
Microsoft's UEFI Secure Boot signing key is set to expire in September, potentially causing complications for Linux users.

A replacement key was issued in 2023, but compatibility issues may arise before the original key expires.


The expiration of Microsoft's Secure Boot signing key, scheduled for September 2025, could cause boot issues for Linux users who rely on Secure Boot. However, the impact varies depending on hardware vendor support and the firmware updates provided by Original Equipment Manufacturers (OEMs).

Impact on Linux Users and OEM Distributions

Many Linux distributions utilise Microsoft's key to sign their shim bootloader, enabling Secure Boot compatibility. Once the current key expires, it will no longer be used to sign shim or related boot components, potentially causing boot failures on affected machines. OEMs control the firmware key databases stored in the system’s nonvolatile memory and are responsible for deploying firmware updates with new keys, which may or may not arrive in a timely or widespread manner.

How Linux Distributions can Address the Issue

Linux distributors must coordinate with hardware manufacturers and the Linux Vendor Firmware Service (LVFS) to help push firmware updates containing the new keys to users. Distributors may provide users with updated shim binaries signed with the new key, but hardware firmware updates by OEMs are necessary to recognise those keys. Tools like fwupd and LVFS facilitate firmware updates from Linux systems, helping mitigate the problem by enabling easier firmware update deployment.

Raising awareness within the Linux community and encouraging users to verify firmware updates and Secure Boot key updates is crucial. Alternative approaches such as disabling Secure Boot or enrolling user/custom keys may serve as temporary workarounds, but they are less convenient and less secure.
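One way to verify a machine's Secure Boot key database, as an added example that is not from the original article: the script below parses the `EFI_SIGNATURE_LIST` structures in the firmware `db` variable and reports whether certificates naming the old and the replacement Microsoft CA are present. The efivarfs path and the two CA common names are supplied here as assumptions (the article names neither), and the embedded sample database is constructed.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# CA common names: supplied for this example, the article does not name them.
OLD_CA = b"Microsoft Corporation UEFI CA 2011"
NEW_CA = b"Microsoft UEFI CA 2023"
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def x509_entries(db):
    """Yield (owner GUID, certificate bytes) for every X.509 entry in db."""
    off = 0
    while off + 28 <= len(db):
        sig_type = uuid.UUID(bytes_le=db[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", db, off + 16)
        if list_size < 28 or sig_size < 16 or off + list_size > len(db):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while sig_type == X509_GUID and pos + sig_size <= end:
            yield uuid.UUID(bytes_le=db[pos:pos + 16]), db[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def ca_status(db):
    """Report which CA names appear in db certificates (byte match, not validation)."""
    certs = [cert for _, cert in x509_entries(db)]
    return {"old_2011": any(OLD_CA in c for c in certs),
            "new_2023": any(NEW_CA in c for c in certs)}

def make_list(sig_type, owner, data):
    """Build a one-entry EFI_SIGNATURE_LIST (used only for the sample below)."""
    sig = owner.bytes_le + data
    return sig_type.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig

# Constructed sample: placeholder bytes, not real certificates or hashes.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
SAMPLE_DB = (make_list(SHA256_GUID, SAMPLE_OWNER, bytes(32))
             + make_list(X509_GUID, SAMPLE_OWNER, b"\x30\x82placeholder" + OLD_CA))

if __name__ == "__main__":
    try:
        with open(DB_PATH, "rb") as f:
            db = f.read()[4:]  # efivarfs prefixes 4 bytes of variable attributes
    except OSError:
        db = SAMPLE_DB  # not a UEFI Linux system, or no read access
    print(ca_status(db))
```

A result of `old_2011: True, new_2023: False` marks a machine whose firmware still needs a key database update before it will trust a shim signed under the replacement key.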

Additional Context

Some reports have suggested that fears about the key expiration impact are overstated and alarmist, implying that many users may not experience immediate problems depending on hardware and firmware vendor responses. Enterprises and IT professionals are advised to proactively inventory firmware versions and plan firmware updates in advance of key expiration dates to avoid unexpected disruptions.

In summary, Microsoft’s Secure Boot signing key expiration poses a notable challenge for Linux users dependent on Secure Boot, especially on systems that do not receive timely firmware updates from OEMs. Linux distributions can partially mitigate this by shipping updated shim binaries and leveraging tools like LVFS for firmware updates, but widespread OEM support is essential for a smooth transition. Users should stay informed about firmware updates for their devices and be prepared to manage Secure Boot keys accordingly.


Microsoft's key plays a critical role in Secure Boot on Linux: distributions use it to sign their shim bootloader, ensuring compatibility with Secure Boot.

Linux users and Original Equipment Manufacturers (OEMs) must collaborate to address the challenge presented by the upcoming expiration of Microsoft's Secure Boot signing key, ensuring that firmware updates with new keys are provided in a timely and widespread manner for a smooth transition.
