Secure boot can’t fail due to expired certificates if it’s already disabled…
All the more reason to buy your computers from companies that support Linux in the first place - like Slimbook and System 76.
I know System76 doesn’t support Secure boot. I’m not sure about Slimbook.
I wish they would ship a open UEFI implementation with customizable Secure boot keys.
Another thing to watch out for is fake third-party utilities that will claim they will fix this problem. Unless directly provided from an official Distro itself and is verified, be careful what you download and install.
This is a golden opportunity for malicious actors to get bad code into systems.
Nah, don’t use it. Secure boot is tainted by Microsoft 🤮
My bios doesn’t need to know what year it is
For you and me, that’s fine, but for little johnny first time, it’s adding friction and new points of failure that push the whole idea further away from their comfort zone.
It could be argued that Microsoft knows this and is deliberately weaponizing peoples insecurities to keep them in line.
Also, “Been available since 2023” means Microsoft gave distros 2-3 years to implement the new signing keys. Yet they’ll give themselves decades between signing and updating their own root certificates.
Example: on my work machine, “Microsoft RSA Root Certificate Authority 2017” is valid from 2019 to 2042. It’s valid for 25 years, but it took Microsoft 2 whole years to deploy the certificate within it’s own structure, specifically to get all the relevant sign-offs needed to issue the cert.
In case it helps: I just got an update for “Microsoft UEFI CA” on my computer running Fedora KDE 42, from “Firmware Updates (lvfs)”. Check your software centre.
Nit knowing secure boot all that well, why isn’t there an option in BIOS (I know, I know) to upload the new key manually? That really cannot be that hard…