253 points pabs3 | 2 comments
1. jeroenhd No.44602847
I wonder what my laptop will do soon.

Lenovo, in their infinite wisdom, has decided to load an Nvidia blob signed by Microsoft before even being able to access the UEFI firmware interface. People who have tried to install their own secure boot keys found out the hard way that you can't even get into the firmware configuration interface to undo the change.

Their official workaround is to only load secure boot keys through their firmware interface (rather than the standard Linux utility) which refuses to wipe the certificate used to sign the Nvidia firmware. However, that workaround will obviously stop working when that certificate expires.

replies(1): >>44615538 #
2. craftkiller No.44615538
The Framework laptop with the AMD 7840U works perfectly without any Microsoft keys enrolled.

For your current laptop, you might be able to use the `--tpm-eventlog` option to `sbctl enroll-keys` to enroll hashes of your OptionROM to whitelist that blob.
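
Added example (not part of the thread, and not sbctl's own code): before changing which Secure Boot keys are enrolled, one way to see whether the firmware loaded any OptionROM or UEFI driver image during boot is to list the `EV_EFI_BOOT_SERVICES_DRIVER` events in the TPM 2.0 event log. The function names and the sample log are constructed for illustration; on Linux the real log is assumed to be readable as root at `/sys/kernel/security/tpm0/binary_bios_measurements`.

```python
import struct
import sys

EV_NO_ACTION = 0x00000003
EV_EFI_BOOT_SERVICES_DRIVER = 0x80000004  # TCG event type for UEFI driver / OptionROM images
TPM_ALG_SHA256 = 0x000B

def parse_driver_events(log: bytes):
    """Return [(pcr, {alg_id: hex_digest})] for each EV_EFI_BOOT_SERVICES_DRIVER event."""
    # Record 0 uses the legacy SHA-1 layout; its data is the Spec ID event, whose
    # digest-size table starts after a 16-byte signature and 8 bytes of class/version.
    _pcr, etype, _sha1, size = struct.unpack_from("<II20sI", log, 0)
    spec = log[32:32 + size]
    if etype != EV_NO_ACTION or not spec.startswith(b"Spec ID Event03\0"):
        raise ValueError("not a crypto-agile (TPM 2.0) event log")
    (n_algs,) = struct.unpack_from("<I", spec, 24)
    sizes = dict(struct.unpack_from("<HH", spec, 28 + 4 * i) for i in range(n_algs))
    off, found = 32 + size, []
    # Stop at the end of the buffer or at trailing 0xFF padding.
    while off + 12 <= len(log) and log[off:off + 4] != b"\xff" * 4:
        pcr, etype, count = struct.unpack_from("<III", log, off)
        off += 12
        digests = {}
        for _ in range(count):
            (alg,) = struct.unpack_from("<H", log, off)
            if alg not in sizes:
                raise ValueError(f"unknown digest algorithm {alg:#06x}")
            digests[alg] = log[off + 2:off + 2 + sizes[alg]].hex()
            off += 2 + sizes[alg]
        (esize,) = struct.unpack_from("<I", log, off)
        off += 4 + esize  # skip the event data itself
        if etype == EV_EFI_BOOT_SERVICES_DRIVER:
            found.append((pcr, digests))
    return found

def sample_log() -> bytes:
    """Constructed log: Spec ID header, one firmware event, one driver event in PCR 2."""
    spec = (b"Spec ID Event03\0" + struct.pack("<IBBBBI", 0, 0, 2, 0, 2, 1)
            + struct.pack("<HH", TPM_ALG_SHA256, 32) + b"\0")
    log = struct.pack("<II20sI", 0, EV_NO_ACTION, bytes(20), len(spec)) + spec
    for pcr, etype, fill in ((0, 0x00000008, 0x11), (2, EV_EFI_BOOT_SERVICES_DRIVER, 0xAB)):
        log += struct.pack("<IIIH", pcr, etype, 1, TPM_ALG_SHA256) + bytes([fill]) * 32
        log += struct.pack("<I", 4) + b"demo"
    return log

if __name__ == "__main__":
    # Pass a real log path as argv[1]; with no argument the constructed sample is parsed.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_log()
    for pcr, digests in parse_driver_events(data):
        print(f"PCR {pcr}: driver image, SHA-256 {digests.get(TPM_ALG_SHA256)}")
```

An empty result means no driver image was measured during that boot; any entry is worth checking against what `db` will still trust after the key change.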