Some Linux users might be interested in reading this (subscriber link that bypasses the paywall; I find this information important to spread for awareness):

https://lwn.net/SubscriberLink/1029767/0a550f0972703141/

„Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a key from Microsoft that is set to expire in September. After that point, Microsoft will no longer use that key to sign the shim first-stage UEFI bootloader that is used by Linux distributions to boot the kernel with Secure Boot. But the replacement key, which has been available since 2023, may not be installed on many systems; worse yet, it may require the hardware vendor to issue an update for the system firmware, which may or may not happen.“

#linux #secureboot #microsoft #security #servicetweet

Linked article: Linux and Secure Boot certificate expiration (LWN.net)
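As an added example (not from the LWN article or any post in this thread), a small POSIX shell check that classifies a Secure Boot `db` listing by which Microsoft UEFI CA certificates it contains, which is the question the article raises. It assumes the certificate subject names as printed by `mokutil --db`, and the two sample listings are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: classify the Secure Boot "db" by Microsoft UEFI CA presence.
# Assumption: the CN strings below are the subject names of the 2011 CA that
# signs today's shim and of the 2023 replacement CA, as shown by `mokutil --db`.
OLD_CA='Microsoft Corporation UEFI CA 2011'
NEW_CA='Microsoft UEFI CA 2023'

# classify_db: read a mokutil-style db listing on stdin and print one word:
#   legacy-only  - only the expiring 2011 CA is enrolled (firmware update needed)
#   both         - 2011 and 2023 CAs enrolled (ready for shims signed by the new CA)
#   new-only     - only the 2023 CA enrolled (shims signed by the 2011 CA no longer boot)
#   no-ms-ca     - no Microsoft UEFI CA at all (e.g. fully self-enrolled keys)
classify_db() {
    db=$(cat)
    has_old=0; has_new=0
    case "$db" in *"$OLD_CA"*) has_old=1 ;; esac
    case "$db" in *"$NEW_CA"*) has_new=1 ;; esac
    if [ "$has_old" = 1 ] && [ "$has_new" = 1 ]; then echo both
    elif [ "$has_old" = 1 ]; then echo legacy-only
    elif [ "$has_new" = 1 ]; then echo new-only
    else echo no-ms-ca
    fi
}

# Constructed sample: trimmed db listing of a machine whose vendor firmware
# never shipped the 2023 CA.
SAMPLE_LEGACY='[key 1]
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
[key 2]
        Subject: CN=Vendor OEM db key (constructed)'

# Constructed sample: same machine after a firmware update added the 2023 CA.
SAMPLE_UPDATED="$SAMPLE_LEGACY
[key 3]
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023"

# On a live system run:  mokutil --db | classify_db   (may need root)
printf 'legacy sample:  %s\n' "$(printf '%s\n' "$SAMPLE_LEGACY" | classify_db)"
printf 'updated sample: %s\n' "$(printf '%s\n' "$SAMPLE_UPDATED" | classify_db)"
```

A machine reporting `legacy-only` is the case the article warns about: it can still boot shims signed with the 2011 CA, but nothing signed only with the 2023 CA, until the vendor ships firmware (or a signed db update) carrying the new certificate.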

@Larvitz Maybe I should think about updating the firmware on my ASUS motherboard so I can keep using Secure Boot to make sure my Arch Linux UKIs won't be tampered with easily. I haven't updated the BIOS since it was flashed by the manufacturer, because updating the firmware is always risky.

My threat model assumes I'm not being specifically targeted by the government, since I'm not a priority to them. They have bigger fish to fry with better payouts for them. I'm just trying to keep my head down low until I can move out of the US.

@RachaelAva1024 For security reasons, BIOS updates are generally a good idea, especially after there were so many CPU/microcode-related security issues in recent years.

I use up-to-date firmware, Secure Boot with self-enrolled keys (self-signed bootloader and kernel), plus full-disk encryption: https://burningboard.net/@Larvitz/114885834236734756

Linked post by Larvitz (@[email protected]) on Burningboard.net 🇩🇪 🇪🇺: System Security (ThinkPad T14s Gen4 AMD Ryzen) - Untainted kernel in lockdown mode - Secure Boot active with modern signature - All modern security features active - Full-disk encryption with key on a physical smartcard from @[email protected] (with modern UEFI CA, because of the upcoming key replacement: https://burningboard.net/@Larvitz/114884582215696742) #security #fwupd #thinkpad #linux #secureboot
@Larvitz I'd like to be able to have CoreBoot, but I don't think there's support for this board. My next laptop is going to be a System76 Darter Pro laptop, with CoreBoot and a disabled Intel ME, plus a TPM 2.0 module, so there will be plenty of room for experimentation on keeping my system secure. I'm gonna try to get Secure Boot with fully self-signed keys, a TPM-backed LUKS passphrase, and possibly use my Nitrokey for something, maybe user login.

@RachaelAva1024 I have a Lenovo T14s Gen4 AMD with recent firmware for Linux. That one unfortunately can't run CoreBoot.

My Lenovo T480, running a FreeBSD desktop does run LibreBoot (fork of CoreBoot imho) and also uses SecureBoot.

I have the keys for my LUKS disk encryption stored on a Nitrokey 3 USB smartcard device that is PIN-protected.