Some Linux users might be interested in reading about this (subscriber link that bypasses the paywall, since I find this information important to spread for awareness):

https://lwn.net/SubscriberLink/1029767/0a550f0972703141/

„Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a key from Microsoft that is set to expire in September. After that point, Microsoft will no longer use that key to sign the shim first-stage UEFI bootloader that is used by Linux distributions to boot the kernel with Secure Boot. But the replacement key, which has been available since 2023, may not be installed on many systems; worse yet, it may require the hardware vendor to issue an update for the system firmware, which may or may not happen.“

#linux #secureboot #microsoft #security #servicetweet

Link preview: Linux and Secure Boot certificate expiration (LWN.net)
@Larvitz And that's why "secure boot" is bullshit and has always been part of planned obsolescence
@howtophil @Larvitz you're supposed to install updates from time to time, you know?
@[email protected] @Larvitz You're supposed to decide the software you run on your hardware and not beg a random corporation to allow you to run what you want, you know?
@howtophil @Larvitz then enroll your keys or disable it, lol.
@[email protected] @Larvitz Secure boot is a scam and everyone should disable it
@howtophil @Larvitz
> I don't understand it and that's why you should kill it with fire
Ok.
@[email protected] @Larvitz I do understand secure boot, and I KNOW it's about nothing more than corporate control of your hardware and forced obsolescence.
@howtophil @Larvitz you obviously don't, silly conspirologist.

@howtophil @voice

1st: You can always disable secure-boot in UEFI.

2nd: You can enroll your own pubkey and sign your boot-loader/kernel yourself.
You can even remove the MS-Key from your UEFI and be entirely independent from any corporation.

3rd: The MS CA is basically just convenience, so that you don't *need* to do bullet point No. 2 and there's a central party for signing for consumer hardware.

A secure boot process with a safe chain-of-trust is crucial, if you want secure computing.

And nobody is forcing you to use it. It's optional. (I do use it. I use it with my own keys, together with full-disk encryption as a safety measure. See https://burningboard.net/@Larvitz/114885834236734756)

Linked post preview (Larvitz, burningboard.net): Attached: 1 image. System Security (ThinkPad T14s Gen4 AMD Ryzen) - Untainted kernel in lockdown mode - Secure Boot active with modern signature - All modern security features active - Full-disk encryption with key on physical SmartCard (with modern UEFI CA, because of the upcoming key replacement: https://burningboard.net/@Larvitz/114884582215696742) #security #fwupd #thinkpad #linux #secureboot
@Larvitz @howtophil @Voice anyone have good guides for 1 and 2 ( disable UEFI and enrolling your own pubkey ) for those unfamiliar with the intricacies of the whole thing?
@FLOX_advocate @Larvitz @howtophil @voice 1 will vary based on the laptop. In most UEFIs it’s where you configure boot devices.

For 2, linux-surface has a decent overview; the TL;DR is that they're X.509 certificates and you use "mokutil":
github.com/linux-surface/linux-surface/wiki/Secure-Boot
@Larvitz @howtophil @[email protected] @FLOX_advocate

The Arch Linux wiki has a pretty comprehensive article about UEFI and secure boot - including how to enroll your own keys and possible gotchas.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Implementing_Secure_Boot

@[email protected] Also, read the article.
@howtophil I read it even before this thread started.
@[email protected] You clearly missed several key points, or you didn't understand it. You should re-read it.
@howtophil you should take your pills.
@voice @howtophil @Larvitz You're supposed to be using your own keys and not some corposcum's.

Except that a) some broken hardware doesn't allow this and b) tooling to do so is very unfriendly even when it's an option.
@lispi314 @Larvitz @howtophil and I actually do. My computers have no enrolled CA other than mine.

a) You should blame the manufacturer. This is the same kind of issue as broken CPU support or broken ACPI.
b) sbctl is pretty convenient.
@voice @howtophil @Larvitz The first unfortunately does very little in part due to industry consolidation and in part due to not enough people caring.

