- A signing key that many Linux distributions use to support Secure Boot is about to expire
- Systems that do not recognize the new key cannot start Linux securely
- Users may need to disable Secure Boot to install or run Linux
A signing key used to support Secure Boot on many Linux distros is about to expire, which could expose devices to all sorts of cybersecurity risks.
Secure Boot is a security feature built into modern computers. It is part of the Unified Extensible Firmware Interface (UEFI) and ensures that only trusted software can run when the system starts. This helps block malware such as bootkits, and it depends on digital signatures and keys stored in the computer's firmware.
In short, UEFI starts up, checks that the right software is in place, and hands things over to the operating system.
Locking of the database
Microsoft holds a signing key that many Linux distributions use to support Secure Boot, and that key is set to expire on September 11, 2025.
A replacement key has been around since 2023, but apparently many systems do not support it yet, and for those that do not recognize the new key, it may mean that Linux does not start securely.
Solving this problem requires firmware updates from original equipment manufacturers (OEMs), but there is a risk that not all OEMs will issue updates, especially for older or less popular devices.
There is also a tool called "shim" that some Linux distros use to work with Microsoft's Secure Boot infrastructure. It is signed with Microsoft's (soon-to-expire) key, and if it is not replaced in time, Secure Boot may break for these distros completely.
As a result, some users may need to disable Secure Boot to install or run Linux, while others may need to manually update firmware or generate their own keys (which is rather complex and may be risky for them without extensive technical knowledge).
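To see which keys a given machine's firmware actually recognizes, the Secure Boot `db` variable can be parsed directly. The following is an added example, not code from the original article: it walks the `EFI_SIGNATURE_LIST` structures defined by the UEFI specification and returns each entry, so the X.509 certificates can be handed to a certificate parser to read their expiry dates. The function names, the owner GUID and the sample bytes are constructed for illustration.

```python
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509: "x509", EFI_CERT_SHA256: "sha256"}


def parse_signature_lists(blob, efivarfs=False):
    """Return (type, owner GUID, data) for every entry in a db/dbx/KEK blob."""
    pos = 4 if efivarfs else 0  # Linux efivarfs prepends a 4-byte attribute word
    entries = []
    while pos < len(blob):
        if len(blob) - pos < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        body, end = pos + 28 + hdr_size, pos + list_size
        if (list_size < 28 + hdr_size or sig_size <= 16
                or end > len(blob) or (end - body) % sig_size):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        for off in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[off:off + 16])
            kind = TYPE_NAMES.get(sig_type, str(sig_type))
            entries.append((kind, owner, blob[off + 16:off + sig_size]))
        pos = end
    return entries


def x509_entries(blob, efivarfs=False):
    """DER certificates in the blob; feed these to an X.509 parser for expiry dates."""
    found = parse_signature_lists(blob, efivarfs)
    return [(owner, data) for kind, owner, data in found if kind == "x509"]


def make_list(sig_type, owner, payloads):
    """Build one EFI_SIGNATURE_LIST from equal-sized payloads (constructed test data)."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    sizes = struct.pack("<III", 28 + len(body), 0, 16 + len(payloads[0]))
    return sig_type.bytes_le + sizes + body


if __name__ == "__main__":
    # On Linux the real input is the raw content of
    # /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed
    fake_cert = b"\x30\x82" + b"\x00" * 30                      # constructed, not a real cert
    sample = b"\x27\x00\x00\x00" + make_list(EFI_CERT_X509, owner, [fake_cert])
    for kind, who, data in parse_signature_lists(sample, efivarfs=True):
        print(kind, who, len(data), "bytes")
```
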
All this could push people to either stick with Windows or avoid Secure Boot completely, which opens a whole new can of worms.
Via Tom's Hardware



