On Tue, Jul 08, 2025 at 09:44:54PM -0300, Mateus Rodrigues Costa wrote:
> Hello all,
> 
> As you guys know Secure Boot is supported by Fedora Linux and it
> relies on the Microsoft signing keys.
> Well, recently I was looking at this month's Windows 11 cumulative
> update and noticed this warning:
> 
> Important: Secure Boot certificates used by most Windows devices are
> set to expire starting in June 2026. This might affect the ability of
> certain personal and business devices to boot securely if not updated
> in time. To avoid disruption, we recommend reviewing the guidance and
> taking action to update certificates in advance. For details and
> preparation steps, see Windows Secure Boot certificate expiration and
> CA updates.
> 
> Which links to 
> https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e
> 
> My question is if we as Fedora users should worry...
> 
> I guess that users with devices that actively receive BIOS updates
> should receive an update with the new certificates included, but it's
> unknown what will happen for devices that are basically out of
> support.

We can assume that some HW will never receive BIOS updates, or
BIOS updates on a very slow/delayed schedule, hence the need for
fwupd to be able to deliver the new certs.

> I believe that fwupd should be able to update that certificate, but at
> least on my system the Microsoft certificate isn't shown on it (I
> believe on a UEFI Secure Boot VM it's shown)

Historically fwupd wasn't able to cope with this, but recent releases
have been enhanced to handle the updates that Linux users will need
to see, which should mitigate the worst of the impact. There's a
reasonable overview of the situation here:

   https://fwupd.github.io/libfwupdplugin/uefi-db.html

> Should we worry about this?

To some extent. Users should be "aware" of the potential for trouble,
but hopefully the worst of the "worry" part is handled by the OS vendors
and maintainers. 

> Is Linux ready for the Microsoft certificate expiring next year?

Even with the fwupd enhancements, users are still liable to see some level
of disruption. E.g. if new hardware /only/ has the new 2023 cert present,
no existing OS release will be able to install in SecureBoot mode.

I'm unclear if fwupd would push the /old/ SB certs out to new HW which
only has the new SB certs - I'm guessing probably not?

Existing OS which are still under support will probably (hopefully) get
updates at some point, but there will be plenty of OS that are never
updated to be signed by new certs.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
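The practical question behind this thread is "which CAs does my firmware's db currently contain, and is the newer one there yet?" The script below is an added illustration, not code from this thread, fwupd, or Fedora: it walks the EFI_SIGNATURE_LIST structures that make up the db variable (the layout and the two signature-type GUIDs are from the UEFI specification), reports each X.509 entry's subject and expiry when the `cryptography` package is available and a SHA-256 of the DER otherwise, and lists raw hash entries. The efivarfs path for db is the real one (the first four bytes of such a file are variable attributes, not data); the owner GUID and certificate bytes in the embedded sample are constructed so the script runs offline.

```python
"""List the entries of a UEFI Secure Boot signature database (db/dbx/KEK).

Added example; not from fwupd or the thread above.  Pass an efivarfs file
(or a raw .esl dump) as argv[1]; with no argument a constructed sample
database is parsed so the script runs on any machine.
"""
import hashlib
import struct
import sys
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# db lives under EFI_IMAGE_SECURITY_DATABASE_GUID in efivarfs.
DB_VAR_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

ESL_HEADER = struct.Struct("<III")  # SignatureListSize, SignatureHeaderSize, SignatureSize


def parse_signature_lists(blob):
    """Walk concatenated EFI_SIGNATURE_LIST structures.

    Layout per list: SignatureType(16) | ListSize(u32) | HeaderSize(u32) |
    SignatureSize(u32) | header | N x (SignatureOwner(16) | SignatureData).
    Returns one dict per signature entry; raises ValueError on a truncated
    or inconsistent list rather than silently skipping it.
    """
    entries = []
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        body, end = off + 28 + hdr_size, off + list_size
        while body + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[body:body + 16])
            data = blob[body + 16:body + sig_size]
            entries.append({"type": sig_type, "owner": owner, "data": data})
            body += sig_size
        off = end
    return entries


def x509_summary(der):
    """Subject and expiry via `cryptography` if installed and parseable;
    otherwise a SHA-256 of the DER, which is still enough to compare
    against a known-good fingerprint."""
    try:
        from cryptography import x509
        cert = x509.load_der_x509_certificate(der)
        not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
        return "subject=%s notAfter=%s" % (cert.subject.rfc4514_string(), not_after.date())
    except Exception:
        return "sha256(DER)=%s" % hashlib.sha256(der).hexdigest()


def describe(entry):
    """Human-readable one-liner for a parsed entry."""
    if entry["type"] == EFI_CERT_X509_GUID:
        return "X509   owner=%s %s" % (entry["owner"], x509_summary(entry["data"]))
    if entry["type"] == EFI_CERT_SHA256_GUID:
        return "SHA256 owner=%s %s" % (entry["owner"], entry["data"].hex())
    return "%s owner=%s %d bytes" % (entry["type"], entry["owner"], len(entry["data"]))


def summarize(blob):
    """Count entries by kind; the quick answer to 'how many CAs are in db?'"""
    entries = parse_signature_lists(blob)
    return {
        "x509": sum(e["type"] == EFI_CERT_X509_GUID for e in entries),
        "sha256": sum(e["type"] == EFI_CERT_SHA256_GUID for e in entries),
    }


def is_wellformed(blob):
    try:
        parse_signature_lists(blob)
        return True
    except ValueError:
        return False


def load_efivar(path):
    """efivarfs files start with a 4-byte attribute word; raw .esl dumps do not."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data[4:] if path.startswith("/sys/firmware/efi/efivars/") else data


def build_signature_list(sig_type, owner, payloads):
    """Construct one EFI_SIGNATURE_LIST (all payloads must share a length)."""
    assert len({len(p) for p in payloads}) == 1
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + ESL_HEADER.pack(28 + len(body), 0, 16 + len(payloads[0])) + body


# Constructed sample: a placeholder owner GUID, a fake 64-byte "certificate"
# (not real DER) and two hash entries.  Nothing here is a real db value.
SAMPLE_OWNER = uuid.UUID("00000000-1111-2222-3333-444444444444")
SAMPLE_DB = (
    build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"\x30\x82\x01\x00" + b"A" * 60])
    + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                           [hashlib.sha256(b"hash1").digest(), hashlib.sha256(b"hash2").digest()])
)

if __name__ == "__main__":
    blob = load_efivar(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DB
    for entry in parse_signature_lists(blob):
        print(describe(entry))
    print(summarize(blob))
```

Run it as `python3 listdb.py /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` on a machine booted with UEFI (root is typically needed to read the variable), and look at the subject and notAfter of each X509 line; `mokutil --db` produces an equivalent listing where shim's tools are installed. The same parser works on dbx and KEK by pointing it at the corresponding efivars file.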

-- 
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
