Installers

Posted Jul 17, 2025 11:00 UTC (Thu) by jengelh (guest, #33263)
In reply to: Installers by comex
Parent article: Linux and Secure Boot certificate expiration

Shouldn't firmwares allow you to manually input keys? Then you could add a current one, and then boot off a current OS.


Installers

Posted Jul 18, 2025 6:50 UTC (Fri) by kraxel (subscriber, #49444)

Some firmwares offer that functionality somewhere in the firmware setup menus. Others do not. And even for those that do, there is no standard way to do so, so it is pretty hard to support that workflow.

BTW: Microsoft has released signed DB updates which add the 2023 code signing keys meanwhile.
https://github.com/microsoft/secureboot_objects/tree/main...
They are signed with the old (2011) KEK key, so there is no need to enroll the new (2023) KEK key to apply those updates.

These can be applied by standard EFI variable updates, using the efi-updatevar utility for example. I expect fwupd will support that soon too.
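
Added example (not part of the comments above, and not code from efitools or fwupd): a way to check whether a db update actually landed, by parsing the EFI_SIGNATURE_LIST chain stored in the `db` variable and looking for a certificate by a string in its DER bytes. The function names, the owner GUID and the sample blob are assumptions constructed for illustration; the payloads are placeholders, not real certificates.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
KINDS = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}

def parse_esl(data):
    """Yield (kind, owner_guid, payload) for each entry in a chain of EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or sig_size <= 16 or off + list_size > len(data):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = data[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]  # 16-byte owner GUID, then the signature data
            yield KINDS.get(sig_type, str(sig_type)), uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size

def db_has_cert(efivar_blob, needle):
    """True if any X.509 entry contains `needle` (e.g. a subject CN) in its DER bytes."""
    esl = efivar_blob[4:]  # efivarfs prefixes the value with 4 attribute bytes
    return any(k == "x509" and needle in p for k, _, p in parse_esl(esl))

def make_esl(sig_type, owner, payload):
    """Build a one-entry list; used only to construct the sample data below."""
    size = 28 + 16 + len(payload)
    return sig_type.bytes_le + struct.pack("<III", size, 0, 16 + len(payload)) + owner.bytes_le + payload

# Constructed sample: attribute bytes followed by three one-entry lists.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # hypothetical owner GUID
SAMPLE_DB = (b"\x27\x00\x00\x00"
             + make_esl(EFI_CERT_X509_GUID, OWNER, b"...CN=Example CA 2011...")
             + make_esl(EFI_CERT_X509_GUID, OWNER, b"...CN=Example CA 2023...")
             + make_esl(EFI_CERT_SHA256_GUID, OWNER, bytes(32)))

if __name__ == "__main__":
    for kind, owner, payload in parse_esl(SAMPLE_DB[4:]):
        print(kind, owner, len(payload))
    print("2023 entry present:", db_has_cert(SAMPLE_DB, b"Example CA 2023"))
```

On a running Linux system the same functions can be pointed at the contents of `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f`, read as bytes before and after applying an update.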


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds