this post was submitted on 22 Jul 2025
290 points (99.7% liked)


Linux users may face yet another hurdle related to Secure Boot when the Microsoft-signed key used by many distributions to support the firmware-based security feature expires on September 11, leaving users at the mercy of distribution from OEMs, and systems possibly not receiving a necessary firmware update.

As LWN reported (paywall), Microsoft will stop using the expiring key to sign the shim in September. "But the replacement key, which has been available since 2023, may not be installed on many systems; worse yet, it may require the hardware vendor to issue an update for the system firmware, which may or may not happen," LWN said. "It seems that the vast majority of systems will not be lost in the shuffle, but it may require extra work from distributors and users."

The report said manufacturers could add support for the new key in a full firmware update or by updating the KEK database. The former assumes that manufacturers would be interested in distributing a firmware update for a wide variety of products so a small percentage of their users could use Secure Boot with a non-Windows OS; the latter is an unproven mechanism that isn't guaranteed to work on all devices. Both seem likely to leave at least some people to figure out a solution on their own.

[–] Goun@lemmy.ml 43 points 2 weeks ago (4 children)

I don't understand: a. Why is Linux using Microsoft keys? And b. Why isn't this a problem for Windows too?

[–] naonintendois@programming.dev 75 points 2 weeks ago (2 children)

From https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/signing-a-kernel-and-modules-for-secure-boot_managing-monitoring-and-updating-the-kernel: "In addition, the signed first-stage boot loader and the signed kernel include embedded Red Hat public keys. These signed executable binaries and embedded keys enable RHEL 8 to install, boot, and run with the Microsoft UEFI Secure Boot Certification Authority keys. These keys are provided by the UEFI firmware on systems that support UEFI Secure Boot."

Basically the Microsoft keys are ones that the firmware vendor (motherboard or chip manufacturer) recognizes as secure by default (via CA validation). You can override them. It's not a Linux issue but a hardware-vendor-defaulting-to-Microsoft issue.

[–] 30p87@feddit.org 55 points 2 weeks ago (3 children)

Another way that secure boot is snake oil, useless, locked in bullshit.

[–] Maiq@lemy.lol 18 points 2 weeks ago

This one wishes you a happy sweet roll!

[–] RedSnt@feddit.dk 6 points 2 weeks ago
[–] fruitycoder@sh.itjust.works 6 points 2 weeks ago (1 children)

If security is the actual I'd even argue you SHOULD override them. It's like the default password on your home router.

[–] naonintendois@programming.dev 9 points 2 weeks ago (1 children)

You're not wrong, but unfortunately it's not simple and can brick your motherboard if you make a mistake. I wouldn't expect the average Linux user to do it these days. It can also depend on the hardware. If they don't expose any ability to change the keys you're stuck.

[–] 30p87@feddit.org 1 points 2 weeks ago

Can confirm, RIP MB. The best solution would be only using a laptop and Tails, and/or removing the actual flash chip of the MB.

[–] demizerone@lemmy.world 40 points 2 weeks ago (2 children)

Microsoft has spent the time and money to get their key added to the silicone of the BIOS chips on PC hardware. Everyone else needs to get their key signed by Microsoft, including Red Hat and Canonical.

[–] SpaceNoodle@lemmy.world 19 points 2 weeks ago (1 children)
[–] elvith@feddit.org 11 points 2 weeks ago (1 children)
[–] princessnorah@lemmy.blahaj.zone 7 points 2 weeks ago

I hear there's a bad dragon that lives there.

[–] atomicbocks@sh.itjust.works 19 points 2 weeks ago (2 children)
[–] ExLisper@lemmy.curiana.net 7 points 2 weeks ago

What about silly cone?

[–] Whostosay@sh.itjust.works 6 points 2 weeks ago (2 children)
[–] sxan@midwest.social 5 points 2 weeks ago (1 children)

~= for "not equal" is an abomination. It should be the ASCII equivalent for ≈, "approximate to". Bash gets it right with =~ for pattern matching.

[–] FrederikNJS@lemmy.zip 3 points 2 weeks ago

I agree that = for "not equal" is an abomination.

[–] acockworkorange@mander.xyz 4 points 2 weeks ago (2 children)
[–] DarkDarkHouse@lemmy.sdf.org 8 points 2 weeks ago (1 children)
[–] Whostosay@sh.itjust.works 2 points 2 weeks ago

Starting to come around to this one

[–] Whostosay@sh.itjust.works 4 points 2 weeks ago (1 children)

I was always partial to !=, to me it says WOOAH PARDNER, LOOK OUT, not equal

[–] acockworkorange@mander.xyz 0 points 2 weeks ago (1 children)
[–] Whostosay@sh.itjust.works 2 points 2 weeks ago

Mhmm spittoon noises

[–] cadekat@pawb.social 18 points 2 weeks ago

Every manufacturer includes the Microsoft secure boot key in their firmware. I'm not sure if any manufacturer includes a Linux-specific key. So Microsoft signed a bootloader with their key, enabling secure boot to work with Linux without having to load another key onto every device.
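The two comments above (the Red Hat quote about Microsoft UEFI CA keys "provided by the UEFI firmware", and this one about every manufacturer shipping the Microsoft key in firmware) describe the trust chain, and the article's concern is whether the 2023 replacement CA ever reaches a given machine's `db` or `KEK`. A defender can check that directly: the variables are concatenated `EFI_SIGNATURE_LIST` structures, which the following added Python example parses and compares against a list of expected CA fingerprints. This is example code written for this thread, not code from any of the commenters, Red Hat, or LWN. It assumes the standard efivars paths (the `db` and `KEK` variable GUIDs from the UEFI specification, and the 4-byte attribute prefix that the Linux efivars filesystem prepends), and the "certificates" and fingerprints in the sample are constructed placeholders, not the real Microsoft CA values; on a real machine you would replace `EXPECTED_CAS` with fingerprints taken from your distribution's documentation.

```python
import hashlib
import struct
import uuid
from pathlib import Path

# Signature-type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# Where the Linux efivars filesystem exposes the db and KEK variables (assumed standard paths).
EFIVARS = Path("/sys/firmware/efi/efivars")
VARIABLE_FILES = {
    "db": EFIVARS / "db-d719b2cb-3d3a-4596-a3bc-dad00e67656f",
    "KEK": EFIVARS / "KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c",
}
HEADER_LEN = 28  # SignatureType GUID (16) + SignatureListSize, SignatureHeaderSize, SignatureSize


def parse_signature_lists(blob):
    """Return [(signature_type, owner, data)] for a concatenation of EFI_SIGNATURE_LISTs."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize does not fit the variable")
        if sig_size < 16 or (list_size - HEADER_LEN - hdr_size) % sig_size:
            raise ValueError("SignatureSize does not divide the list body")
        body_start = off + HEADER_LEN + hdr_size
        for pos in range(body_start, off + list_size, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])  # SignatureOwner field
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
        off += list_size
    return entries


def cert_fingerprints(entries):
    """SHA-256 over the DER bytes of every X.509 entry (the usual certificate fingerprint)."""
    return {hashlib.sha256(data).hexdigest() for t, _, data in entries if t == EFI_CERT_X509_GUID}


def missing_cas(entries, expected):
    """Names from `expected` (name -> sha256 hex fingerprint) whose certificate is not enrolled."""
    present = cert_fingerprints(entries)
    return {name for name, fp in expected.items() if fp not in present}


def load_variable(name):
    """Read db or KEK from efivars; the first 4 bytes are variable attributes, not ESL data."""
    path = VARIABLE_FILES[name]
    return path.read_bytes()[4:] if path.exists() else None


# --- constructed sample: stands in for a db that still lacks the replacement CA ---
def build_signature_list(sig_type, owner, datas):
    """Constructed helper: pack same-sized signature data into one EFI_SIGNATURE_LIST."""
    sig_size = 16 + len(datas[0])
    body = b"".join(owner.bytes_le + d for d in datas)
    return sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, sig_size) + body


OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")   # placeholder SignatureOwner
OLD_CA_DER = b"placeholder-der-of-the-expiring-ca"          # placeholder, not a real certificate
NEW_CA_DER = b"placeholder-der-of-the-2023-replacement-ca"  # placeholder, not a real certificate
EXPECTED_CAS = {
    "expiring_ca_placeholder": hashlib.sha256(OLD_CA_DER).hexdigest(),
    "replacement_ca_placeholder": hashlib.sha256(NEW_CA_DER).hexdigest(),
}
SAMPLE_DB = (
    build_signature_list(EFI_CERT_X509_GUID, OWNER, [OLD_CA_DER])
    + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [b"\x01" * 32, b"\x02" * 32])
)

if __name__ == "__main__":
    for name in ("db", "KEK"):
        blob = load_variable(name)
        label = name if blob is not None else f"{name} (efivars absent, using constructed sample)"
        entries = parse_signature_lists(blob if blob is not None else SAMPLE_DB)
        print(label, len(entries), "entries; missing:", missing_cas(entries, EXPECTED_CAS))
```

Run as root on a UEFI machine it reads the live `db` and `KEK`; elsewhere it falls back to the constructed sample, which reports the replacement CA as missing. The parser rejects a `SignatureListSize` that overruns the variable or a `SignatureSize` that does not divide the list body, so a truncated or tampered variable raises rather than silently yielding a partial trust list.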

[–] CrabAndBroom@lemmy.ml 10 points 2 weeks ago

AFAIK it's not necessarily about Linux using Microsoft keys, it's more about Microsoft shoe-horning their bullshit into everything they possibly can, including at the hardware/firmware level.