- A signing key that many Linux distributions use to support Secure Boot is about to expire
- Sytems that fail to recognize the new key might fail to boot Linux securely
- Users might need to disable Secure Boot to install or run Linux
A signing key used to support Secure Boot on many Linux distros is about to expire, which could open up devices to all sorts of cybersecurity risks.
Secure Boot is a security feature built into modern computers. It is part of the Unified Extensible Firmware Interface (UEFI), which makes sure that only trusted software can run when the system starts up. This helps block malware such as bootkits, and it relies on digital signatures and keys stored in the computer’s firmware.
In short – UEFI boots up, checks the right software is in place, and hands things over to the operating system.
Locking the database down
Now, Microsoft has a signing key that many Linux distributions use to support Secure Boot, and that key is set to expire on September 11, 2025.
A replacement key has existed since 2023, but apparently – many systems don’t support it yet, and for those that don’t recognize the new key, it could mean Linux will not boot securely.
Fixing this problem requires firmware updates from original equipment manufacturers (OEM) but there is a risk that not all OEMs will issue updates – especially those for older, or less popular devices.
There is also a tool called “shim”, which some Linux distros use to work with Microsoft’s Secure Boot infrastructure. It is signed with Microsoft’s (soon-to-expire) key, and if it doesn’t get replaced on time, Secure Boot may break those distros entirely.
As a result, some users might need to disable Secure Boot to install or run Linux, while others may need to manually update firmware, or generate their own keys (which is rather complex and could be risky for those without extensive technical knowledge).
All of this could push people to either stick with Windows, or avoid Secure Boot entirely, which opens up an entirely new can of worms.
Via Tom’s Hardware
