
Microsoft's UEFI signing key, the one most Linux distributions rely on for Secure Boot, is set to expire in September, potentially causing boot problems for Linux users.

A replacement key was issued in 2023, but there are concerns about how many devices will have it enrolled in their firmware before the original key stops being used.

On September 11, 2025, the Microsoft Secure Boot signing key that many Linux distributions depend on for Secure Boot support will expire. On devices that do not receive a timely firmware update carrying the replacement key, this could mean boot failures, or no way to boot Linux with Secure Boot enabled, without manual intervention by the user[1][2][3].

Secure Boot is a UEFI firmware feature that allows only software signed by a key the firmware trusts to run during startup. Microsoft's signing key matters because it is the one that nearly all shipping firmware trusts out of the box, and the shim bootloaders that Linux distributions use to support Secure Boot are signed with it[1][2]. Once that key is retired, the firmware must have the replacement key enrolled in order to validate bootloaders signed with it. Where that enrollment does not happen or is not available, a Linux system with Secure Boot enabled may refuse to boot, or may boot only with Secure Boot switched off[1][2].

The replacement key already exists, but getting it onto devices depends on OEMs (original equipment manufacturers) shipping firmware updates that enroll it. Without such updates, users may have to disable Secure Boot to boot Linux at all, losing the protection it provides against bootkits and other pre-OS malware[1][2].

Ubuntu developers have acknowledged the issue, noting that on some systems the firmware update is applied transparently, while others require manual steps, such as entering a recovery key when the TPM or firmware state changes during the update. Dual-boot systems with Windows BitLocker may also need extra steps whenever the firmware or the Secure Boot databases (such as the forbidden-signature database, DBX) are updated[4]: BitLocker's TPM-sealed key is bound by default to the Secure Boot state measured into PCR 7, so changing those databases triggers a recovery prompt unless BitLocker is suspended beforehand.

The looming hassle of the expiring key is the latest in a series of frustrations that push some users to stick with Windows or to disable Secure Boot entirely. Fixes for past Secure Boot weaknesses, such as the BootHole flaw in GRUB2, the BlackLotus bootkit, and problems confined to particular motherboard vendors like MSI and Gigabyte, have typically arrived as firmware updates and DBX revocations, and those have not always been welcome for distributors and users alike[1][2][3][4].

Secure Boot is a security standard developed by members of the PC industry to ensure that a device boots using only software trusted by the manufacturer. It is part of the Unified Extensible Firmware Interface (UEFI), which replaced the legacy Basic Input/Output System (BIOS) on modern systems[1]. Some Linux distributions and FreeBSD chose to build their Secure Boot support on top of Microsoft's signing infrastructure by way of a "shim", a small first-stage bootloader that Microsoft signs and that in turn verifies the distribution's own bootloader and kernel[1].

LWN reported that Microsoft will stop using the expiring key to sign the shim in September. UEFI firmware does not generally check certificate expiry dates, so shims already signed with the old key keep booting on firmware that still trusts it; the problem arises with shims signed only with the new key, which firmware that has not enrolled the 2023 certificate will reject. Manufacturers can add support for the new key either by distributing a full firmware update or by pushing an update to the Key Exchange Key (KEK) database, which is what authorizes subsequent signed updates to the db and DBX databases[1]. Extra work may be required from distributors and users to keep Secure Boot working after September[1].
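Whether a given machine is affected comes down to the contents of its Secure Boot databases: the authorized-signature database (db) that the firmware checks bootloaders against, and the KEK that authorizes updates to it. The script below is an added example (not code from the article, LWN, or any distribution) that parses the EFI_SIGNATURE_LIST format those variables use, strips the 4-byte attribute prefix that efivarfs puts in front of every variable, and reports whether the replacement "Microsoft UEFI CA 2023" certificate is present. The variable paths and signature-type GUIDs are from the UEFI specification; the owner GUID, the placeholder certificate bodies and the sample database are constructed for the example and are not real DER certificates. The subject check is a substring search on the DER body, which works because the CN is stored as a plain PrintableString, but it is a heuristic, not a certificate parser.

```python
"""Inspect a UEFI Secure Boot signature database (db, dbx or KEK) and report
which X.509 CAs it holds. Added example; the sample data below is constructed."""
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# db lives under EFI_IMAGE_SECURITY_DATABASE_GUID, KEK under EFI_GLOBAL_VARIABLE.
DB_EFIVAR = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
KEK_EFIVAR = "/sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
ESL_HEADER = struct.Struct("<16sIII")


def read_efivar(path):
    """Return the variable payload; efivarfs prefixes 4 bytes of attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]


def parse_signature_lists(blob):
    """Walk concatenated EFI_SIGNATURE_LIST structures and return a list of
    (signature_type, owner, data) for every EFI_SIGNATURE_DATA entry.
    Raises ValueError on a truncated or inconsistent list."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        raw_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=raw_type)
        body_start = off + ESL_HEADER.size + hdr_size
        end = off + list_size
        if end > len(blob) or body_start > end or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        if (end - body_start) % sig_size:
            raise ValueError("signature size does not divide list body at offset %d" % off)
        for pos in range(body_start, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])  # SignatureOwner
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
        off = end
    return entries


def x509_subject_matches(entries, needle):
    """Owner GUIDs of X.509 entries whose DER body contains `needle`.
    Heuristic: the subject CN is a PrintableString, so a byte search finds it."""
    needle = needle.encode("ascii")
    return [owner for sig_type, owner, data in entries
            if sig_type == EFI_CERT_X509_GUID and needle in data]


def summarize(entries):
    """Count entries per signature type, e.g. {'x509': 2, 'sha256': 1}."""
    names = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
    counts = {}
    for sig_type, _, _ in entries:
        name = names.get(sig_type, str(sig_type))
        counts[name] = counts.get(name, 0) + 1
    return counts


def build_signature_list(sig_type, owner, items):
    """Encode one EFI_SIGNATURE_LIST; every entry in a list has the same size."""
    sig_size = 16 + len(items[0])
    if any(len(i) != sig_size - 16 for i in items):
        raise ValueError("entries in one list must be the same size")
    body = b"".join(owner.bytes_le + i for i in items)
    return ESL_HEADER.pack(sig_type.bytes_le, ESL_HEADER.size + len(body), 0, sig_size) + body


def db_trusts_2023_ca(blob):
    """True if the database carries the replacement 'Microsoft UEFI CA 2023'."""
    return bool(x509_subject_matches(parse_signature_lists(blob), "Microsoft UEFI CA 2023"))


# Constructed sample db: a made-up owner GUID, two placeholder "certificates"
# that carry only the ASCII subject names (not real DER), and one SHA-256 hash.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_DB = (
    build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER,
                         [b"\x30\x82placeholder CN=Microsoft Corporation UEFI CA 2011"])
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER,
                           [b"\x30\x82placeholder CN=Microsoft Windows Production PCA 2011"])
    + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [bytes(range(32))])
)

if __name__ == "__main__":
    try:
        blob, source = read_efivar(DB_EFIVAR), DB_EFIVAR  # real db on a UEFI Linux host
    except OSError:
        blob, source = SAMPLE_DB, "constructed sample"
    entries = parse_signature_lists(blob)
    print(source, summarize(entries))
    for name in ("Microsoft Corporation UEFI CA 2011", "Microsoft UEFI CA 2023"):
        print("%-36s %s" % (name, "present" if x509_subject_matches(entries, name) else "absent"))
```

Run on a live system it reads the real db; point `read_efivar` at `KEK_EFIVAR` instead to see whether the 2023 KEK that authorizes the db update has arrived. `mokutil --db` and `mokutil --kek` print the same lists with full certificate details, and `mokutil --sb-state` confirms whether Secure Boot is enforcing at all. A machine whose db lacks the 2023 CA will keep booting shims signed with the 2011 key but will reject shims signed only with the new one.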

As other platforms gain users ahead of Windows 10's end of support, addressing these problems is likely to matter more and more to the PC industry and to Linux users alike[1]. It is unclear whether Secure Boot, as it exists today, is ready for that shift[1].

References:

[1] LWN.net. (2022). Microsoft to retire Secure Boot key in 2025. Retrieved from https://lwn.net/Articles/874275/

[2] ZDNet. (2021). Microsoft's Secure Boot key expires in 2025, and Linux users might face boot failures. Retrieved from https://www.zdnet.com/article/microsofts-secure-boot-key-expires-in-2025-and-linux-users-might-face-boot-failures/

[3] Ars Technica. (2021). Microsoft's Secure Boot key expires in 2025, and Linux users might face boot failures. Retrieved from https://arstechnica.com/information-technology/2021/09/microsofts-secure-boot-key-expires-in-2025-and-linux-users-might-face-boot-failures/

[4] Ubuntu Forums. (2021). Secure Boot and Microsoft's expiring signing key. Retrieved from https://ubuntuforums.org/showthread.php?t=2485384
