
253 points pabs3 | 7 comments
londons_explore ◴[] No.44616185[source]
Things that might not get updates shouldn't use the current date/time when checking certificates. Instead, they should see if the certificate would have been valid on the day the firmware was compiled (ie. behaviour will never change through the passage of time alone).
replies(2): >>44616291 #>>44616303 #
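The policy described in the comment above (evaluate the certificate's validity window against a fixed reference date such as the firmware build date, rather than the wall clock) is easy to show in code. The block below is an added example, not code from the thread or from any project it mentions: a minimal DER encoder and parser for the X.509 Validity sequence (UTCTime and GeneralizedTime, including the RFC 5280 two-digit-year rule), plus three checking policies. The sample validity window is constructed inline; the `Policy` names and the `check_validity` signature are assumptions made for illustration.

```python
"""Added example: X.509 Validity parsing and three clock policies.

Not code from the thread. The Validity bytes are constructed here;
Policy names and check_validity() are illustrative assumptions.
"""
import enum
from datetime import datetime, timezone


def utc(y, m, d, hh=0, mm=0, ss=0):
    """Build a timezone-aware UTC datetime (helper for samples and tests)."""
    return datetime(y, m, d, hh, mm, ss, tzinfo=timezone.utc)


def encode_time(dt):
    """RFC 5280 4.1.2.5: UTCTime (tag 0x17) for years through 2049,
    GeneralizedTime (tag 0x18) from 2050 on. Both must end in 'Z'."""
    if dt.year < 2050:
        return b"\x17" + bytes([13]) + dt.strftime("%y%m%d%H%M%SZ").encode("ascii")
    return b"\x18" + bytes([15]) + dt.strftime("%Y%m%d%H%M%SZ").encode("ascii")


def encode_validity(not_before, not_after):
    """Validity ::= SEQUENCE { notBefore Time, notAfter Time } (short-form length)."""
    body = encode_time(not_before) + encode_time(not_after)
    return b"\x30" + bytes([len(body)]) + body


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos).
    Handles short- and long-form lengths, which is all Validity needs."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    s = value.decode("ascii")
    if tag == 0x17:                         # UTCTime: YYMMDDHHMMSSZ
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 century rule
        rest = s[2:]
    elif tag == 0x18:                       # GeneralizedTime: YYYYMMDDHHMMSSZ
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    if len(rest) != 11 or not rest.endswith("Z"):
        raise ValueError("certificate times must be UTC with a trailing Z")
    return utc(year, int(rest[0:2]), int(rest[2:4]),
               int(rest[4:6]), int(rest[6:8]), int(rest[8:10]))


def parse_validity(der):
    """Return (not_before, not_after) from a DER Validity sequence."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Validity must be a SEQUENCE")
    t1, v1, p = _read_tlv(body, 0)
    t2, v2, _ = _read_tlv(body, p)
    return _parse_time(t1, v1), _parse_time(t2, v2)


class Policy(enum.Enum):
    STRICT = "strict"          # compare against the current clock; expired fails
    BUILD_TIME = "build_time"  # compare against the firmware build date instead
    WARN = "warn"              # expired is accepted but reported, not fatal


def check_validity(der, policy, now, build_time=None):
    """Return (decision, reason) for the Validity window under the given policy."""
    not_before, not_after = parse_validity(der)
    ref = build_time if policy is Policy.BUILD_TIME else now
    if ref < not_before:
        return ("reject", "not yet valid")
    if ref > not_after:
        return ("accept", "expired") if policy is Policy.WARN else ("reject", "expired")
    return ("accept", "ok")


# Constructed sample: a ten-year window that has already lapsed by 2026.
SAMPLE_VALIDITY = encode_validity(utc(2015, 3, 1), utc(2025, 3, 1))

if __name__ == "__main__":
    now = utc(2026, 1, 1)
    for policy in Policy:
        print(policy.value, check_validity(SAMPLE_VALIDITY, policy, now,
                                           build_time=utc(2016, 1, 1)))
```

Note that BUILD_TIME makes the result a pure function of the firmware image: it stops the device from bricking itself when a root CA ages out, but it also never rejects a certificate that is revoked or expired after the build, so it should be paired with a real update channel rather than treated as a full replacement for time checks.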
1. AnotherGoodName ◴[] No.44616291[source]
Expired certificates should also at worst be a skippable warning. No one’s relying on certificates expiring for security. If you did you might have to wait many years for the expiration of a stolen certificate - lol!

It’s absolutely a minor “hey btw the certificate expired, check for an update” yet various systems treat certificate expiration as an end of the world lock it down scenario.

replies(2): >>44616578 #>>44620929 #
2. Tuna-Fish ◴[] No.44616578[source]
Oh it's skippable all right. Just pull the CMOS battery and wait a few seconds before putting it back in.
replies(2): >>44616658 #>>44618292 #
3. londons_explore ◴[] No.44616658[source]
There's gonna be a bunch of Linux users who write a shutdown script to set the date back to 2015 then poweroff... And at startup, reset the date back to today using the internet.

Sounds like a cleaner solution than any of the ones in the article too!

replies(1): >>44616824 #
4. Tuna-Fish ◴[] No.44616824{3}[source]
That's risky: an unclean shutdown would require resetting the clock, which is a bother.

It's much more likely that someone will write a driver that adds an offset to the clock, keeping the hw date in a safe range.

replies(1): >>44617117 #
5. homebrewer ◴[] No.44617117{4}[source]
You can simply avoid adjusting the hardware clock. The kernel clock is not tied to it and can be modified separately. chrony can do that, for example.

https://wiki.archlinux.org/title/Chrony#Real-Time_Clock

6. andrewmcwatters ◴[] No.44618292[source]
Infosec engineers hate this one trick!
7. charcircuit ◴[] No.44620929[source]
>years for the expiration of a stolen certificate

Code signing certificates are trending down in length. It recently dropped down from a max of 39 months to about 15 months.