Linux and Secure Boot certificate expiration
10 months ago
- #Linux
- #Secure Boot
- #UEFI
- Microsoft's Secure Boot key, used by Linux distributions to sign the shim bootloader, is set to expire in September 2025.
- Many systems may not have the replacement key installed, requiring firmware updates from hardware vendors.
- The Linux Vendor Firmware Service (LVFS) and the fwupd tool are being used to manage firmware updates, including the new Secure Boot keys.
- Older systems without firmware updates may require Secure Boot to be disabled for new installations.
- There are concerns about whether firmware implementations enforce the certificate expiration date; some systems may continue to work after expiration.
- The transition may be complicated for dual-boot systems with BitLocker encryption tied to Secure Boot measurements.
- The Linux community is preparing for potential issues, but the situation highlights challenges with vendor-controlled Secure Boot keys.
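
To see which certificates in a machine's Secure Boot database are past their validity date, the sketch below parses a text dump of the database and sorts the entries by expiry. It is an added example, not taken from the summarized article: the input layout is assumed to be the openssl-style text that `mokutil --db` prints, the sample certificates and their dates are constructed, and the function names are hypothetical.

```python
import re
import sys
from datetime import datetime, timezone

# Constructed sample; layout assumed to match the text printed by `mokutil --db`.
SAMPLE_DB_TEXT = """\
[key 1]
Certificate:
    Data:
        Validity
            Not Before: Jan  1 00:00:00 2011 GMT
            Not After : Sep 11 00:00:00 2025 GMT
        Subject: C=XX, O=Example Corp, CN=Example UEFI CA (old)
[key 2]
Certificate:
    Data:
        Validity
            Not Before: Jan  1 00:00:00 2023 GMT
            Not After : Jan  1 00:00:00 2038 GMT
        Subject: C=XX, O=Example Corp, CN=Example UEFI CA (replacement)
"""

NOT_AFTER = re.compile(r"Not After\s*:\s*(.+?)\s+GMT")
SUBJECT_CN = re.compile(r"Subject:.*?CN\s*=\s*([^,\n]+)")

def parse_certs(text):
    """Return [(common_name, not_after_utc)] for each certificate block."""
    certs = []
    for block in re.split(r"^\[key \d+\]\s*$", text, flags=re.M):
        exp, cn = NOT_AFTER.search(block), SUBJECT_CN.search(block)
        if not (exp and cn):
            continue  # preamble, or a non-certificate entry such as a bare hash
        stamp = " ".join(exp.group(1).split())  # collapse the padded day ("Jan  1")
        when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        certs.append((cn.group(1).strip(), when.replace(tzinfo=timezone.utc)))
    return certs

def audit(text, as_of):
    """Classify trusted certificates by validity date at `as_of` (date check only)."""
    certs = parse_certs(text)
    expired = [cn for cn, end in certs if end <= as_of]
    valid = [cn for cn, end in certs if end > as_of]
    # only_expired: every certificate found is past its date, so no replacement is present
    return {"expired": expired, "valid": valid,
            "only_expired": bool(expired) and not valid}

if __name__ == "__main__":
    # Usage: mokutil --db | python3 this_script.py   (falls back to the sample)
    text = SAMPLE_DB_TEXT if sys.stdin.isatty() else sys.stdin.read()
    print(audit(text, datetime.now(timezone.utc)))
```

An entry listed as expired here is only past its validity date; whether the firmware actually rejects it depends on the implementation, as noted above.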