Mastodawn

Lexi& / Zoe Jul 21, 2025

Some Linux users might be interested, reading about this (Subscriber link, that bypasses the Paywall, since I find this information important to spread for awareness):

https://lwn.net/SubscriberLink/1029767/0a550f0972703141/

„Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a key from Microsoft that is set to expire in September. After that point, Microsoft will no longer use that key to sign the shim first-stage UEFI bootloader that is used by Linux distributions to boot the kernel with Secure Boot. But the replacement key, which has been available since 2023, may not be installed on many systems; worse yet, it may require the hardware vendor to issue an update for the system firmware, which may or may not happen.“

#linux #secureboot #microsoft #security #servicetweet

Linux and Secure Boot certificate expiration

Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a ke [...]

LWN.net

Christoph Schmees Jul 20, 2025

So what? Switch SB off and you're done. SB was invented by M$ to mitigate design faults in UEFI and in Windows. Linux doesn't need it.

#secureboot #microsoft #linux #uefi

@PC_Fluesterer ack. I just wanted to spread awareness. Not everyone knows about the expiration this September and might be wondering why systems fail to boot then.

🏳️‍🌈🎃🇧🇷Luana🇧🇷🎃🏳️‍🌈Jul 20, 2025

@PC_Fluesterer @Larvitz me when I spread misinformation on the internet

Zło To 🏴‍☠️ ᵗʰʳᵉᵉᶠᶦᵈᵈʸ Jul 20, 2025

@Larvitz Can't fathom why would hardware vendors think it was a good idea to leave it to microsoft...

HowToPhil (Phillip R)Jul 20, 2025

@Larvitz And that's why "secure boot" is bullshit and has always been part of planned obsolescence

Mirror Jul 20, 2025

@howtophil @Larvitz you're supposed to install updates from time to time, you know?

HowToPhil (Phillip R)Jul 20, 2025

@[email protected] @Larvitz You're supposed to decide the software you run on your hardware and not beg a random corporation to allow you to run what you want, you know?

Mirror Jul 20, 2025

@howtophil @Larvitz then enroll your keys or disable it, lol.

HowToPhil (Phillip R)Jul 20, 2025

@[email protected] @Larvitz Secure boot is a scam and everyone should disable it

Mirror Jul 20, 2025

@howtophil @Larvitz
> I don't understand it and that's why you should kill it with fire
Ok.

HowToPhil (Phillip R)Jul 20, 2025

@[email protected] @Larvitz I do understand secure boot, and I KNOW it's about nothing more than corporate control of your hardware and forced obsolescence.

Mirror Jul 20, 2025

@howtophil @Larvitz you're obviously don't, silly conspirologist.

@howtophil @voice

1st: You can always disable secure-boot in UEFI.

2nd: You can enroll your own pubkey and sign your boot-loader/kernel yourself.
You can even remove the MS-Key from your UEFI and be entirely independent from any corporation.

3rd: The MS-CA is basically just convinience, so that you don't *need* to do bullet point No. 2 and there's a central party for signing for consumer hardware.

A secure boot process with a safe chain-of-trust is crucial, if you want secure computing.

And nodoby is forcing you to use it. It's optional. (I do use it. I use it with my own keys, together with full-disk-encryption as a safety measure. see https://burningboard.net/@Larvitz/114885834236734756)

Larvitz :fedora: :redhat: (@[email protected])

Attached: 1 image System Security (ThinkPad T14s Gen4 AMD Ryzen) - Untainted Kernel in Lockdown mode - Secure boot active with modern signature - All modern security features active - Full-Disk-Encryption with key on physical SmartCard from @[email protected]) (With modern UEFI CA, because of the upcoming key replacement: https://burningboard.net/@Larvitz/114884582215696742) #security #fwupd #thinkpad #linux #secureboot

Burningboard.net 🇩🇪 🇪🇺

FLOX Advocate Jul 20, 2025

@Larvitz @howtophil @Voice anyone have good guides for 1 and 2 ( disable UEFI and enrolling your own pubkey ) for those unfamiliar with the intricacies of the whole thing?

nepi Jul 20, 2025

@FLOX_advocate @Larvitz @howtophil @voice 1 will vary based on the laptop. In most UEFIs it’s where you configure boot devices.

For 2, Linux-surface has a decent overview, the tldr is they’re x509 certificates and you use “mokutil” github.com/linux-surface/linux-surface/wiki/Secure-Boot

Secure Boot

Linux Kernel for Surface Devices. Contribute to linux-surface/linux-surface development by creating an account on GitHub.

