- A signing key that many Linux distributions use to support Secure Boot is about to expire
- Systems that do not recognize the new key may not boot Linux securely
- Users may need to disable Secure Boot to install or run Linux
A signing key used to support Secure Boot in many Linux distributions is about to expire, which could open devices to all types of cybersecurity risks.
Secure Boot is a built-in security feature of modern computers. It is part of the Unified Extensible Firmware Interface (UEFI), and ensures that only trusted software can be executed when the system starts. This helps block malware such as bootkits, and relies on digital signatures and keys stored in the computer's firmware.
In short, UEFI boots up, verifies that the software is correct, and hands things over to the operating system.
Blocking the downstream database
Microsoft has a signing key that many Linux distributions use to support Secure Boot, and that key expires on September 11, 2025.
A replacement key has been available since 2023, but apparently many systems do not yet support it, and for those that do not recognize the new key, it could mean that Linux will not boot securely.
Fixing this problem requires firmware updates from original equipment manufacturers (OEMs), but there is a risk that not all OEMs will issue updates, especially for older or less popular devices.
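One way to check whether a machine's firmware already lists a given certificate in its Secure Boot allow-list ("db"), as an added example that is not part of the original article. It parses the UEFI signature-list format that Linux exposes through efivarfs; the certificate subject name is not given in the article and must be supplied by the reader ("Example Replacement CA" and the sample data are constructed placeholders).

```python
import struct
import uuid

# Signature-type GUID for X.509 entries (EFI_CERT_X509_GUID, UEFI specification).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le
# Linux exposes the firmware "db" variable here; the first 4 bytes are attributes.
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def x509_entries(blob):
    """Yield the DER certificates held in concatenated EFI_SIGNATURE_LIST structures."""
    off = 0
    while off < len(blob):
        if off + 28 > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        if blob[off:off + 16] == EFI_CERT_X509_GUID and sig_size > 16:
            pos, end = off + 28 + hdr_size, off + list_size
            while pos + sig_size <= end:
                yield blob[pos + 16:pos + sig_size]  # skip the 16-byte owner GUID
                pos += sig_size
        off += list_size

def db_has_cert(blob, subject_name):
    """Heuristic: the subject string appears literally in some certificate's DER bytes."""
    needle = subject_name.encode()
    return any(needle in der for der in x509_entries(blob))

def make_list(type_guid, payloads):
    """Build one EFI_SIGNATURE_LIST (constructed test data, equal-size payloads)."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(bytes(16) + p for p in payloads)
    return type_guid + struct.pack("<III", 28 + len(body), 0, sig_size) + body

# Constructed sample: one SHA-256 hash list, one X.509 list with a fake certificate body.
SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328").bytes_le
SAMPLE_DB = (make_list(SHA256_GUID, [bytes(32)]) +
             make_list(EFI_CERT_X509_GUID, [b"\x30\x82..CN=Example Replacement CA.."]))

if __name__ == "__main__":
    import sys
    name = sys.argv[1] if len(sys.argv) > 1 else "Example Replacement CA"
    try:
        with open(DB_PATH, "rb") as f:
            blob = f.read()[4:]          # drop the efivarfs attribute word
    except OSError:
        blob = SAMPLE_DB                 # not a UEFI system, or no permission
    print(f"{name!r} in db: {db_has_cert(blob, name)}")
```

The substring match is a quick presence check, not certificate validation; a missing entry means the firmware update described above has not been applied.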
There is also a tool called "Shim", which some Linux distributions use to work with Microsoft's Secure Boot infrastructure. It is signed with the Microsoft key (which is soon to expire), and if it is not replaced in time, Secure Boot could break on those distributions completely.
As a result, some users may need to disable Secure Boot to install or run Linux, while others may need to manually update the firmware or generate their own keys (which is quite complex and could be risky for those without extensive technical knowledge).
All this could push people to stay with Windows or avoid Secure Boot, which opens a whole new can of worms.
Via Tom's Hardware