Microsoft's Secure Boot UEFI bootloader signing key expires in September, posing problems for Linux users

Key on computer chip
(Image credit: Shutterstock)

Linux users may face yet another hurdle related to Secure Boot when the Microsoft-signed key used by many distributions to support the firmware-based security feature expires on September 11, leaving users dependent on OEMs to distribute a replacement through a firmware update that some systems may never receive.

Let's start with a quick overview of what Secure Boot is. It's part of the Unified Extensible Firmware Interface (UEFI) that has replaced the Basic Input/Output System (BIOS) on modern systems. (Although it's still often referred to as the BIOS by enthusiasts and manufacturers.) Microsoft's knowledge base article about the feature explains that it "is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the [manufacturer]."

It's easy to see the appeal of Secure Boot—making it more difficult to install bootkits should be a net positive. However, the looming hassle of dealing with this expiring key is just the latest in a series of frustrations that encourage people to either stick with Windows or disable Secure Boot entirely. Right now, many people opt for the former, but will that continue to be the case as the popularity of other platforms rises ahead of Windows 10's demise? And is Secure Boot, as it currently exists, prepared for that shift?


Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • usertests
    A trash system that was always intended to embrace, extend, and extinguish.
  • DS426
    Microsoft's Secure Boot key expires on 9-11? I don't know if that's irony or not...
  • ezst036
    What does one do to check if their UEFI/BIOS and their distro will be problematic in September?
  • S58_is_the_goat
    Linux user: time to switch to windows I guess...
  • bigdragon
    Where is this September expiration date coming from? The Microsoft UEFI CA 2011 certificate doesn't expire until June 2026.

    This really should be an easy transition. All Microsoft needs to do is use their KEK to sign a command to update Secure Boot with the new 2023 DB certificate. Yes, their 2011 KEK will expire in 2026 too, but we won't have to worry about this again until 2037. A firmware update is not needed to install the 2023 DB certificate -- only the 2023 KEK certificate.
  • VerboortTech
    And this is a problem? Just clear out the default Microsoft keys, stick the public key for your favorite Linux vendor on a USB thumb drive, and register that key. As a side effect, this will prevent you from "accidentally" booting Windows by mistake.
  • hwertz
    Thank goodness I disabled secure boot.
  • jackt
    When Win10 ends? Maybe MS hopes to prevent the migration to Linux with some confusion? Making it harder to install Linux? They will release a new key with a little delay? lol, they are pathetic :LOL:
  • jackt
    ezst036 said:
    What does one do to check if their UEFI/BIOS and their distro will be problematic in September?
    Disable Secure Boot in the BIOS. But then you have to reinstall/refresh the bootloader? idk
    edit: remove encryption before!
    edit2: always backup anyway!
  • hwertz
    jackt said:
    When Win10 ends? Maybe MS hopes to prevent the migration to Linux with some confusion? Making it harder to install Linux? They will release a new key with a little delay? lol, they are pathetic :LOL:
    To be honest that was my first thought too. I do think these signing keys were done up like 10 or 15 years ago though.

    I will point out, the root certificate authorities for secure boot are Microsoft (for booting Windows again) and Microsoft again (a separate root authority for signing 'other' things than Windows.) This isn't some industry spec, it's spec'ed by Microsoft and was implemented by vendors because they made it mandatory for 'designed for Windows 8' computers.

    I'll note (besides the stated security reasons for Secure Boot), it was also originally a ploy by Microsoft to prevent installing other OSes on the PC you own. They originally did not have that second certificate authority, no plans to sign bootloaders etc. as they do now, and being able to go into setup and add keys was optional (and in reality the expectation was that systems would probably just 'neglect' to implement this). See the original Surface RT (from around 2012)... you could run Windows RT and only Windows RT on it because of Secure Boot being implemented to Microsoft's original specifications. Someone actually just sorted out a way to get a better OS on these within the last couple years -- the Nintendo Switch and the Surface both use Nvidia Tegra ARM CPUs and some Switch exploit turned out to work on the Surface.