290
Microsoft's Secure Boot UEFI bootloader signing key expires in September, posing problems for Linux users
(www.tomshardware.com)
this post was submitted on 22 Jul 2025
290 points (99.7% liked)
Linux
9177 readers
292 users here now
A community for everything relating to the GNU/Linux operating system (except the memes!)
Also, check out:
Original icon base courtesy of lewing@isc.tamu.edu and The GIMP
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I don't understand, a. Why is Linux using Microsoft keys?, and b. Why isn't this a problem for Windows too?
From https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/signing-a-kernel-and-modules-for-secure-boot_managing-monitoring-and-updating-the-kernel: "In addition, the signed first-stage boot loader and the signed kernel include embedded Red Hat public keys. These signed executable binaries and embedded keys enable RHEL 8 to install, boot, and run with the Microsoft UEFI Secure Boot Certification Authority keys. These keys are provided by the UEFI firmware on systems that support UEFI Secure Boot."
Basically the Microsoft keys are ones that the firmware vendor (motherboard or chip manufacturer) recognizes as secure by default (via CA validation). You can override them. It's not a Linux issue but a hardware-vendor-defaulting-to-Microsoft issue.
Another way that secure boot is snake oil, useless, locked in bullshit.
This one wishes you a happy sweet roll!
🥳🎉🎂
Works fine for me and the billions of business using it 🤷♂️
Same thing for all the trusted certs at the os level.
it works, yeah, but it only does so because of microsoft, and they don't want to let anyone else in.
Wow, billions of business. 🙄
You're an idiot if you think you're privacy would be better off without trusted root certs and businesss taking liability around protecting them 🤷♂️
Wow, namecalling. How original. 🙄
You're an idiot for trusting anyone. Especially entities whose only purpose is to generate revenue and serve fascists.
It blows my mind how many folks on Lemmy have no clue how the Internet is run. Just wow 🤯
I know how it's run, and I know that it's shit. You mean just because something exists it's suddenly good and all? Are we not allowed to criticize and remove risks as much as possible?
What's your viable alternative? Everyone running their own CA and getting their own root certs trusted without centralization?
If security is the actual I'd even argue you SHOULD over ride them. It's like the default password on your home router
You're not wrong, but unfortunately it's not simple and can brick your motherboard if you make a mistake. I wouldn't expect the average Linux user to do it these days. It can also depend on the hardware. If they don't expose any ability to change the keys you're stuck.
Can confirm, RIP MB. The best solution would be only using a Laptop and Tails, and/or removing the actual flash chip of the MB.
Microsoft has spent the time and money to get their key added to the silicone of the BIOS chips on PC hardware. Everyone else needs to get their key signed by Microsoft, including Red Hat and Canonical.
BIOS has tiddy implants?
Made in silicone valley
I hear there's a bad dragon that lives there.
Silicone =/= silicon.
What about silly cone?
=/= ≠ ≠/!=/<>/~=
~= for "not equal" is an abomination. It should be the ASCII equivalent for ≈, "approximate to". Bash gets it right with =~ for pattern matching.
I agree that = for "not equal" is an abomination.
My preferred is ><
The cartman inequality
Starting to come around to this one
I was always partial to !=, to me it says WOOAH PARDNER, LOOK OUT, not equal
I reckon it ain't. 🤠
Mhmm spittoon noises
Every manufacturer includes the Microsoft secure boot key in their firmware. I'm not sure if any manufacturer includes a Linux-specific key. So Microsoft signed a bootloader with their key, enabling secure boot to work with Linux without having to load another key onto every device.
AFAIK it's not necessarily about Linux using Microsoft keys, it's more about Microsoft shoe-horning their bullshit into everything they possibly can, including at the hardware/firmware level.