Some Linux users might be interested in reading about this (subscriber link that bypasses the paywall, since I find this information important to spread for awareness):

https://lwn.net/SubscriberLink/1029767/0a550f0972703141/

“Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a key from Microsoft that is set to expire in September. After that point, Microsoft will no longer use that key to sign the shim first-stage UEFI bootloader that is used by Linux distributions to boot the kernel with Secure Boot. But the replacement key, which has been available since 2023, may not be installed on many systems; worse yet, it may require the hardware vendor to issue an update for the system firmware, which may or may not happen.”

#linux #secureboot #microsoft #security #servicetweet

Linux and Secure Boot certificate expiration

LWN.net
@Larvitz And that's why "secure boot" is bullshit and has always been part of planned obsolescence
@howtophil @Larvitz you're supposed to install updates from time to time, you know?
@voice @howtophil @Larvitz You're supposed to be using your own keys and not some corposcum's.

Except that a) some broken hardware doesn't allow this and b) tooling to do so is very unfriendly even when it's an option.
@lispi314 @Larvitz @howtophil and I actually do. My computers have no enrolled CA other than mine.

a) you should blame the manufacturer. This is the same kind of issue as broken CPU support or broken ACPI.
b) sbctl is pretty convenient.
@voice @howtophil @Larvitz The first unfortunately does very little in part due to industry consolidation and in part due to not enough people caring.

It legitimately should be something consumer protection in various countries should be poking at, but they mostly don't.

sbctl isn't too bad for someone like me, but it's not exactly within reach of lowest-hanging fruit users.

A quick look at the project shows well-enough to use it manually, though I find myself uncertain how to tie it into dracut or mkinitramfs so one doesn't get stuck with an unbootable system after a kernel update.
@lispi314 @Larvitz @howtophil if you choose to install an OS by yourself then it's your responsibility to secure it with SB or any other technology available. I don't know any vendor who actively prohibits it. Moreover, the ability to enroll custom certificates is a mandatory requirement by Microsoft.
@lispi314 @Larvitz @howtophil
> A quick look at the project shows well-enough to use it manually, though I find myself uncertain how to tie it into dracut or mkinitramfs so one doesn't get stuck with an unbootable system after a kernel update.
On Arch it uses hooks to run every time related boot files are updated.