The answer as always is, it depends.

Not all implementations rely on shim.

if you set up secureboot without doing anything more than instaling the OS… yeah probably it is true. Edit: e.g. GRUB2 generally relies on shim. sysemd-boot doesn’t

I haven’t checked the specific key that signs shim to confirm the expiration date, but there generally is a date, as we’re talking about certs and keys here.

Edit 2: Basically what this article is saying is that the machines will need a new platform key (mited in 2023) enrolled in the tpms, with often comes from the firmware (when tpms are wiped for initial enrollment of a new install/setup, they tend to enroll whatever platform keys from microsoft are baked in to the uefi firmware).

So basically, if you haven’t had a bios/uefi firmware update since 2022, there’s no way for you to have have the new key trusted by your tpm, and the whole chain of trust falls apart when the key you do have expires. So you’ll need to disable secureboot. If you use shim and/or the microsoft platform key in someway.

It’s real, but probably not an issue in practise.

If it does actually turn out to pose a problem, then just disable secure boot on those systems, not like it’s really securing anything at that point.