
Press X to doubt

Posted Jul 17, 2025 15:32 UTC (Thu) by pjones (subscriber, #31722)
In reply to: Press X to doubt by kraxel
Parent article: Linux and Secure Boot certificate expiration

You're right, but also the reason for this is that it's neither helpful nor at all reasonable for anything to check the validation windows on certs in Secure Boot, for two reasons.

One is that it doesn't help guarantee any security - the general threat being protected against is compromised administrative accounts escalating to have any of several more advanced forms of persistence. In that kind of attack, the attacker has total control of the clock. Also, RTCs drift quite badly or even reset sometimes without power, and often (especially on servers) need to be corrected during the first OS installation or boot.

But also it's not just OSes - if the validation window is honored, then on 27-Jun-2026 (or whenever an RTC drifts sufficiently during shipping) option ROMs on PCIe video cards, NICs, and HBAs all stop POSTing.

It'd be a total disaster.
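The trade-off described in the comment above, as an added illustration that is not part of the thread: a small Python model of a firmware verifier with and without validity-window enforcement, run over constructed boot scenarios (accurate clock after expiry, RTC reset after loss of power, tampered image, and a validly signed image presented with an attacker-chosen clock). The image names, the not-before date and the clock values are constructed assumptions; the 27-Jun-2026 expiry is the date mentioned in the comment. The cryptographic signature check is assumed to have already run and is represented by a boolean so the example stays offline and dependency-free.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SignedImage:
    """Constructed stand-in for a signed option ROM or boot loader."""
    name: str
    signature_valid: bool   # outcome of the signature check (assumed done already)
    not_before: datetime    # validity window of the signing certificate
    not_after: datetime


@dataclass(frozen=True)
class BootScenario:
    """One POST attempt: what the RTC reports plus the image being verified."""
    name: str
    firmware_clock: datetime
    image: SignedImage


def firmware_accepts(image: SignedImage, firmware_clock: datetime,
                     enforce_validity_window: bool) -> bool:
    """Model of the firmware's decision. Signature failure is always fatal;
    the validity window is only consulted when enforcement is switched on."""
    if not image.signature_valid:
        return False
    if enforce_validity_window:
        return image.not_before <= firmware_clock <= image.not_after
    return True


def run_scenarios(scenarios, enforce_validity_window: bool) -> dict:
    """Return {scenario name: accepted?} for the given policy."""
    return {
        s.name: firmware_accepts(s.image, s.firmware_clock, enforce_validity_window)
        for s in scenarios
    }


# Constructed signing certificate: not-before is invented, not-after is the
# 27-Jun-2026 date from the comment.
NOT_BEFORE = datetime(2011, 1, 1)
NOT_AFTER = datetime(2026, 6, 27)

GENUINE_NIC_ROM = SignedImage("nic-oprom", True, NOT_BEFORE, NOT_AFTER)
TAMPERED_NIC_ROM = SignedImage("nic-oprom-modified", False, NOT_BEFORE, NOT_AFTER)

SCENARIOS = [
    # A correct clock one day after expiry: a perfectly good card would stop POSTing.
    BootScenario("genuine ROM, accurate clock after expiry",
                 datetime(2026, 6, 28), GENUINE_NIC_ROM),
    # RTC lost power in shipping and reset far into the past: same card, same failure.
    BootScenario("genuine ROM, RTC reset after power loss",
                 datetime(2000, 1, 1), GENUINE_NIC_ROM),
    # Modified image: rejected by the signature check regardless of policy.
    BootScenario("tampered ROM, accurate clock",
                 datetime(2026, 6, 28), TAMPERED_NIC_ROM),
    # The threat the comment names: a compromised administrator already controls
    # the clock, so the expired-but-validly-signed image is simply presented with
    # a clock inside the window. The window check adds nothing here.
    BootScenario("genuine-signed image, attacker-set clock",
                 datetime(2020, 1, 1), GENUINE_NIC_ROM),
]


def availability_losses(enforce_validity_window: bool) -> int:
    """Number of scenarios where a genuine, validly signed image is rejected."""
    results = run_scenarios(SCENARIOS, enforce_validity_window)
    return sum(
        1 for s in SCENARIOS
        if s.image.signature_valid and not results[s.name]
    )


if __name__ == "__main__":
    for policy in (True, False):
        print(f"enforce_validity_window={policy}")
        for name, accepted in run_scenarios(SCENARIOS, policy).items():
            print(f"  {'boot' if accepted else 'REJECT':7} {name}")
        print(f"  genuine images rejected: {availability_losses(policy)}")
```

Running it shows the asymmetry the comment argues: with enforcement on, the two genuine-hardware scenarios fail to boot while the attacker-clock scenario still passes, so the policy costs availability and buys no security; with enforcement off, only the tampered image is rejected, which is exactly what the signature check alone already achieves.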


Press X to doubt

Posted Jul 19, 2025 13:51 UTC (Sat) by patrakov (subscriber, #97174)

I am not sure about the date. As far as I understand, option ROMs are signed using the same key as the shim.


Copyright © 2025, Eklektix, Inc.