Some Linux users might be interested in reading about this (subscriber link that bypasses the paywall, since I find this information important to spread for awareness):

https://lwn.net/SubscriberLink/1029767/0a550f0972703141/

„Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a key from Microsoft that is set to expire in September. After that point, Microsoft will no longer use that key to sign the shim first-stage UEFI bootloader that is used by Linux distributions to boot the kernel with Secure Boot. But the replacement key, which has been available since 2023, may not be installed on many systems; worse yet, it may require the hardware vendor to issue an update for the system firmware, which may or may not happen.“

#linux #secureboot #microsoft #security #servicetweet

Linux and Secure Boot certificate expiration

@Larvitz And that's why "secure boot" is bullshit and has always been part of planned obsolescence
@howtophil @Larvitz you're supposed to install updates from time to time, you know?
@[email protected] @Larvitz You're supposed to decide the software you run on your hardware and not beg a random corporation to allow you to run what you want, you know?
@howtophil @Larvitz then enroll your keys or disable it, lol.
@[email protected] @Larvitz Secure boot is a scam and everyone should disable it
@howtophil @Larvitz
> I don't understand it and that's why you should kill it with fire
Ok.
@[email protected] @Larvitz I do understand secure boot, and I KNOW it's about nothing more than corporate control of your hardware and forced obsolescence.
@howtophil @Larvitz you obviously don't, silly conspirologist.

@howtophil @voice

1st: You can always disable secure-boot in UEFI.

2nd: You can enroll your own pubkey and sign your boot-loader/kernel yourself.
You can even remove the MS-Key from your UEFI and be entirely independent from any corporation.

3rd: The MS-CA is basically just convenience, so that you don't *need* to do bullet point No. 2 and there's a central party for signing for consumer hardware.

A secure boot process with a safe chain-of-trust is crucial, if you want secure computing.

And nobody is forcing you to use it. It's optional. (I do use it. I use it with my own keys, together with full-disk encryption as a safety measure. See https://burningboard.net/@Larvitz/114885834236734756)

System Security (ThinkPad T14s Gen4 AMD Ryzen) - Untainted Kernel in Lockdown mode - Secure boot active with modern signature - All modern security features active - Full-Disk-Encryption with key on physical SmartCard from @[email protected]) (With modern UEFI CA, because of the upcoming key replacement: https://burningboard.net/@Larvitz/114884582215696742) #security #fwupd #thinkpad #linux #secureboot
@Larvitz @howtophil @Voice anyone have good guides for 1 and 2 ( disable UEFI and enrolling your own pubkey ) for those unfamiliar with the intricacies of the whole thing?
@FLOX_advocate @Larvitz @howtophil @voice 1 will vary based on the laptop. In most UEFIs it’s where you configure boot devices.

For 2, Linux-surface has a decent overview; the tl;dr is they're X.509 certificates and you use “mokutil”:
github.com/linux-surface/linux-surface/wiki/Secure-Boot
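The check that the expiry warning in the LWN quote and the "mokutil" pointer in this reply suggest, as an added example (not code from any of the posters): it parses `mokutil --db` output to list the CAs enrolled in the Secure Boot db, report days until each expires, and flag whether a 2023-series Microsoft UEFI CA is present. The sample output, certificate names and dates are constructed placeholders, and `mokutil` is only invoked when it is on PATH.

```python
"""Inspect Secure Boot db certificates as printed by `mokutil --db`."""
import re
import shutil
import subprocess
from datetime import datetime, timezone

# Constructed sample in the style of `mokutil --db` (openssl x509 -text output).
# Subjects and dates are illustrative placeholders, not captured from a real machine.
SAMPLE_DB = """\
[key 1]
Certificate:
    Data:
        Validity
            Not Before: Jun 27 21:22:45 2011 GMT
            Not After : Jun 27 21:32:45 2026 GMT
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
[key 2]
Certificate:
    Data:
        Validity
            Not Before: Jun 13 18:58:29 2023 GMT
            Not After : Jun 13 19:08:29 2038 GMT
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
"""

CN_RE = re.compile(r"^\s*Subject:.*?CN=([^,\n]+)", re.M)
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$", re.M)

def parse_db(text):
    """Return [(common_name, not_after_utc)] for every '[key N]' block in the dump."""
    certs = []
    for block in re.split(r"^\[key \d+\]$", text, flags=re.M)[1:]:
        cn, exp = CN_RE.search(block), NOT_AFTER_RE.search(block)
        if not (cn and exp):
            continue  # block without a parsable subject/expiry is skipped
        when = datetime.strptime(exp.group(1), "%b %d %H:%M:%S %Y %Z")
        certs.append((cn.group(1).strip(), when.replace(tzinfo=timezone.utc)))
    return certs

def assess(certs, now=None):
    """Days left per CA (negative = already expired) and whether a 2023-series CA is enrolled."""
    now = now or datetime.now(timezone.utc)
    days_left = {cn: (exp - now).days for cn, exp in certs}
    return {"days_left": days_left,
            "has_2023_ca": any("UEFI CA 2023" in cn for cn in days_left),
            "soonest_days": min(days_left.values()) if days_left else None}

def load_db():
    """Read the live db via mokutil when available; otherwise fall back to the constructed sample."""
    if shutil.which("mokutil"):
        return subprocess.run(["mokutil", "--db"], capture_output=True, text=True).stdout
    return SAMPLE_DB

if __name__ == "__main__":
    report = assess(parse_db(load_db()))
    for cn, days in report["days_left"].items():
        print(f"{cn}: {days} days until expiry")
    print("2023-series UEFI CA enrolled:", report["has_2023_ca"])
```

If the 2023 CA is missing, the fix is a firmware or KEK/db update from the vendor (or via fwupd), not something the shim itself can do.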
@Larvitz @howtophil @[email protected] @FLOX_advocate

The Arch Linux wiki has a pretty comprehensive article about UEFI and secure boot - including how to enroll your own keys and possible gotchas.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Implementing_Secure_Boot