What about custom keys?

Posted Jul 16, 2025 18:53 UTC (Wed) by das_j (subscriber, #143082)
Parent article: Linux and Secure Boot certificate expiration

> Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a key from Microsoft that is set to expire in September

That sounds like a really general statement which is surprising to me. I'm not sure how this is handled on other distributions, but for NixOS, for example, people mostly use sbctl to upload the keys to the UEFI. Is that not more common?

What about custom keys?

Posted Jul 16, 2025 19:11 UTC (Wed) by daroc (editor, #160859) [Link]

I have locally generated SecureBoot keys that I use on my computers, but my anecdotal impression is that it's not common. For the first decade or so that I used Linux, I relied on whatever it was my distribution was doing by default.

For the case of installers, though, it's sort of a chicken and egg problem, and an additional barrier to new users who may not be familiar with all the details.

What about custom keys?

Posted Jul 16, 2025 19:20 UTC (Wed) by heftig (subscriber, #73632) [Link]

No, it's rare. The overwhelming number of Linux installs with Secure Boot enabled use the shim because it does not require the user to put the system into Secure Boot's setup mode.

What about custom keys?

Posted Jul 21, 2025 20:01 UTC (Mon) by kelnos (subscriber, #174370) [Link]

I expect not. The vast majority of people likely just use the pre-signed shim provided by their distro and don't bother with it. I know I don't bother with it.