GitHub

Bel Polaris Jul 21, 2025

@Larvitz @howtophil @[email protected] @FLOX_advocate

The Arch Linux wiki has a pretty comprehensive article about UEFI and secure boot - including how to enroll your own keys and possible gotchas.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot#Implementing_Secure_Boot

Unified Extensible Firmware Interface/Secure Boot - ArchWiki

HowToPhil (Phillip R)Jul 20, 2025

@[email protected] Also, read the article.

Mirror Jul 20, 2025

@howtophil I read it even before this thread started.

HowToPhil (Phillip R)Jul 20, 2025

@[email protected] You clearly missed several key points, or you didn't understand it. You should re-read it.

Mirror Jul 20, 2025

@howtophil you should take your pills.

LisPi Jul 20, 2025

@voice @howtophil @Larvitz You're supposed to be using your own keys and not some corposcum's.

Except that a) some broken hardware doesn't allow this and b) tooling to do so is very unfriendly even when it's an option.

Mirror Jul 21, 2025

@lispi314 @Larvitz @howtophil and I actually do. My computers has no enrolled CA other than mine.

a) you should blame manufacturer. This is the same kind of issue as broken CPU support or broken ACPI.
b) sbctl is pretty convenient.

LisPi Jul 21, 2025

@voice @howtophil @Larvitz The first unfortunately does very little in part due to industry consolidation and in part due to not enough people caring.

It legitimately should be something consumer protection in various countries should be poking at, but they mostly don't.

sbctl isn't too bad for someone like me, but it's not exactly within reach of lowest-hanging fruit users.

A quick look at the project shows well-enough to use it manually, though I find myself uncertain how to tie it into dracut or mkinitramfs so one doesn't get stuck with an unbootable system after a kernel update.

Mirror Jul 21, 2025

@lispi314 @Larvitz @howtophil if you choose to install an OS by yourself then it's your responsibility to secure it with SB or any other technology available. I don't know any vendor who actively prohibits it. More over, ability to enroll custom certificates is mandatory requirement by Microsoft.

Mirror Jul 21, 2025

@lispi314 @Larvitz @howtophil
> A quick look at the project shows well-enough to use it manually, though I find myself uncertain how to tie it into dracut or mkinitramfs so one doesn't get stuck with an unbootable system after a kernel update.
On Arch it uses hooks to run every time related boot files are updated.

@voice @Larvitz @howtophil except if you use anything other than Windows, firmware updates have a tendency to just break a bunch of shit, especially if you’re in a situation like me and had to enable debug settings and change options I’m not supposed to even see just to get my laptop working properly with Linux

like, trust me, I actually avoid installing any UEFI updates for no reason other than “everything UEFI on this laptop is built on a house of cards that an UEFI update is likely to wreck”

@voice @Larvitz @howtophil oh, also, UEFI updates are not issued indefinitely

I have a couple old laptops that are still perfectly usable with Linux today, but their OEMs stopped providing firmware updates years ago, more than a decade ago for one laptop

LisPi Jul 20, 2025

@voice @howtophil @Reiddragon @Larvitz This is part of what should lead to Free/Libre firmware and public publication of hardware documentation on abandonment by upstream.

It is inexcusable for something to become e-waste simply because some corporation has decided it doesn't feel like maintaining support anymore.

@lispi314 @Larvitz @howtophil @voice something something it’s Stop Killing Games but about hardware because surprise, this shit happens everywhere in tech!

(also shameless self promotion as I wrote about it like 2 weeks ago https://reiddragon.neocities.org/blog/articles/stop-killing-games-and-why-its-not-enough/ )

Stop Killing Games, and why it's not enough | Reiddragon's Nerd Cave

LisPi Jul 20, 2025

@Reiddragon @voice @howtophil @Larvitz Killing games at least /usually/ didn't count as an ecological disaster.

Of course now with always-online consoles? Yeah, it just might qualify too.

@lispi314 @Larvitz @howtophil @voice tbh the core of the issue is the same, whether we’re talking about always-online games, smart home shit that depends on the OEM’s servers for most of its functionality (like a lot of smart cameras), or regular phones and computers becoming ewaste when official support is officially cut or when support just slowly fades away and the hardware is left to bitrot as nothing runs on it anymore after years of neglect from the OEM

"Wish the sun to stand still.." 🌞Jul 21, 2025

@Reiddragon "if you use anything other than Windows, firmware updates have a tendency to just break a bunch of shit"

A lot of Linux drivers are from reverse-engineering guesswork, and most Linux users don't care. There is exactly one distro that has anywhere near a respectable HCL, and I've waited decades for that situation to improve.

