Secure boot and Microsoft CA rollover: a heads-up for distributions

by Thom Holwerda, from OSnews (#75TD4)

We've already talked about the secure boot certificates from Microsoft that are about to become invalid, but Debian EFI team member and longtime Debian contributor Steve McIntyre has published a blog post with more information for users and distribution developers alike. Why are Microsoft's secure boot certificates relevant to the Linux world? Linux distributions use shim to provide secure boot functionality, and shim is signed by Microsoft, because Microsoft's certificates are included in just about every computer or motherboard ever shipped.

The expiration of these oldest certificates should most likely not be a problem, as existing signed binaries should keep working. This is because the UEFI specification does not check certificate expiration dates when verifying an image; it only cares that the signature is valid and chains to a trusted certificate. Unless you have buggy firmware, your machine will continue to boot Linux just fine.

Microsoft is already handing out new certificates, but it started the rollout far too late, which is why this is an actual issue today.

New machines and updated older machines will most likely have all of these new CAs installed. New machines are already shipping that only include the new CAs; they will not trust older software and this has already started causing problems for some users.

[...]

If you already have an old shim signed by Microsoft for your distribution from before October 2025, then it will only be signed using the older CA that expires soon. On newer machines, your users will already not be able to boot your distro with Secure Boot enabled.

If you want your users to be able to use Secure Boot in future, you will need to get a new shim build submitted, reviewed and signed using the new CA. However, that signed build will not work on older machines unless they have had the new CAs installed. This is also likely to cause problems for some users. You should encourage your users to update their systems NOW before things break for them.

Steve McIntyre

I think the Linux world will be able to handle this just fine, but the fact that Microsoft started this process of replacement so late is a real shame. I'm by no means an expert in this field, but I wonder if there isn't some better solution than relying on Microsoft. I understand their certificates will effectively always be installed on every motherboard, but shouldn't we be able to move that responsibility to a more independent entity?
