News Microsoft signing key required for Secure Boot UEFI bootloader expires in September, which could be problematic for Linux users

[jono909]

A new key was issued in 2023, but it might not be well-supported ahead of the original key's expiration.

Microsoft signing key required for Secure Boot UEFI bootloader expires in September, which could be problematic for Linux users : Read more

Reminds me of the time that Linus Torvalds stuck his middle finger up.

 

[festeve]

I'm pretty skeptical of this article's claim that you need a firmware update (UEFI/BIOS update) to address this. You should be able to just enroll the new certs/keys yourself through the UEFI interface. You could, presumably, instead create a (temporary) Windows install and run the steps here: https://techcommunity.microsoft.com...g/updating-microsoft-secure-boot-keys/4055324

I admit I have not tried this myself, but I did do something similar back when I ran a more esoteric version of Linux. It didn't work out of the box with secure boot (the way Ubuntu, etc., do), but all I had to do is enroll the bootloader via the UEFI and I was good to go.

Edit: Ended up enrolling the new MS 2023 KEK just to try it out. Was pretty quick and easy; admittedly I don't really know how to test it, but it seemed to have work just fine. Used the cert listed in section 1.5 here https://learn.microsoft.com/en-us/w...ation-and-management-guidance?view=windows-11

The issue is not with loading drivers but the hardware itself. So yes a firmware update is needed regardless of which OS you are running.
If your manufacturer has not got an update method you have the same issue.

 

[drajitsh]

And this is a problem? Just clear out the default Microsoft keys, stick the public key for your favorite Linux vendor on a USB thumb drive, and register that key. As a side effect, this will prevent you from "accidentally" booting Windows by mistake.

please tell me stepwise how that can be done.

 

[wyattb]

please tell me stepwise how that can be done.

Me too. Thanks!