Linux and Secure Boot certificate expiration
14 days ago
- #Linux
- #Secure Boot
- #UEFI
- Linux users relying on Microsoft's Secure Boot key face expiration issues in September, requiring updates or firmware changes.
- The replacement key, available since 2023, may not be installed on many systems, potentially requiring vendor updates.
- Fedora developer Mateus Rodrigues Costa highlighted the issue, noting warnings in Windows 11 updates about Secure Boot certificate expirations starting in 2026.
- Secure Boot requires the first-stage bootloader to be signed with a non-expired key in the firmware database, complicating new Linux installations post-expiration.
- LVFS and fwupd tools are crucial for updating firmware keys, but older systems may face challenges due to lack of vendor updates or firmware space issues.
- Disabling Secure Boot might be the only option for systems without updates, complicating Secure Boot installations.
- Potential issues include firmware not enforcing expiration dates, vendor mistakes in updates, and the uncharted process of updating KEK and platform keys.
- Linux distributions and users may need to navigate a bumpy transition, with some systems possibly continuing to work with old keys despite expiration.
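
To see which side of the transition a machine is on, the firmware signature database (db) can be read from efivarfs and checked for the replacement certificate. The sketch below is an added example, not code from the article or from fwupd. It assumes Linux efivarfs at the usual path and assumes the certificate names "Microsoft Corporation UEFI CA 2011" (old) and "Microsoft UEFI CA 2023" (replacement), which this page does not give. The fallback sample is constructed placeholder bytes, not a real certificate.

```python
import struct
import uuid

# GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
DB_VAR = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
# Assumed certificate common names (not stated on this page).
OLD_CN = b"Microsoft Corporation UEFI CA 2011"
NEW_CN = b"Microsoft UEFI CA 2023"

def x509_entries(blob):
    """Yield X.509 DER blobs from concatenated EFI_SIGNATURE_LIST structures."""
    off = 0
    while off < len(blob):
        if off + 28 > len(blob):
            raise ValueError("truncated signature list header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < 28 + hdr_size or end > len(blob):
            raise ValueError("corrupt signature list size")
        pos = off + 28 + hdr_size
        if sig_type == EFI_CERT_X509_GUID and sig_size > 16:
            while pos + sig_size <= end:
                yield blob[pos + 16:pos + sig_size]  # skip 16-byte SignatureOwner
                pos += sig_size
        off = end

def db_status(blob):
    """Report whether the old and the replacement CA names appear in db."""
    certs = list(x509_entries(blob))
    return {"old_2011": any(OLD_CN in c for c in certs),
            "new_2023": any(NEW_CN in c for c in certs)}

def make_list(fake_cert, sig_type=EFI_CERT_X509_GUID):
    """Constructed sample: one signature list holding one placeholder 'certificate'."""
    body = bytes(16) + fake_cert  # zero SignatureOwner GUID + data
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, len(body)) + body

if __name__ == "__main__":
    try:
        with open(DB_VAR, "rb") as f:
            blob = f.read()[4:]  # efivarfs prefixes 4 bytes of variable attributes
    except OSError:
        # Not a UEFI system or no read access: fall back to constructed bytes.
        blob = make_list(b"\x30\x00" + OLD_CN)
    print(db_status(blob))
```

A result with `old_2011` true and `new_2023` false marks a system that still needs the db update delivered by the vendor or through LVFS and fwupd. The name match is a byte search, so it shows presence in db only and says nothing about whether the firmware enforces expiration dates.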