Neal Gompa venit, vidit, dixit 2025-07-09 03:22:40:
> On Tue, Jul 8, 2025 at 8:45 PM Mateus Rodrigues Costa
> <mateusrodco...@gmail.com> wrote:
> >
> > Hello all,
> >
> > As you guys know Secure Boot is supported by Fedora Linux and it
> > relies on the Microsoft signing keys.
> > Well, recently I was looking at this month's Windows 11 cumulative
> > update and noticed this warning:
> >
> > Important: Secure Boot certificates used by most Windows devices are
> > set to expire starting in June 2026. This might affect the ability of
> > certain personal and business devices to boot securely if not updated
> > in time. To avoid disruption, we recommend reviewing the guidance and
> > taking action to update certificates in advance. For details and
> > preparation steps, see Windows Secure Boot certificate expiration and
> > CA updates.
> >
> > Which links to
> > https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e
> >
> > My question is if we as Fedora users should worry...
> >
> > I guess that users with devices that actively receive BIOS updates
> > should receive an update with the new certificates included, but it's
> > unknown what will happen for devices that are basically out of
> > support.
> >
> > I believe that fwupd should be able to update that certificate, but at
> > least on my system the Microsoft certificate isn't shown on it (I
> > believe on a UEFI Secure Boot VM it's shown).
> >
> > Should we worry about this?
> >
> > For instance, my device, a Dell laptop, for which fwupd recognizes:
> > the firmware (which I update via a built-in BIOS flash utility), the
> > dbx (updated via fwupd) and a mysterious "Dell Platform Key", which
> > might be Microsoft's certificate along with some other Dell stuff.
> >
> > Is Linux ready for the Microsoft certificate expiring next year?
> >
> I would guess varying degrees of "no."
>
> Distributions will need new shim builds signed with the "Microsoft
> Corporation UEFI CA 2023" certificate instead of the previous 2011 one
> that was introduced with Windows 8. It looks like the shim binaries on
> my system (Fedora 42) are still signed only with the 2011 CA certificate.
>
> Some digging indicates that Microsoft will not begin signing with the
> 2023 certificate until October:
> https://github.com/rhboot/shim-review/issues/454#issuecomment-3000727363
>
> So for now, we all have to wait and there's nothing we can do.

Yes and no. The OP's concern seems to be whether old devices even receive the new CA certificate, and rightly so. It would have to be distributed *before* MS signs shims with it, or else the signature can't be validated. And that becomes a problem if it's the only signature.

Now, users *can* add CA certificates (to a different part of the store). Some of us do that to sign self-compiled kernel modules. So, in order to keep those machines on secure-boot which don't receive vendor (LVFS) updates anymore, we could do two things:

1. Add the new MS CA manually (i.e. tell users how to, or help with a package/script). [I don't know whether we can, both technically and legally - I assume we'd need the public key only, which should be fine.]

2. Cross-sign the shim with our (Fedora's) own CA certificate and do the same as 1. No legal hurdles there, and potentially a better path forward: it would allow users to potentially dump MS's key and trust Fedora's signing process only.

Cheers
Michael

--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
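As an added illustration (not from the thread or from any Fedora tooling), the check that the discussion above keeps circling back to, "is the 2023 CA already in this machine's trust store?", is a matter of walking the UEFI `db` variable's EFI_SIGNATURE_LIST chain. The parser below does that and reports which Microsoft UEFI CA generations it finds; the sample blob and its owner GUID are constructed stand-ins, and matching the CA by searching its name in the DER bytes is a deliberate shortcut in place of real X.509 parsing.

```python
import re, struct, uuid

# UEFI spec signature-type GUIDs for X.509 certificate and SHA-256 hash entries.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Heuristic: a CA's CN sits as plain bytes inside its DER, so a byte search tells 2011 from 2023.
MS_UEFI_CA_RE = re.compile(rb"Microsoft[ \w]*UEFI CA (20\d\d)")

def parse_siglists(blob):
    """Walk chained EFI_SIGNATURE_LISTs (Type GUID | ListSize | HdrSize | SigSize | hdr |
    N x (Owner GUID + data)) and return (sig_type, owner, data) tuples; raise if malformed."""
    entries, off = [], 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < 28 + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError(f"corrupt EFI_SIGNATURE_LIST at offset {off}")
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:  # every entry in one list has the same size
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def summarize(entries):
    """Count cert/hash entries and list which Microsoft UEFI CA years are enrolled."""
    years, n_x509, n_sha256 = set(), 0, 0
    for sig_type, _owner, data in entries:
        if sig_type == EFI_CERT_X509_GUID:
            n_x509 += 1
            years.update(m.group(1).decode() for m in MS_UEFI_CA_RE.finditer(data))
        elif sig_type == EFI_CERT_SHA256_GUID:
            n_sha256 += 1
    return {"x509": n_x509, "sha256": n_sha256, "ms_uefi_ca_years": sorted(years)}

def build_siglist(sig_type, entries):
    """Pack equal-size (owner, data) entries into one EFI_SIGNATURE_LIST (sample builder)."""
    body = b"".join(owner.bytes_le + data for owner, data in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0][1])) + body

# Constructed sample, not a real db: a stand-in "cert" blob naming only the 2011 CA, two
# hash entries, made-up owner GUID.  Against it summarize() reports no 2023 CA enrolled.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DB = (build_siglist(EFI_CERT_X509_GUID, [(OWNER, b"0\x82..Microsoft Corporation UEFI CA 2011..")])
             + build_siglist(EFI_CERT_SHA256_GUID, [(OWNER, b"\x11" * 32), (OWNER, b"\x22" * 32)]))
```

On a UEFI system, feed `parse_siglists` the contents of `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` (readable as root) with the 4-byte attribute prefix that efivarfs prepends stripped off; if `summarize` lists only 2011, a shim signed solely by the 2023 CA will not validate on that machine.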