Microsoft's Secure Boot UEFI bootloader signing key expires in September, posing problems for Linux users
A new key was issued in 2023, but it might not be well-supported ahead of the original key's expiration.
Linux users may face yet another hurdle related to Secure Boot when the Microsoft-signed key used by many distributions to support the firmware-based security feature expires on September 11, leaving users at the mercy of distribution from OEMs, and systems possibly not receiving a necessary firmware update.
Let's start with a quick overview of what Secure Boot is. It's part of the Unified Extensible Firmware Interface (UEFI) that has replaced the Basic Input/Output System (BIOS) on modern systems. (Although it's still often referred to as the BIOS by enthusiasts and manufacturers.) Microsoft's knowledge base article about the feature explains that it "is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the [manufacturer]."
It's up to manufacturers to make sure "the signature database (db), revoked signatures database (dbx), and Key Enrollment Key database (KEK)" are "stored on the firmware nonvolatile RAM (NV-RAM) at manufacturing time." The manufacturer then "locks the firmware from editing, except for updates that are signed with the correct key or updates by a physically present user who is using firmware menus, then generates a platform key (PK) [...] used to sign updates to the KEK or to turn off Secure Boot."
None of those requirements preclude the installation of non-Windows operating systems. Most devices ship with Microsoft's OS pre-installed, however, which means installing something else first requires someone to disable Secure Boot. (Which assumes they're aware of the existence of the UEFI/BIOS, how to navigate it, and how to change its boot settings.) The question then becomes whether or not the installed OS allows Secure Boot to be re-enabled after it's been installed alongside or instead of Windows.
That leaves operating system distributors with a decision to make: omitting Secure Boot support entirely; expecting users to generate and sign their own keys; or finding a way to use the Microsoft-controlled db, dbx, and KEK to enable Secure Boot in their own systems. NetBSD, OpenBSD, and some of their more esoteric counterparts settled on the first option, while some Linux distributions and FreeBSD opted for the third by using a "shim" to build their Secure Boot support on top of Microsoft's infrastructure.
Now that we have that out of the way: LWN reported (paywall) that Microsoft will stop using the expiring key to sign the shim in September. "But the replacement key, which has been available since 2023, may not be installed on many systems; worse yet, it may require the hardware vendor to issue an update for the system firmware, which may or may not happen," LWN said. "It seems that the vast majority of systems will not be lost in the shuffle, but it may require extra work from distributors and users."
The report said manufacturers could add support for the new key in a full firmware update or by updating the KEK database. The former assumes that manufacturers would be interested in distributing a firmware update for a wide variety of products so a small percentage of their users could use Secure Boot with a non-Windows OS; the latter is an unproven mechanism that isn't guaranteed to work on all devices. Both seem likely to leave at least some people to figure out a solution on their own.
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
All this for a feature with numerous vulnerabilities that have been both widespread (see: BootHole, BlackLotus, both PDFs) and limited to motherboards from specific manufacturers (see: MSI, Gigabyte). Addressing the system's flaws isn't always a welcome development, either, since they have been exploited to allow people to install Windows 11 on systems lacking a Trusted Platform Module (TPM) 2.0, as they don't want to be stuck on Windows 10 but also don't want to buy new hardware.
It's easy to see the appeal of Secure Boot—making it more difficult to install bootkits should be a net positive. However, the looming hassle of dealing with this expiring key is just the latest in a series of frustrations that encourage people to either stick with Windows or disable Secure Boot entirely. Right now, many people opt for the former, but will that continue to be the case as the popularity of other platforms rises ahead of Windows 10's demise? And is Secure Boot, as it currently exists, prepared for that shift?
Follow Tom's Hardware on Google News to get our up-to-date news, analysis, and reviews in your feeds. Make sure to click the Follow button.
Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.
-
ezst036 What does one do to check if their UEFI/BIOS and their distro will be problematic in September?Reply -
bigdragon Where is this September expiration date coming from? The Microsoft UEFI CA 2011 certificate doesn't expire until June 2026.Reply
This really should be an easy transition. All Microsoft needs to do is use their KEK to sign a command to update Secure Boot with the new 2023 DB certificate. Yes, their 2011 KEK will expire in 2026 too, but we won't have to worry about this again until 2037. A firmware update is not needed to install the 2023 DB certificate -- only the 2023 KEK certificate. -
VerboortTech And this is a problem? Just clear out the default Microsoft keys, stick the public key for your favorite Linux vendor on a USB thumb drive, and register that key. As a side effect, this will prevent you from "accidentally" booting Windows by mistake.Reply -
jackt when win10 ends ? maybe ms hopes to prevent the migration to Linux, with some confusion ? making it harder to install linux ? they will release a new key with a little delay ? lol they are pathetic :LOL:Reply -
jackt Reply
disable secure boot in bios. but then u have to reinstall/refresh the bootloader ? idkezst036 said:What does one do to check if their UEFI/BIOS and their distro will be problematic in September?
edit: remove encryption before!
edit2: always backup anyway! -
hwertz Reply
To be honest that was my first thought too. I do think these signing keys were done up like 10 or 15 years ago though.jackt said:when win10 ends ? maybe ms hopes to prevent the migration to Linux, with some confusion ? making it harder to install linux ? they will release a new key with a little delay ? lol they are pathetic :LOL:
I will point out, the root certificate authorities for secure boot are Microsoft (for booting Windows again) and Microsoft again (a seperate root authority for signing 'other' things than Windows.) This isn't some industry spec, it's spec'ed by Microsoft and was implemented by vendors because they made it mandatory for 'designed for Windows 8' computers.
I'll note (besides the stated security reasons for Secure Boot), it was also originally a ploy by Microsoft to prevent installing other OSes on the PC you own. They originally did not have that second certificate authority, no plans to sign bootloaders etc. as they do now, and being able to go into setup and add keys was optional (and in reality the expectation was that systems would probably just 'neglect' to implement this). See the original Surface RT (from around 2012)... you could run Windows RT and only Windows RT on it because of SecureBoot being implemented to Microsoft's original specifications. Someone actually just sorted out a way to get a better OS on these within the last couple years -- the Nintendo Switch and the Surface both use Nvidia Tegra ARM CPUs and some Switch exploit turned out to work on the Surface.