
253 points pabs3 | 7 comments
jmclnx No.44615067
And this is why I avoid and will always avoid "Secure Boot". I can see many newer Linux people being locked out starting in Sept.
replies(3): >>44615474 #>>44616122 #>>44617464 #
1. craftkiller No.44615474
Or you could just remove Microsoft's keys from your systems and sign your bootloader with your own key. That's what I do on all of my systems, so I am unimpacted by this.
replies(3): >>44615574 #>>44616310 #>>44616568 #
2. ekianjo No.44615574
Do you have any source on how to do that?
replies(2): >>44615682 #>>44615805 #
3. craftkiller No.44615682
I followed https://github.com/nix-community/lanzaboote/blob/master/docs... but naturally you don't want to include the `--microsoft` flag when running `sbctl enroll-keys` if you want to avoid Microsoft keys. Also, Lanzaboote is only for NixOS.
4. marcthe12 No.44615805
The Arch wiki has the best source: https://wiki.archlinux.org/title/Unified_Extensible_Firmware...

Note sbctl is one of the easier tools to do this.

5. josephcsible No.44616310
Sure, but that's a lot more work than just disabling Secure Boot, and for most people's threat models, there's zero actual security benefit gained in return.
replies(1): >>44616363 #
6. No.44616363
7. brudgers No.44616568
Warning: Replacing the platform keys with your own can end up bricking hardware on some machines, including laptops, making it impossible to get into the firmware settings to rectify the situation. This is due to the fact that some device (e.g. GPU) firmware (OpROMs) that gets executed during boot is signed using the Microsoft 3rd Party UEFI CA certificate or vendor certificates. This is the case in many Lenovo ThinkPad X, P and T series laptops, which use the Lenovo CA certificate to sign UEFI applications and firmware.

“Just” is doing a lot of heavy lifting in that solution.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware...
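Before deciding whether to drop the `--microsoft` flag (comment 3) it helps to know which entries in the current `db` are owned by Microsoft and which by the OEM, given the OpROM warning in comment 7. The following is an added example, not code from the thread or from sbctl: it parses the EFI_SIGNATURE_LIST format of the `db` variable and counts Microsoft-owned entries. The efivars path in the comment and the OEM owner GUID in the sample are assumptions; the sample certificate payloads are constructed placeholders, not real certificates.

```python
"""Inventory the EFI_SIGNATURE_LIST entries of a Secure Boot db/dbx/KEK blob.

On Linux the raw variable is assumed to be readable from
/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f; its first
4 bytes are attribute flags and must be stripped before calling the parser.
"""
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureOwner GUID that Microsoft uses for the certificates it ships in db/KEK.
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
_HDR = struct.Struct("<16sIII")


def parse_signature_lists(data: bytes) -> list[dict]:
    """Walk consecutive EFI_SIGNATURE_LIST structures; one dict per signature entry."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < _HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = _HDR.unpack_from(data, off)
        if list_size < _HDR.size + hdr_size or off + list_size > len(data):
            raise ValueError("inconsistent SignatureListSize")
        body = data[off + _HDR.size + hdr_size : off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("inconsistent SignatureSize")
        for i in range(0, len(body), sig_size):
            sig = body[i : i + sig_size]  # SignatureOwner GUID (16 bytes) + SignatureData
            entries.append({"type": uuid.UUID(bytes_le=sig_type),
                            "owner": uuid.UUID(bytes_le=sig[:16]),
                            "data_len": sig_size - 16})
        off += list_size
    return entries


def microsoft_owned(entries: list[dict]) -> int:
    """Number of entries whose SignatureOwner is Microsoft's GUID."""
    return sum(1 for e in entries if e["owner"] == MICROSOFT_OWNER_GUID)


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, payload: bytes) -> bytes:
    """Constructed helper: a single-entry EFI_SIGNATURE_LIST with no signature header."""
    sig = owner.bytes_le + payload
    return _HDR.pack(sig_type.bytes_le, _HDR.size + len(sig), 0, len(sig)) + sig


# Constructed sample db: one Microsoft-owned and one OEM-owned x509 entry (payloads are placeholders).
OEM_OWNER_GUID = uuid.UUID("00000000-0000-0000-0000-0000000000ee")  # assumed OEM owner
SAMPLE_DB = (build_esl(EFI_CERT_X509_GUID, MICROSOFT_OWNER_GUID, b"\x30\x82" + b"\0" * 30)
             + build_esl(EFI_CERT_X509_GUID, OEM_OWNER_GUID, b"\x30\x82" + b"\0" * 10))

if __name__ == "__main__":
    ents = parse_signature_lists(SAMPLE_DB)
    for e in ents:
        print(e["type"], e["owner"], e["data_len"])
    print(f"{microsoft_owned(ents)} of {len(ents)} entries owned by Microsoft")
```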