News Microsoft signing key required for Secure Boot UEFI bootloader expires in September, which could be problematic for Linux users

[Admin]

A new key was issued in 2023, but it might not be well-supported ahead of the original key's expiration.

Microsoft signing key required for Secure Boot UEFI bootloader expires in September, which could be problematic for Linux users : Read more

 

[usertests]

A trash system that was always intended to embrace, extend, and extinguish.

 

[DS426]

Microsoft's Secure Boot key expires on 9-11? I don't know if that's irony or not...

 

[ezst036]

What does one do to check if their UEFI/BIOS and their distro will be problematic in September?

 

[S58_is_the_goat]

Linux user: time to switch to windows I guess...

 

[bigdragon]

Where is this September expiration date coming from? The Microsoft UEFI CA 2011 certificate doesn't expire until June 2026.

This really should be an easy transition. All Microsoft needs to do is use their KEK to sign a command to update Secure Boot with the new 2023 DB certificate. Yes, their 2011 KEK will expire in 2026 too, but we won't have to worry about this again until 2037. A firmware update is not needed to install the 2023 DB certificate -- only the 2023 KEK certificate.

 

[VerboortTech]

And this is a problem? Just clear out the default Microsoft keys, stick the public key for your favorite Linux vendor on a USB thumb drive, and register that key. As a side effect, this will prevent you from "accidentally" booting Windows by mistake.

 

[hwertz]

Thank goodness I disabled secure boot.

 

[jackt]

when win10 ends ? maybe ms hopes to prevent the migration to Linux, with some confusion ? making it harder to install linux ? they will release a new key with a little delay ? lol they are pathetic 😆

 

[jackt]

What does one do to check if their UEFI/BIOS and their distro will be problematic in September?

disable secure boot in bios. but then u have to reinstall the bootloader ? idk

 

[hwertz]

when win10 ends ? maybe ms hopes to prevent the migration to Linux, with some confusion ? making it harder to install linux ? they will release a new key with a little delay ? lol they are pathetic 😆

To be honest that was my first thought too. I do think these signing keys were done up like 10 or 15 years ago though.

I will point out, the root certificate authorities for secure boot are Microsoft (for booting Windows again) and Microsoft again (a seperate root authority for signing 'other' things than Windows.) This isn't some industry spec, it's spec'ed by Microsoft and was implemented by vendors because they made it mandatory for 'designed for Windows 8' computers.

I'll note (besides the stated security reasons for Secure Boot), it was also originally a ploy by Microsoft to prevent installing other OSes on the PC you own. They originally did not have that second certificate authority, no plans to sign bootloaders etc. as they do now, and being able to go into setup and add keys was optional (and in reality the expectation was that systems would probably just 'neglect' to implement this). See the original Surface RT (from around 2012)... you could run Windows RT and only Windows RT on it because of SecureBoot being implemented to Microsoft's original specifications. Someone actually just sorted out a way to get a better OS on these within the last couple years -- the Nintendo Switch and the Surface both use Nvidia Tegra ARM CPUs and some Switch exploit turned out to work on the Surface.