@tasket “sure this is bad, but did you know this other thing is also bad?”

doesn’t matter, this is completely irrelevant to my point

reverse engineered drivers ain’t perfect, but once they’re somewhat working you can expect them to just get better on a given piece of hardware. When the UEFI is actively hostile to anything other than Windows, an update can easily break functionality, especially if you had to delve into some hidden settings like you have to to get sleep working on a lot of newer laptops (Lenovo doesn’t show the setting to switch to proper sleep instead of the “modern standby” bs, you have to enable debug mode which exposes a bunch of poorly documented (bootleg famiclone manual English) settings that are almost guaranteed to NOT stay unchanged on UEFI updates, and are actually quite likely to be removed on an update)

Mirror Jul 21, 2025

@Reiddragon @Larvitz @howtophil afaik certificates and revocation lists are separate from the firmware updates, but not really sure because using SB with microsoft third party ca is pointless anyway.

This is sad. And also one of reasons, why I use only Latitudes in the past and Thinkpads now.

@howtophil @Larvitz trusted computing has always been more about corporations being able to trust your computer, and making it a pain in the ass to use something they can’t trust like Linux or BSDs, because they don’t bend to their every whim like Windows or macOS do

LionelB Jul 20, 2025

@starlabssystems

bbₜᵤₓᵢ Jul 20, 2025

to check:

mokutil --sb-state

🇩🇪Jul 20, 2025

@Larvitz secure boot was always a pain to deal with. Sadly you can't just remove it after installing with it.

Ein Philosophiker Jul 20, 2025

@Larvitz In #Microsoft trust - you're always lost

🏳️‍🌈🎃🇧🇷Luana🇧🇷🎃🏳️‍🌈Jul 20, 2025

@Larvitz mine’s self-signed :3

Rachael Ava 💁🏻‍♀️Jul 20, 2025

@Larvitz Maybe I should think about updating the firmware on my ASUS motherboard so I can keep using Secure Boot to make sure my Arch Linux UKIs won't be tampered with easily. I haven't updated the BIOS since it was flashed by the manufacturer since updating the firmware is always risky.

My threat model assumes I'm not being specifically targeted by the government, since I'm not a priority to them. They have bigger fish to fry with better payouts for them. I'm just trying to keep my head down low until I can move out of the US.

@RachaelAva1024 For security reasons, BIOS updates are generally a good idea. Especially after there were so many cpu/microcode related security issues in recent years.

I use up to date firmware, secure boot with self-enrolled keys (self signed bootloader and kernel), plus full-disk-encryption): https://burningboard.net/@Larvitz/114885834236734756

Larvitz :fedora: :redhat: (@[email protected])

Attached: 1 image System Security (ThinkPad T14s Gen4 AMD Ryzen) - Untainted Kernel in Lockdown mode - Secure boot active with modern signature - All modern security features active - Full-Disk-Encryption with key on physical SmartCard from @[email protected]) (With modern UEFI CA, because of the upcoming key replacement: https://burningboard.net/@Larvitz/114884582215696742) #security #fwupd #thinkpad #linux #secureboot

Burningboard.net 🇩🇪 🇪🇺

Rachael Ava 💁🏻‍♀️Jul 20, 2025

@Larvitz I'd like to be able to have CoreBoot, but I don't think there's support for this board. My next laptop is going to be a System76 Darter Pro laptop, with CoreBoot and a disabled Intel ME, plus a TPM 2.0 module, so there will be plenty room for experimentation on keeping my system secure. I'm gonna try to get Secure Boot with fully self-signed keys, TPM-backed LUKS passphrase, and possibly use my Nitrokey for something, maybe user login.

@RachaelAva1024 I have a Lenovo T14s Gen4 AMD with recent firmware for Linux. That one unfortunately can't run CoreBoot.

My Lenovo T480, running a FreeBSD desktop does run LibreBoot (fork of CoreBoot imho) and also uses SecureBoot.

I have the Keys for my LUKS disk-encryption stored on a NitroKey 3 USB smartcard device, that is PIN protected.

🌴 Seph 💭 👾Jul 20, 2025

@Larvitz Huh, interesting, I seem to remember having to turn off Secure Boot before I could boot from the stick I was using for the install, I hope that's right so I don't have to worry about this.

vriska, thief of light

@Larvitz important note, the LWN article only talks about Linux because that's their target audience but this affects Windows just as much

vriska, thief of light

@Larvitz my (possibly incorrect) understanding from some mailing list posts is that in theory all existing firmware versions will have their keys updated via either Windows Update or fwupd, and new firmware versions will have the new keys baked in, and Microsoft's been working with the fwupd developers to ensure that for the former case LVFS has all the same keys as Windows Update. the problem comes in for installing new OSes on old machines, as well as machines where the manufacturer no longer exists or lost access to their signing keys

@leo in theory, you’re right. Just not every vendor did adhere to that and some need uefi firmware updates (if those even are available. I have a Chinese brand mainboard in some mini-NAS pc where the last one was from 2018 and the uefi ca is baked in. But at least I can just disable secure boot altogether)