    253 points pabs3 | 17 comments
    1. jmclnx ◴[] No.44615067[source]
    And this is why I avoid and will always avoid "Secure Boot". I can see many newer Linux people being locked out starting in Sept.
    replies(3): >>44615474 #>>44616122 #>>44617464 #
    2. craftkiller ◴[] No.44615474[source]
    Or you could just remove Microsoft's keys from your systems and sign your bootloader with your own key. That's what I do on all of my systems so I am unimpacted by this.
    replies(3): >>44615574 #>>44616310 #>>44616568 #
    3. ekianjo ◴[] No.44615574[source]
    Do you have any source on how to do that?
    replies(2): >>44615682 #>>44615805 #
    4. craftkiller ◴[] No.44615682{3}[source]
    I followed https://github.com/nix-community/lanzaboote/blob/master/docs... but naturally you don't want to include the `--microsoft` flag when running `sbctl enroll-keys` if you want to avoid Microsoft keys. Also Lanzaboote is only for NixOS.
    5. marcthe12 ◴[] No.44615805{3}[source]
    The arch wiki has the best source https://wiki.archlinux.org/title/Unified_Extensible_Firmware...

    Note sbctl is one of the easier tools to do this.

    6. willa_bombadier ◴[] No.44616122[source]
    There should be some “Sane Usage” certification that a device doesn’t do secure boot, provides fully open and self-maintainable hardware, is independent of all external entities for ongoing use, provides hardware switches to turn off built-ins like ports, mics, and cameras, for power-savings and security.
    replies(2): >>44616412 #>>44616647 #
    7. josephcsible ◴[] No.44616310[source]
    Sure, but that's a lot more work than just disabling Secure Boot, and for most people's threat models, there's zero actual security benefit gained in return.
    replies(1): >>44616363 #
    8. ◴[] No.44616363{3}[source]
    9. pydry ◴[] No.44616412[source]
    "Will this piss off or delight Microsoft?" is probably a thought that goes through the heads of many OEMs when they decide how to design their machines.
    replies(1): >>44616593 #
    10. brudgers ◴[] No.44616568[source]
    Warning: Replacing the platform keys with your own can end up bricking hardware on some machines, including laptops, making it impossible to get into the firmware settings to rectify the situation. This is due to the fact that some device (e.g. GPU) firmware (OpROMs), that get executed during boot, are signed using Microsoft 3rd Party UEFI CA certificate or vendor certificates. This is the case in many Lenovo Thinkpad X, P and T series laptops which use the Lenovo CA certificate to sign UEFI applications and firmware.

    “Just” is doing a lot of heavy lifting in that solution.

    https://wiki.archlinux.org/title/Unified_Extensible_Firmware...
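
Added example, not part of any comment in this thread: a Python parser for the Secure Boot `db` variable that counts entries by owner GUID, a quick way to see whether Microsoft-owned certificates are enrolled before or after changing keys. The sample blob and `LOCAL_OWNER` are constructed; on Linux the real data is usually read from `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f`.

```python
import struct
import uuid

# Well-known GUIDs: X.509 signature type and the owner GUID Microsoft uses for its entries.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

def parse_signature_lists(blob):
    """Yield (sig_type, owner, data) for each entry in concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        if (end - pos) % sig_size:
            raise ValueError("entries do not fill the list at offset %d" % off)
        while pos < end:
            # Each entry: 16-byte SignatureOwner GUID, then the certificate or hash.
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def summarize_db(efivar_bytes):
    """Count entries by owner in an efivarfs read of `db` (first 4 bytes are attributes)."""
    counts = {"microsoft": 0, "other": 0}
    for _type, owner, _data in parse_signature_lists(efivar_bytes[4:]):
        counts["microsoft" if owner == MICROSOFT_OWNER_GUID else "other"] += 1
    return counts

def build_esl(sig_type, owner, payload):
    """Build a single-entry signature list (used only for the constructed sample)."""
    body = owner.bytes_le + payload
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, len(body)) + body

# Constructed sample: attributes word, one Microsoft-owned entry, one locally owned entry.
LOCAL_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made-up owner GUID
SAMPLE_DB = (struct.pack("<I", 0x27)
             + build_esl(EFI_CERT_X509_GUID, MICROSOFT_OWNER_GUID, b"\x30\x82" + b"\x00" * 30)
             + build_esl(EFI_CERT_X509_GUID, LOCAL_OWNER, b"\x30\x82" + b"\x00" * 20))

if __name__ == "__main__":
    print(summarize_db(SAMPLE_DB))
```

The owner GUID is a label written at enrollment time, so treat the count as a hint and confirm by inspecting the certificate subjects themselves.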

    11. msgodel ◴[] No.44616593{3}[source]
    Weirdly Microsoft has been one of the companies ensuring Linux remains bootable on PCs.
    replies(2): >>44616764 #>>44616860 #
    12. bayindirh ◴[] No.44616647[source]
    To be able to get Windows licenses and preload Windows on your system, put that little Windows sticker and sell your machine to the masses, you need a Windows Compatibility certificate, and that certificate needs you to have Secure Boot, and have it enabled by default.
    replies(1): >>44616696 #
    13. salawat ◴[] No.44616696{3}[source]
    Sounds anti-competitive as fuck to me. Maybe we should, I don't know; do something about companies using contractual requirements to lock key industrial into one way of doing things in order to shut down such efforts?
    replies(1): >>44617086 #
    14. bayindirh ◴[] No.44616764{4}[source]
    Bill Gates famously asked: "Can we create a standard or expand something like ACPI, so Linux becomes unbootable on PCs?"

    So, believing this is very, very hard.

    15. pydry ◴[] No.44616860{4}[source]
    Microsoft has been trying to tread a fine line between exerting subtle pressure on OEMs to make Linux annoying to boot so it doesn't become more popular and not violating the terms of its antitrust agreement.
    16. edoceo ◴[] No.44617086{4}[source]
    What is the something we can do?
    17. lexicality ◴[] No.44617464[source]
    Newer Linux people will presumably be using the new key though?