
253 points | pabs3 | 1 comment
mkj No.44602124
It's not just Linux - certificates to sign Windows are also affected in 2026.

https://support.microsoft.com/en-us/topic/windows-secure-boo...

https://techcommunity.microsoft.com/blog/windows-itpro-blog/...

Really it seems like having any expiry date for these certificates is a mistake. The one thing it might protect against is a compromised signing key, but if you have to wait 15 years for a compromised key to stop being valid, it's not very useful!

Don't worry, the replacement MS certs expire in 2038 (a couple of months after the 32-bit unix time rollover).

replies(5): >>44602428 #>>44602690 #>>44602733 #>>44602895 #>>44617707 #
jeroenhd No.44602733
The mistake was not to put an expiry date on the certificates, but to trust hardware vendors to do even basic firmware maintenance after motherboards and laptops leave the warehouse.

In theory a KEK update will fix the expiry issue just like a CA package update on any normal operating system will do.

In practice, most UEFI firmware is written like trash, unmaintained, and mostly untested.

replies(5): >>44603271 #>>44603290 #>>44603448 #>>44603660 #>>44604239 #
numpad0 No.44603448
There is no basic firmware maintenance to do. Firmware is supposed to be properly engineered, immutable, still to this day sometimes physically wired as 1s and 0s. It doesn't make sense to have expiry dates carved in stone.
replies(1): >>44604056 #
jeroenhd No.44604056
Firmware needs maintenance because unless you're doing stuff for the aerospace industry, you're not mathematically proving that your firmware is bug-free. Eventually someone will need to install updates.

Well-written firmware doesn't need to be updated for the key database to get updated. However, some vendors messed up and now require firmware updates, while others simply store the new key in NVRAM.

replies(1): >>44606371 #
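Added example, not code from any commenter, Microsoft or a firmware vendor: the two jeroenhd comments above hinge on whether the db/KEK variables carry a newer CA, and those variables are just a chain of EFI_SIGNATURE_LIST records, so "which trusted certificates expire by date X" reduces to walking that structure and reading each X.509 entry's notAfter. The script below does exactly that with a minimal DER walker (no third-party modules). The owner GUIDs, certificates and dates in the sample blob are constructed for the demo and are not the real Microsoft entries; the signature-type GUIDs are the ones from the UEFI specification. On Linux it can be pointed at an efivarfs file such as /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f, whose first 4 bytes are the variable attributes rather than data.

```python
import struct
import sys
import uuid
from datetime import datetime, timezone

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # UEFI spec signature types
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIGLIST_HDR = 28  # EFI_SIGNATURE_LIST header: EFI_GUID + SignatureListSize/HeaderSize/SignatureSize

def parse_siglists(blob):
    """Return [(signature_type, owner, data)] for every EFI_SIGNATURE_DATA in a db/KEK blob."""
    entries, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < SIGLIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])                 # EFI_GUID is mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        if list_size < SIGLIST_HDR + hdr_size or pos + list_size > len(blob) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        data = blob[pos + SIGLIST_HDR + hdr_size:pos + list_size]
        if len(data) % sig_size:
            raise ValueError("signature area is not a whole number of entries")
        for i in range(0, len(data), sig_size):                            # SignatureOwner + SignatureData
            entries.append((sig_type, uuid.UUID(bytes_le=data[i:i + 16]), data[i + 16:i + sig_size]))
        pos += list_size
    return entries

def der_read(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def parse_time(tag, raw):
    """RFC 5280 Time: UTCTime (0x17, two-digit year, 50-99 -> 19xx) or GeneralizedTime (0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])
        text = str(1900 + yy if yy >= 50 else 2000 + yy) + text[2:]
    elif tag != 0x18:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(cert):
    """Return (notBefore, notAfter) by walking Certificate -> tbsCertificate -> validity."""
    outer, pos, _ = der_read(cert, 0)                                      # Certificate SEQUENCE
    inner, pos, _ = der_read(cert, pos)                                    # tbsCertificate SEQUENCE
    if outer != 0x30 or inner != 0x30:
        raise ValueError("not a DER Certificate")
    tag, _, end = der_read(cert, pos)
    if tag == 0xA0:                                                        # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                                                     # serialNumber, signature, issuer
        _, _, pos = der_read(cert, pos)
    tag, pos, _ = der_read(cert, pos)                                      # validity SEQUENCE
    if tag != 0x30:
        raise ValueError("validity SEQUENCE not found")
    tag, a, b = der_read(cert, pos)
    not_before = parse_time(tag, cert[a:b])
    tag, a, b = der_read(cert, b)
    return not_before, parse_time(tag, cert[a:b])

def expiring_certs(blob, deadline):
    """X.509 entries whose notAfter is on or before deadline, as [(owner, notAfter)]; hash entries have none."""
    found = []
    for sig_type, owner, data in parse_siglists(blob):
        if sig_type == EFI_CERT_X509_GUID:
            not_after = cert_validity(data)[1]
            if not_after <= deadline:
                found.append((owner, not_after))
    return found

def der(tag, content):
    """Tiny DER encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_cert(not_before, not_after):
    """Constructed, structurally valid Certificate with empty names/key; only validity matters here."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))       # sha256WithRSAEncryption OID
    validity = der(0x30, der(0x17, not_before.encode()) + der(0x17, not_after.encode()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + der(0x30, b"")
              + validity + der(0x30, b"") + der(0x30, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))

def build_siglist(sig_type, owner, blobs):
    """One EFI_SIGNATURE_LIST; every entry in a list shares SignatureSize, hence one cert per list."""
    body = b"".join(owner.bytes_le + b for b in blobs)
    return sig_type.bytes_le + struct.pack("<III", SIGLIST_HDR + len(body), 0, 16 + len(blobs[0])) + body

OWNER_OLD = uuid.UUID("11111111-1111-4111-8111-111111111111")              # constructed owner GUIDs
OWNER_NEW = uuid.UUID("22222222-2222-4222-8222-222222222222")
SAMPLE_DB = (build_siglist(EFI_CERT_X509_GUID, OWNER_OLD, [fake_cert("110627000000Z", "260627000000Z")])
             + build_siglist(EFI_CERT_X509_GUID, OWNER_NEW, [fake_cert("230613000000Z", "380101000000Z")])
             + build_siglist(EFI_CERT_SHA256_GUID, OWNER_OLD, [bytes(32)]))   # constructed dummy db

if __name__ == "__main__":
    # With a path argument, read a real variable (efivarfs prepends a 4-byte attribute word).
    blob = open(sys.argv[1], "rb").read()[4:] if len(sys.argv) > 1 else SAMPLE_DB
    for owner, not_after in expiring_certs(blob, datetime(2027, 1, 1, tzinfo=timezone.utc)):
        print(f"owner {owner} expires {not_after:%Y-%m-%d}")
```

Run against the sample it reports only the constructed 2026 entry; run as root against the real db (or KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c for the KEK) it lists whatever your firmware actually trusts, which is the quickest way to tell a board that took the NVRAM update from one that still needs a firmware flash. The size checks in parse_siglists matter on real hardware: a malformed list is a classic firmware parsing bug, and a script that trusts SignatureListSize blindly will happily read past the buffer.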
danudey No.44606371
Not to mention that firmware updates are often necessary for things like supporting new CPUs. Immutable firmware means that your system can never improve or expand to support new hardware, and I would hate to have to buy a new motherboard to support a new CPU.
replies(1): >>44615419 #
numpad0 No.44615419
You shouldn't need new improved proprietary software to support new hardware, that's just wrong. They're just bundling free apps into hardware at that point.

"New CPU needs new software" shouldn't be an excuse to just let CPUs become their own computers, with the real CPU you're paying for as one of many features. That's just fundamentally wrong.

replies(1): >>44617950 #
josephg No.44617950
That is reality though. It happens all the time.

Modern computers are distributed systems of components. Each component has its own cpu and OS running in firmware. And they talk over the system bus.

replies(1): >>44618380 #
rolph No.44618380
It seems like you are talking about hardware controllers, vs CPUs.
replies(1): >>44621912 #
pabs3 No.44621912
Those are still processors, just like CPUs, but slower.