can exfiltrate and send your passwords or ssh private keys, change browser certificates or browser software, add user systemd sessions or crontab entries and can generally e.g. do everything a banking trojan would like to do.

[-] Technus@lemmy.zip 1 points 2 days ago

Yeah, but the malware can just wait for a system upgrade where you sign a new boot image and slip itself in then.

It works for Windows because theoretically only Microsoft would have the signing key and it's not just sitting on disk somewhere. But then you're just trusting Microsoft, and also subject to vendor lock-in.

load more comments (8 replies)
load more comments
view more: next ›
this post was submitted on 20 Jul 2025
130 points (99.2% liked)

Linux

56593 readers
361 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 6 years ago
MODERATORS