Why?

Posted Jul 16, 2025 20:15 UTC (Wed) by mb (subscriber, #50428)
Parent article: Linux and Secure Boot certificate expiration

What problem does boot certificate expiration solve? Why do these keys expire at all?


Why?

Posted Jul 16, 2025 22:56 UTC (Wed) by NYKevin (subscriber, #129325) (7 responses)

The purpose of any certificate expiring is nearly always the same: To protect against undetected compromise of the secret key.

(If you don't consider key compromise a Bad Thing, then the certificate is objectively worthless and provides no benefit, so you should not be checking it in the first place.)

Why?

Posted Jul 17, 2025 4:57 UTC (Thu) by kraxel (subscriber, #49444)

In the firmware context the problem is that there is no time source available (other than the CMOS real-time clock, which can be changed easily). So, yes, expiring certificates don't make much sense in this specific case. You can't create X.509 certificates without an expiry date though, so the firmware just turns off time checks instead.
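An added example, not from the thread or any firmware project, that shows the point above with Go's standard library: the same signing certificate, whose window ended in 2023, fails a strict date check but verifies when the checker pins "now" inside the validity window, which is effectively what firmware without a trustworthy clock does. All names, dates and keys are constructed for the sample.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate whose 12-year window (2011 to 2023) has already ended and signs it
// with key under parent (nil = self-signed). Constructed sample, not the real Microsoft UEFI CAs.
func issue(serial int64, cn string, ku x509.KeyUsage, parent *x509.Certificate, key *ecdsa.PrivateKey) *x509.Certificate {
	nb := time.Date(2011, 6, 27, 0, 0, 0, 0, time.UTC)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: nb.AddDate(12, 0, 0), KeyUsage: ku,
		IsCA: parent == nil, BasicConstraintsValid: parent == nil,
	}
	if parent == nil {
		parent = t
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// makeChain builds a throwaway root CA and a signer under it (one key for both, for brevity).
func makeChain() (ca, leaf *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca = issue(1, "Example Root CA (constructed)", x509.KeyUsageCertSign, nil, key)
	leaf = issue(2, "Example Signer (constructed)", x509.KeyUsageDigitalSignature, ca, key)
	return ca, leaf
}

// verifyAt validates leaf against ca as of time at (zero = now, i.e. a strict date check).
// Pinning at inside the window models firmware that skips date checks for lack of a trusted clock.
func verifyAt(ca, leaf *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err
}
```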

Why?

Posted Jul 17, 2025 6:17 UTC (Thu) by mb (subscriber, #50428) (3 responses)

Well, but does the expiration really solve anything in the context of booting the machine?

The key is not compromised but expired -> My machine is broken. -> Obviously bad.

The key is compromised and expired -> My machine is broken -> Why is that better than booting the machine with a compromised key? It could show a warning about the expired key after booting instead. That would be useful for the user. But a broken machine is pretty much worst-case useless and it basically protects me from nothing. A compromised key is *far* from an actually compromised machine.

Bricking the device at a specific expiry date is just a ticking time bomb.

(The problem with the clock has already been addressed in a parallel post. Thanks!)

Why?

Posted Jul 19, 2025 7:50 UTC (Sat) by epa (subscriber, #39769) (2 responses)

As I understand it from the article, the device doesn't become bricked when the certificate expires, but you can no longer change the OS that gets booted. (Though I don't understand why it's so.)

Why?

Posted Jul 19, 2025 19:58 UTC (Sat) by raven667 (subscriber, #5198) (1 response)

At the risk of getting this completely wrong because I didn't go back and re-read all the surrounding context: the firmware doesn't care about the validity timestamps because it's not expected to have a reliable way to know what time it really is, but I think the issue is that new OS kernels will be signed by the 2023 key and not the 2011 key, so any system which only has the 2011 key and does not get updated to also have the 2023 key isn't going to be able to verify new things that are only signed by the 2023 key. The hardware vendor has their own key and can sign an update using their key to include the new 2023 key so both old and new stuff can be validated, and Microsoft has signed an update for the 2023 key with the 2011 key so systems can validate it to load that key into the firmware key store, but at some point systems will need to be booted into the firmware EFI environment to add the key, if they want to keep the Secure Boot validation feature enabled and use new software or new add-in cards with EFI option ROMs.

If I've got the details wrong maybe someone will correct me ;-). My workstation already has 2023 keys according to the Firmware app, as the vendor is still issuing updates which I apply regularly from LVFS. I'll have to check my personal machines though, which I'll get around to eventually.

Why?

Posted Jul 21, 2025 8:12 UTC (Mon) by taladar (subscriber, #68407)

> Microsoft has signed an update for the 2023 key with the 2011 key

Wouldn't that make expiry even more pointless than it already is with a 12 year expiry time?

Why?

Posted Jul 17, 2025 8:45 UTC (Thu) by epa (subscriber, #39769)

If the certificate expires after a short time then it does provide some protection against the secret key being leaked. But after ten years? If the key were compromised then you could have years left to run. There's no way that could be adequate protection, if the key is guarding anything important.

Personal computing devices have a short lifespan and many could be nearly obsolete at ten years old. It would make more sense for the life of the certificate to match the life of the device. If you are still using the device after a couple of decades, it's clearly a museum piece by that point, and no purpose is served by having a certificate expire so you can no longer change the OS.

Why?

Posted Jul 17, 2025 15:00 UTC (Thu) by jem (subscriber, #24231)

I would say a more important reason for expiration is to protect against insecure algorithms. When issuing a certificate, you never know what the world looks like in five years, but if you don't limit the validity you can be sure the certificate is still in use after 10 years. Without an expiration date on certificates, we'd still have valid 512-bit certificates.

Why?

Posted Jul 17, 2025 18:03 UTC (Thu) by wtarreau (subscriber, #51152)

> What problem does boot certificate expiration solve? Why do these keys expire at all?

How do you want to force end-users to replace their hardware nowadays without this? Hardware vendors are starving; 10+ year-old PCs are still very common in the field everywhere users just need something to access the net to check their bank account and do a few simple things (and who don't need Windows 11, which already tried to force them to upgrade the PC until they realized they were still on Windows 7 and have no care for programmed obsolescence).


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds