Linux users are about to face another major Microsoft Secure Boot issue


  • A signing key that many Linux distributions use to support Secure Boot is about to expire
  • Systems that fail to recognize the new key might fail to boot Linux securely
  • Users might need to disable Secure Boot to install or run Linux

A signing key used to support Secure Boot on many Linux distros is about to expire, which could open up devices to all sorts of cybersecurity risks.

Secure Boot is a security feature built into modern computers. It is part of the Unified Extensible Firmware Interface (UEFI), which makes sure that only trusted software can run when the system starts up. This helps block malware such as bootkits, and it relies on digital signatures and keys stored in the computer’s firmware.

In short, UEFI boots up, checks the right software is in place, and hands things over to the operating system.

Locking the database down

Now, Microsoft has a signing key that many Linux distributions use to support Secure Boot, and that key is set to expire on September 11, 2025.

A replacement key has existed since 2023, but apparently many systems don’t support it yet, and for those that don’t recognize the new key, it could mean Linux will not boot securely.
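A way to check whether a machine's firmware already trusts the replacement key, as an added example that is not part of the original article: it parses the Secure Boot `db` variable that Linux exposes through efivarfs and looks for the CA certificate names. The names `Microsoft Corporation UEFI CA 2011` and `Microsoft UEFI CA 2023` are assumptions not given in the article, the match is a byte-substring heuristic rather than full X.509 parsing, and the sample data is constructed.

```python
import struct
import uuid

X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # EFI_CERT_X509_GUID
SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # EFI_CERT_SHA256_GUID
# Linux efivarfs path of the Secure Boot allow-list variable "db"
DB_PATH = "/sys/firmware/efi/efivars/db-d719b0cb-3d3a-4596-a3bc-dad00e67656f"
# Assumption: certificate common names, not given in the article
OLD_CA = b"Microsoft Corporation UEFI CA 2011"
NEW_CA = b"Microsoft UEFI CA 2023"

def x509_entries(blob):
    """Yield DER certificates from concatenated EFI_SIGNATURE_LIST structures."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob):
            raise ValueError("truncated or corrupt signature list")
        pos, end = off + 28 + hdr_size, off + list_size
        if sig_type == X509_GUID and sig_size > 16:
            while pos + sig_size <= end:
                yield blob[pos + 16:pos + sig_size]  # skip 16-byte SignatureOwner
                pos += sig_size
        off = end  # non-X.509 lists (e.g. hashes) are skipped whole

def db_status(blob):
    """Report which of the two CA names appear in the db certificates."""
    certs = list(x509_entries(blob))
    return {"old_ca": any(OLD_CA in c for c in certs),
            "new_ca": any(NEW_CA in c for c in certs)}

def sig_list(sig_type, payloads):
    """Build one EFI_SIGNATURE_LIST (constructed test data, zero owner GUID)."""
    body = b"".join(bytes(16) + p for p in payloads)
    sizes = struct.pack("<III", 28 + len(body), 0, 16 + len(payloads[0]))
    return sig_type.bytes_le + sizes + body

# Constructed samples: placeholder "certificates" that only carry the name strings
SAMPLE_OLD_ONLY = (sig_list(SHA256_GUID, [bytes(32)])
                   + sig_list(X509_GUID, [b"\x30\x82" + OLD_CA]))
SAMPLE_UPDATED = SAMPLE_OLD_ONLY + sig_list(X509_GUID, [b"\x30\x82" + NEW_CA])

if __name__ == "__main__":
    try:
        with open(DB_PATH, "rb") as f:
            blob = f.read()[4:]  # efivarfs prepends 4 attribute bytes
    except OSError:
        blob = SAMPLE_OLD_ONLY   # no readable UEFI variables: use the sample
    print(db_status(blob))
```

A result with `old_ca` true and `new_ca` false is the case the article describes: firmware that trusts only the older key and needs an update before binaries signed with the replacement will verify.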

Fixing this problem requires firmware updates from original equipment manufacturers (OEMs), but there is a risk that not all OEMs will issue updates, especially for older or less popular devices.

There is also a tool called “shim”, which some Linux distros use to work with Microsoft’s Secure Boot infrastructure. It is signed with Microsoft’s (soon-to-expire) key, and if it doesn’t get replaced on time, Secure Boot may break those distros entirely.

As a result, some users might need to disable Secure Boot to install or run Linux, while others may need to manually update firmware, or generate their own keys (which is rather complex and could be risky for those without extensive technical knowledge).

All of this could push people to either stick with Windows, or avoid Secure Boot entirely, which opens up an entirely new can of worms.

Via Tom's Hardware


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
