←back to thread

Linux and Secure Boot certificate expiration

(lwn.net)
253 points pabs3 | 3 comments | 18 Jul 25 03:53 UTC | HN request time: 0.598s | source
Show context
jmclnx ◴[19 Jul 25 12:47 UTC] No.44615067[source]
And this is why I avoid and will always avoid "Secure Boot". I can see many newer Linux people being locked out starting in Sept.
replies(3): >>44615474 #>>44616122 #>>44617464 #
craftkiller ◴[19 Jul 25 13:50 UTC] No.44615474[source]
Or you could just remove microsoft's keys from your systems and sign your bootloader with your own key. That's what I do on all of my systems so I am unimpacted by this.
replies(3): >>44615574 #>>44616310 #>>44616568 #
1. ekianjo ◴[19 Jul 25 14:05 UTC] No.44615574[source]
do you have any source on how to do that?
replies(2): >>44615682 #>>44615805 #
2. craftkiller ◴[19 Jul 25 14:21 UTC] No.44615682[source]
I followed https://github.com/nix-community/lanzaboote/blob/master/docs... but naturally you don't want to include the `--microsoft` flag when running `sbctl enroll-keys` if you want to avoid microsoft keys. Also Lanzaboote is only for NixOS.
3. marcthe12 ◴[19 Jul 25 14:35 UTC] No.44615805[source]
The arch wiki has the best source https://wiki.archlinux.org/title/Unified_Extensible_Firmware...

Note sbctl is one of the easier tools to do this.