Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a key from Microsoft that is set to expire in September. After that point, Microsoft will no longer use that key to sign the shim first-stage UEFI bootloader that is used by Linux distributions to boot the kernel with Secure Boot. But the replacement key, which has been available since 2023, may not be installed on many systems; worse yet, it may require the hardware vendor to issue an update for the system firmware, which may or may not happen. It seems that the vast majority of systems will not be lost in the shuffle, but it may require extra work from distributors and users.
I thought it was a Microsoft centric thing in that the certificate authority was either Microsoft or signed by Microsoft?
Maybe I need to read about it more? Can you direct me to the general area?
Microsoft’s keys are pre-installed to all motherboards, so boot binaries signed by Microsoft are trusted by default. afaik Microsoft keys often can’t be removed, but not because it’s not possible, but because it can brick devices. you can create your own MOK or Machine Owner Keys and set up your linux system to sign your bootloader and kernel with it, but that is in addition to Microsoft keys.
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
Thank-you. Recently rebuilt my Arch Rescue build and saw that section in doing the UKI dance.
I don’t mind the Microsoft keys being there at all. I just don’t think tying myself to them is particularly clever.
From your final part. I think I need to go back and reread it. Thank-you again.