It legitimately should be something consumer protection in various countries should be poking at, but they mostly don't.

sbctl isn't too bad for someone like me, but it's not exactly within reach of lowest-hanging fruit users.

A quick look at the project shows well-enough to use it manually, though I find myself uncertain how to tie it into dracut or mkinitramfs so one doesn't get stuck with an unbootable system after a kernel update.
@lispi314 @Larvitz @howtophil If you choose to install an OS by yourself, then it's your responsibility to secure it with SB or any other technology available. I don't know any vendor who actively prohibits it. Moreover, the ability to enroll custom certificates is a mandatory requirement from Microsoft.
@lispi314 @Larvitz @howtophil
> A quick look at the project shows well-enough to use it manually, though I find myself uncertain how to tie it into dracut or mkinitramfs so one doesn't get stuck with an unbootable system after a kernel update.
On Arch it uses hooks to run every time related boot files are updated.

@voice @Larvitz @howtophil except if you use anything other than Windows, firmware updates have a tendency to just break a bunch of shit, especially if you’re in a situation like me and had to enable debug settings and change options I’m not supposed to even see just to get my laptop working properly with Linux

like, trust me, I actually avoid installing any UEFI updates for no reason other than “everything UEFI on this laptop is built on a house of cards that an UEFI update is likely to wreck”

@voice @Larvitz @howtophil oh, also, UEFI updates are not issued indefinitely

I have a couple old laptops that are still perfectly usable with Linux today, but their OEMs stopped providing firmware updates years ago, more than a decade ago for one laptop

@voice @howtophil @Reiddragon @Larvitz This is part of what should lead to Free/Libre firmware and public publication of hardware documentation on abandonment by upstream.

It is inexcusable for something to become e-waste simply because some corporation has decided it doesn't feel like maintaining support anymore.

@lispi314 @Larvitz @howtophil @voice something something it’s Stop Killing Games but about hardware because surprise, this shit happens everywhere in tech!

(also shameless self promotion as I wrote about it like 2 weeks ago https://reiddragon.neocities.org/blog/articles/stop-killing-games-and-why-its-not-enough/ )


@Reiddragon @voice @howtophil @Larvitz Killing games at least /usually/ didn't count as an ecological disaster.

Of course now with always-online consoles? Yeah, it just might qualify too.
@lispi314 @Larvitz @howtophil @voice tbh the core of the issue is the same, whether we’re talking about always-online games, smart home shit that depends on the OEM’s servers for most of its functionality (like a lot of smart cameras), or regular phones and computers becoming ewaste when official support is officially cut or when support just slowly fades away and the hardware is left to bitrot as nothing runs on it anymore after years of neglect from the OEM

@Reiddragon "if you use anything other than Windows, firmware updates have a tendency to just break a bunch of shit"

A lot of Linux drivers are from reverse-engineering guesswork, and most Linux users don't care. There is exactly one distro that has anywhere near a respectable HCL, and I've waited decades for that situation to improve.

@tasket “sure this is bad, but did you know this other thing is also bad?”

doesn’t matter, this is completely irrelevant to my point

reverse engineered drivers ain’t perfect, but once they’re somewhat working you can expect them to just get better on a given piece of hardware. When the UEFI is actively hostile to anything other than Windows, an update can easily break functionality, especially if you had to delve into some hidden settings like you have to to get sleep working on a lot of newer laptops (Lenovo doesn’t show the setting to switch to proper sleep instead of the “modern standby” bs, you have to enable debug mode which exposes a bunch of poorly documented (bootleg famiclone manual English) settings that are almost guaranteed to NOT stay unchanged on UEFI updates, and are actually quite likely to be removed on an update)

@Reiddragon @Larvitz @howtophil AFAIK certificates and revocation lists are separate from the firmware updates, but I'm not really sure, because using SB with the Microsoft third-party CA is pointless anyway.

This is sad. And also one of the reasons why I used only Latitudes in the past and ThinkPads now.