Linux users may face yet another hurdle related to Secure Boot when the Microsoft-signed key used by many distributions to support the firmware-based security feature expires on September 11, leaving users dependent on OEMs distributing updates, with some systems possibly never receiving the necessary firmware update.
As LWN reported (paywall), Microsoft will stop using the expiring key to sign the shim in September. “But the replacement key, which has been available since 2023, may not be installed on many systems; worse yet, it may require the hardware vendor to issue an update for the system firmware, which may or may not happen,” LWN said. “It seems that the vast majority of systems will not be lost in the shuffle, but it may require extra work from distributors and users.”
The report said manufacturers could add support for the new key in a full firmware update or by updating the KEK database. The former assumes that manufacturers would be interested in distributing a firmware update for a wide variety of products so a small percentage of their users could use Secure Boot with a non-Windows OS; the latter is an unproven mechanism that isn’t guaranteed to work on all devices. Both seem likely to leave at least some people to figure out a solution on their own.
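Whether a given machine is affected comes down to which Microsoft CA certificates its firmware currently trusts. On Linux the `db` and `KEK` variables are exposed under `/sys/firmware/efi/efivars/` as a 4-byte attribute header followed by concatenated `EFI_SIGNATURE_LIST` structures, so the check can be done without any vendor tooling. The following parser is an added example and is not code from the article or from LWN; it assumes the subject names "Microsoft Corporation UEFI CA 2011" and "Microsoft UEFI CA 2023" for the old and replacement third-party signing CAs, uses a constructed sample blob in place of a real `db`, and locates the CA name by a byte-substring search of the DER rather than a full X.509 parse.

```python
"""Inspect a UEFI signature database (db/KEK) for the Microsoft shim-signing CAs.

Added example: parses the EFI_SIGNATURE_LIST layout used by the db and KEK
variables and reports whether the 2011 CA and its 2023 replacement are present.
"""
import os
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # one DER X.509 cert per entry
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # 32-byte image hash per entry

# efivarfs path of db (EFI_IMAGE_SECURITY_DATABASE_GUID); only read when present.
DB_EFIVAR = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# Assumed subject CNs of the relevant Microsoft certificates.
CA_NAMES = {
    "Microsoft Corporation UEFI CA 2011": "expiring third-party UEFI CA",
    "Microsoft UEFI CA 2023": "replacement third-party UEFI CA",
}

# Constructed placeholder SignatureOwner GUID; real entries carry the vendor's GUID.
OWNER = uuid.UUID("00000000-0000-0000-0000-00000000c0de")


def parse_signature_lists(blob: bytes, skip_efivarfs_header: bool = True):
    """Yield (signature_type, owner_guid, data) for every entry in the blob.

    Layout per list: SignatureType GUID (16) | SignatureListSize (u32) |
    SignatureHeaderSize (u32) | SignatureSize (u32) | header | entries,
    where each entry is SignatureOwner GUID (16) followed by the signature data.
    """
    off = 4 if skip_efivarfs_header else 0  # efivarfs prefixes the variable with its attributes
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def find_microsoft_cas(blob: bytes, skip_efivarfs_header: bool = True) -> dict:
    """Return {CA name: present?} for the CAs in CA_NAMES."""
    found = {name: False for name in CA_NAMES}
    for sig_type, _owner, data in parse_signature_lists(blob, skip_efivarfs_header):
        if sig_type != EFI_CERT_X509_GUID:
            continue  # hash entries carry no CA name, skip them
        for name in CA_NAMES:
            # The CN is stored as a PrintableString/UTF8String inside the DER,
            # so a byte-substring match finds it without a full X.509 parser.
            if name.encode() in data:
                found[name] = True
    return found


def build_signature_list(sig_type: uuid.UUID, entries: list) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST; all entries in a list share one size."""
    sig_size = 16 + len(entries[0][1])
    assert all(len(data) == sig_size - 16 for _, data in entries)
    body = b"".join(owner.bytes_le + data for owner, data in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


def constructed_sample_db() -> bytes:
    """Constructed db blob: a fake 2011 CA entry plus one SHA-256 hash entry, no 2023 CA."""
    fake_cert_2011 = b"\x30\x82" + b"Microsoft Corporation UEFI CA 2011".ljust(70, b"\0")
    x509_list = build_signature_list(EFI_CERT_X509_GUID, [(OWNER, fake_cert_2011)])
    hash_list = build_signature_list(EFI_CERT_SHA256_GUID, [(OWNER, b"\x11" * 32)])
    attrs = struct.pack("<I", 0x27)  # NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS
    return attrs + x509_list + hash_list


if __name__ == "__main__":
    if os.path.exists(DB_EFIVAR):
        with open(DB_EFIVAR, "rb") as fh:
            blob = fh.read()
        source = DB_EFIVAR
    else:
        blob, source = constructed_sample_db(), "constructed sample"
    for name, present in find_microsoft_cas(blob).items():
        print(f"{source}: {name} ({CA_NAMES[name]}): {'present' if present else 'MISSING'}")
```

Run as root on a real system it reads the live `db`; otherwise it falls back to the constructed sample. A missing "Microsoft UEFI CA 2023" entry in `db` is the condition the article warns about, and the same parser applied to the `KEK` variable shows whether the firmware holds a key that would let an authenticated update add it. The `mokutil --db` command gives a similar listing with full certificate details.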
Then it can’t be booted with new media. Microsoft has been very, very slow with the automatic rollout of their own key updates, and made just about no progress over the past two years. It’s been manual updates + newly produced systems only.
The trick here is that they have a key-exchange-key that can be used to update the other keys. That doesn’t expire (or rather, not in a meaningful way). But, a Windows image is still only going to boot on a system that trusts the key that was used for it. If you make a Windows image on a 2011 system now, it’s going to be signed with the 2011 key, and it won’t boot on a system that distrusts that key. The same is true in reverse.
Their key update documentation is all available and some enterprises have been on the new key for a while, but it’s a lot of manual work and a lot of problems have popped up, most documented in there. How they’re going to roll this out automatically to normal users isn’t obvious to me. There’s technically nothing stopping a system from trusting both the 2011 and 2023 keys, and I wouldn’t be entirely surprised if they end up never pushing the 2011 revocation.
The keys they use for their own OS don’t truly expire until late 2026, and I expect they’ll do their best to delay it until then, but the next time they have to update their boot manager is going to be painful and introduce all kinds of new problems.
Thanks for the explanation.