Secure Boot and Microsoft CA Rollover – a heads-up for distributions
19 hours ago
- #UEFI
- #Secure Boot
- #Microsoft CA
- Microsoft's Secure Boot root certificates expire soon, which can cause boot problems for Linux distributions that use Secure Boot.
- Microsoft has released new CAs, and newer machines may trust only these, so shims signed with the old CA would fail to boot on them.
- Distributions need to get new shims signed with the new CA, and dual-signed shims can support both old and new systems.
- Microsoft will keep signing with the old CA until it expires, but the timeline is short, so distributions need to act quickly.
- Users should update their systems and firmware to avoid disruptions during the certificate transition.