←back to thread

Linux and Secure Boot certificate expiration

(lwn.net)
253 points pabs3 | 1 comments | 18 Jul 25 03:53 UTC | HN request time: 0.21s | source
Show context
jmclnx ◴[19 Jul 25 12:47 UTC] No.44615067[source]
And this is why I avoid and will always avoid "Secure Boot". I can see many newer Linux people being locked out starting in Sept.
replies(3): >>44615474 #>>44616122 #>>44617464 #
craftkiller ◴[19 Jul 25 13:50 UTC] No.44615474[source]
Or you could just remove microsoft's keys from your systems and sign your bootloader with your own key. That's what I do on all of my systems so I am unimpacted by this.
replies(3): >>44615574 #>>44616310 #>>44616568 #
1. brudgers ◴[19 Jul 25 15:55 UTC] No.44616568[source]
Warning: Replacing the platform keys with your own can end up bricking hardware on some machines, including laptops, making it impossible to get into the firmware settings to rectify the situation. This is due to the fact that some device (e.g GPU) firmware (OpROMs), that get executed during boot, are signed using Microsoft 3rd Party UEFI CA certificate or vendor certificates. This is the case in many Lenovo Thinkpad X, P and T series laptops which uses the Lenovo CA certificate to sign UEFI applications and firmware.

“Just” is doing a lot of heavy lifting in that solution.

https://wiki.archlinux.org/title/Unified_Extensible_Firmware...