Mich hat etwas wuschig gemacht, dass das Zertifikat für Secure Boot in meinem PC am 24. Juni 2026 abläuft. Der shimx64.efi ist mit genau diesem Zertifikat unterzeichnet.

Das ist aber kein Problem, weil Secure Boot weiter ein efi-file bootet, welches innerhalb der Zeit unterzeichnet war, zu der das Zertifikat noch gültig war. So lange also niemand das shimx64.efi aktualisieren will, braucht es auch auch noch kein neues Zertifikat von Microslop im uefi.

#secureboot #expire #cert

The things you didn't even know you had to worry about. Watched an #ExplainingComputers video last night on "Secure Boot Certificate Expiry (Windows & Linux)". As best as I can tell, I should be okay since I don't have it active:

bok@sqr128zena:~$
sudo mokutil --sb-state
[sudo] password for bok:
SecureBoot disabled
Platform is in Setup Mode

I hope so, since the update command fails:

bok@sqr128zena:~$ sudo fwupdmgr update
WARNING: UEFI capsule updates not available […]
Devices with no available firmware updates:
• SPCC M.2 SSD
• UEFI dbx

I'll see what happens in forty days:

Microsoft Corporation Third Party Marketplace Root
 Validity
  Not Before: Jun 27 21:22:45 2011 GMT
  Not After : Jun 27 21:32:45 2026 GMT

If my March 2015 NUC5i5RYK dies, I'll take it as a sign to upgrade. #Linux #SecureBoot

Has anyone succeed to boot a Debian system on an UEFI+Secure boot host with an ISCSI network drive via iPXE?

Having iPXE working with secureboot is okay, they have a signed shim.

Using `sanboot` directive gives me grub, as expected and start the Kernel.
But then the Linux Kernel detects a Secureboot violation and halt the booting process & the machine.

#iPXE #SANBOOT #SecureBoot #Debian

Mood : https://www.youtube.com/shorts/o56qL2t4swA

Doing network booting (#DHCP, #TFTP, #iPXE, #UEFI, #SecureBoot)
I haven't reached the “Oh, that's why” so far. But very annoyed

https://ipxe.org/secboot
“The Secure Boot shim (e.g. ipxe-shim.efi or snponly-shim.efi) will automatically load the iPXE binary with the corresponding name (e.g. ipxe.efi or snponly.efi).”
Definitely not what's happening…
So It kept loading the wrong iPXE firmware (not the snmponly) and I kept wondering why my keyboard wasn't working :<

Microsoft Patches 138 Vulnerabilities, Including Critical DNS and Netlogon Flaws

Microsoft just patched a critical DNS flaw that could let hackers execute code on your network, along with 137 other vulnerabilities - so make sure to update ASAP! The update also includes a mandatory rollout of updated Secure Boot certificates to keep your system secure.

https://osintsights.com/microsoft-patches-138-vulnerabilities-including-critical-dns-and-netlogon-flaws?utm_source=mastodon&utm_medium=social

#WindowsDns #Cve202641096 #SecureBoot #Microsoft #PatchTuesday

Now it is a great time to ensure you've updated your #UEFI #Windows #SecureBoot Certificate Authority to 2023 versions. The old keys from 2011 are set to expire in June 2026.

Quoting microsoft:

"Devices that haven’t received the newer 2023 certificates will continue to start and operate normally, and standard Windows updates will continue to install. However, these devices will no longer be able to receive new security protections for the early boot process, including updates to Windows Boot Manager, Secure Boot databases, revocation lists, or mitigations for newly discovered boot level vulnerabilities.

Over time, this limits the device’s protection against emerging threats and may affect scenarios that rely on Secure Boot trust, such as BitLocker hardening or third-party bootloaders. Most Windows devices will receive the updated certificates automatically, and many OEMs provide firmware updates when needed. Keeping your device current with these updates helps ensures it can continue receiving the full set of security protections that Secure Boot is designed to provide."

https://support.microsoft.com/en-gb/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e

Part 2 of my graceful reboot series - a real-world use case: pushing Microsoft's 2026 Secure Boot certificate update via Intune Remediations, with a user-friendly reboot built in.

http://dlvr.it/TSWSCn

#Intune #SecureBoot #PowerShell