Linux users may face yet another hurdle related to Secure Boot when the Microsoft-signed key used by many distributions to support the firmware-based security feature expires on September 11, leaving users at the mercy of distribution from OEMs, and systems possibly not receiving a necessary firmware update.

LWN reported (paywall) that Microsoft will stop using the expiring key to sign the shim in September. “But the replacement key, which has been available since 2023, may not be installed on many systems; worse yet, it may require the hardware vendor to issue an update for the system firmware, which may or may not happen,” LWN said. “It seems that the vast majority of systems will not be lost in the shuffle, but it may require extra work from distributors and users.”

The report said manufacturers could add support for the new key in a full firmware update or by updating the KEK database. The former assumes that manufacturers would be interested in distributing a firmware update for a wide variety of products so a small percentage of their users could use Secure Boot with a non-Windows OS; the latter is an unproven mechanism that isn’t guaranteed to work on all devices. Both seem likely to leave at least some people to figure out a solution on their own.

  • CallMeAnAI@lemmy.world
    6 up, 26 down · 3 months ago

    Works fine for me and the billions of businesses using it 🤷‍♂️

    Same thing for all the trusted certs at the OS level.

    • lime!@feddit.nu
      20 up · 3 months ago

      it works, yeah, but it only does so because of microsoft, and they don’t want to let anyone else in.

      • CallMeAnAI@lemmy.world
        6 up, 17 down · 3 months ago

        You’re an idiot if you think your privacy would be better off without trusted root certs and businesses taking liability around protecting them 🤷‍♂️

        • Lucy :3@feddit.org
          2 up · edited · 3 months ago

          You’re an idiot for trusting anyone. Especially entities whose only purpose is to generate revenue and serve fascists.

          • CallMeAnAI@lemmy.world
            1 up, 2 down · 3 months ago

            It blows my mind how many folks on Lemmy have no clue how the Internet is run. Just wow 🤯

            • Lucy :3@feddit.org
              1 up · 3 months ago

              I know how it’s run, and I know that it’s shit. You mean just because something exists it’s suddenly good and all? Are we not allowed to criticize and remove risks as much as possible?

              • CallMeAnAI@lemmy.world
                1 up, 1 down · 3 months ago

                What’s your viable alternative? Everyone running their own CA and getting their own root certs trusted without centralization?