On Tue, Jul 8, 2025 at 8:45 PM Mateus Rodrigues Costa
<mateusrodco...@gmail.com> wrote:
>
> Hello all,
>
> As you guys know, Secure Boot is supported by Fedora Linux and it
> relies on the Microsoft signing keys.
> Well, recently I was looking at this month's Windows 11 cumulative
> update and noticed this warning:
>
> Important: Secure Boot certificates used by most Windows devices are
> set to expire starting in June 2026. This might affect the ability of
> certain personal and business devices to boot securely if not updated
> in time. To avoid disruption, we recommend reviewing the guidance and
> taking action to update certificates in advance. For details and
> preparation steps, see Windows Secure Boot certificate expiration and
> CA updates.
>
> Which links to 
> https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e
>
> My question is if we as Fedora users should worry....
>
> I guess that users with devices that actively receive BIOS updates
> should receive an update with the new certificates included, but it's
> unknown what will happen for devices that are basically out of
> support.
>
> I believe that fwupd should be able to update that certificate, but at
> least on my system the Microsoft certificate isn't shown on it (I
> believe on a UEFI Secure Boot VM it's shown)
>
> Should we worry about this?
>
> For instance, my device, a Dell laptop, for which fwupd recognizes:
> the firmware (which I update via a built-in BIOS flash utility), the
> dbx (updated via fwupd) and a mysterious "Dell Platform Key", which
> might be Microsoft's certificate along with some other Dell stuff.
>
> Is Linux ready for the Microsoft certificate expiring next year?
>

I would guess varying degrees of "no." Distributions will need new
shim builds signed with the "Microsoft Corporation UEFI CA 2023"
certificate instead of the previous 2011 one that was introduced with
Windows 8. It looks like the shim binaries on my system (Fedora 42)
are still signed only with the 2011 CA certificate.

Some digging indicates that Microsoft will not begin signing with the
2023 certificate until October:
https://github.com/rhboot/shim-review/issues/454#issuecomment-3000727363

So for now, we all have to wait and there's nothing we can do.



-- 
真実はいつも一つ!/ Always, there's only one truth!
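
The check mentioned in the reply, which CA a shim binary's signatures name, as an added example that is not part of the original thread or of any project's code. It walks the PE certificate table and searches each signature for the CA names; the function names, the substring match on "UEFI CA 2023" and the constructed sample image are assumptions, and it does not verify the signatures cryptographically.

```python
import struct, sys

# CA generations to look for in each signature's certificates. The 2023 name is
# matched as a substring (assumption) so its exact prefix does not matter.
CA_MARKERS = {"2011": "Microsoft Corporation UEFI CA 2011", "2023": "UEFI CA 2023"}

def signature_blobs(pe: bytes):
    """Yield each WIN_CERTIFICATE payload from a PE image's certificate table."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe_off + 24                              # optional header follows COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]    # PE32 / PE32+ data directories
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4, a file offset
    end = min(off + size, len(pe))
    while off + 8 <= end:
        length = struct.unpack_from("<I", pe, off)[0]
        if length < 8 or off + length > end:
            break                                  # malformed entry: stop walking
        yield pe[off + 8:off + length]
        off += (length + 7) & ~7                   # entries are 8-byte aligned

def signing_cas(pe: bytes):
    """Per signature, the set of CA generations named in its certificates."""
    out = []
    for blob in signature_blobs(pe):
        # Names may be stored ASCII-compatible or as BMPString (UTF-16BE).
        out.append({label for label, name in CA_MARKERS.items()
                    if name.encode("ascii") in blob or name.encode("utf-16-be") in blob})
    return out

def build_sample(names):
    """Constructed PE32+ stub: one fake certificate entry per name, no real signature."""
    table = b""
    for n in names:
        entry = struct.pack("<IHH", 8 + len(n), 0x0200, 0x0002) + n.encode("ascii")
        table += entry + b"\0" * (-len(entry) % 8)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 4 * 8, 64 + 24 + 112 + 128, len(table))
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 64)
    opt = struct.pack("<H", 0x20B).ljust(112, b"\0")
    return dos + b"PE\0\0" + bytes(20) + opt + bytes(dirs) + table

if __name__ == "__main__" and len(sys.argv) > 1:
    print(signing_cas(open(sys.argv[1], "rb").read()))
```

Run it with the path to a shim binary as the first argument. An empty list means the image carries no signatures, and a single `{'2011'}` entry corresponds to the "signed only with the 2011 CA" state described in the reply.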