Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a ke [...]
  • SayCyberOnceMore@feddit.ukEnglish
    2·
    12 hours ago

    So, if I’ve not had a UEFI update in <years> to update the Secureboot cert, wouldn’t this affect any OS? Ie Windows too?

  • IHave69XiBucks@lemmygrad.ml
    8·
    21 hours ago

    There are very few times i will come out with something positive to say about a company, but i do have to say i have a Dell laptop from 2020, and to this day i get regular firmware updates via the gnome application storefront’s update utility from Dell. It is an enterprise machine that was originally sold with Ubuntu as an option which i believe is why. I don’t run Ubuntu but they just push the updates out to all linux distros that check for them i think. It’s really nice to have i just download it, reboot, and it installs the update in a few seconds. I even get to look at my pretty plymouth splash screen while it installs. So hopefully I’ll have the new key from that.

    • med@sh.itjust.worksEnglish
      7·
      14 hours ago

      The answer as always is, it depends.

      Not all implementations rely on shim.

      if you set up secureboot without doing anything more than instaling the OS… yeah probably it is true. Edit: e.g. GRUB2 generally relies on shim. sysemd-boot doesn’t

      I haven’t checked the specific key that signs shim to confirm the expiration date, but there generally is a date, as we’re talking about certs and keys here.

      Edit 2: Basically what this article is saying is that the machines will need a new platform key (mited in 2023) enrolled in the tpms, with often comes from the firmware (when tpms are wiped for initial enrollment of a new install/setup, they tend to enroll whatever platform keys from microsoft are baked in to the uefi firmware).

      So basically, if you haven’t had a bios/uefi firmware update since 2022, there’s no way for you to have have the new key trusted by your tpm, and the whole chain of trust falls apart when the key you do have expires. So you’ll need to disable secureboot. If you use shim and/or the microsoft platform key in someway.