Linux

8763 readers

500 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago

MODERATORS

Ategon@programming.dev

anzo@programming.dev

dwraf_of_ignorance@programming.dev

274

Microsoft's Secure Boot UEFI bootloader signing key expires in September, posing problems for Linux users (www.tomshardware.com)

submitted 1 week ago by throws_lemy@lemmy.nz to c/linux@programming.dev

25 comments fedilink hide all child comments

Linux users may face yet another hurdle related to Secure Boot when the Microsoft-signed key used by many distributions to support the firmware-based security feature expires on September 11, leaving users at the mercy of distribution from OEMs, and systems possibly not receiving a necessary firmware update.

As LWN reported (paywall) that Microsoft will stop using the expiring key to sign the shim in September. "But the replacement key, which has been available since 2023, may not be installed on many systems; worse yet, it may require the hardware vendor to issue an update for the system firmware, which may or may not happen," LWN said. "It seems that the vast majority of systems will not be lost in the shuffle, but it may require extra work from distributors and users."

The report said manufacturers could add support for the new key in a full firmware update or by updating the KEK database. The former assumes that manufacturers would be interested in distributing a firmware update for a wide variety of products so a small percentage of their users could use Secure Boot with a non-Windows OS; the latter is an unproven mechanism that isn't guaranteed to work on all devices. Both seem likely to leave at least some people to figure out a solution on their own.

you are viewing a single comment's thread
view the rest of the comments

[–] fubarx@lemmy.world 64 points 1 week ago (10 children)

If you start with a reasonably recent Windows machine, there's a TPM with secure boot (and MS keys) enabled. If setting up dualboot Windows/Linux, you're going through BIOS/UEFI, so expiring keys will affect you. Booting into Windows and doing an update should fix the problem.

If you disabled secureboot/FDE, then installed Linux and left it at that, you should be OK.

But under Linux, those who reenable fulldisk encryption or secure boot via the TPM may be impacted by this, and since they've removed Windows, they may be screwed: https://allthings.how/how-to-enable-tpm-encryption-and-secure-boot-on-ubuntu-24-04/

[–] FizzyOrange@programming.dev 15 points 1 week ago (6 children)

So why can't Linux just do whatever the Windows update does?

[–] ben@feddit.dk 33 points 1 week ago (2 children)

Tools to do that exists. fwupd is a tool to update firmwares. I just tested it on a thinkpad and went from 351 keys to 518 secureboot keys.

GNOME Software also uses fwupd, that should take care of a good chunk of users.

[–] kadup@lemmy.world 16 points 1 week ago (1 children)

So this is an exaggerated non-issue that is phrased as if it was the end of Linux? Crazy, this never happened before! See you all next week when Linux is doomed again.

[–] groet@feddit.org 14 points 1 week ago (1 children)

Its an exaggerated ~~non-~~issue

Linux is not a uniform userbase. Many systems will be affected by this. Many users will be fine because they use a well used and maintained distro. Many servers and embedded systems will not be fine.

That raspi running your pihole that is never updated? Yeah that might just stop booting next time there is a poweroutage and you wouldn't know what's up.

[–] kadup@lemmy.world 16 points 1 week ago

What Raspberry Pi is booting with SecureBoot and default keys? Give me a break.

[–] progandy@feddit.org 3 points 1 week ago

There are still vendors that do not provide firmware with this tool or only for select devices.

load more comments (3 replies)

load more comments (6 replies)