
Old hardware?


Posted Jul 18, 2025 4:55 UTC (Fri) by pabs (subscriber, #43278)
Parent article: Linux and Secure Boot certificate expiration

What happens with old hardware where the vendor isn't in LVFS and no longer provides any manual firmware updates?

Will Microsoft be providing per-vendor KEK updates to LVFS for those devices?

Or will such folks just have to boot in BIOS mode, or with Secure Boot disabled, if they can do that and can figure out how to do that?

Distros generally don't enable dual BIOS + UEFI booting on installed systems, so there are going to be a number of confused folks at some point.


Old hardware?

Posted Jul 18, 2025 13:57 UTC (Fri) by pjones (subscriber, #31722) (1 response)

> What happens with old hardware where the vendor isn't in LVFS and no longer provides any manual firmware updates?

Microsoft is sharing their partners' certificate updates with us for both the vendor-signed KEK updates and the MS KEK-signed db updates. So for the vendors that are competent enough to actually be able to sign KEK updates, and therefore don't need firmware updates for that, those will still be in LVFS even if the vendor doesn't provide firmware updates there.

Old hardware?

Posted Jul 18, 2025 23:39 UTC (Fri) by pabs (subscriber, #43278)

So hardware with vendors who went out of business before now, or with incompetent vendors, will need to disable SecureBoot permanently. And hardware that wasn't updated before the expiry will need to temporarily disable SecureBoot to do the update, and then re-enable it. Is that correct?

Old hardware?

Posted Jul 19, 2025 8:30 UTC (Sat) by linuxtardis (guest, #178362)

You may still be able to manually load the new Microsoft KEK into UEFI through the Setup UI even without it being signed by the vendor's platform key. In [1] they have the KEK certificate ("Microsoft Corporation KEK 2K CA 2023") and the Owner GUID that has to be entered into UEFI. I remember doing something similar to make my ThinkPad trust some helper utilities signed by me (I had to add my own signing key to the laptop's UEFI "db").

You may also be able to install the new "db" certificate that Microsoft will likely use to sign shim in the future. In [1] it is the "Microsoft UEFI CA 2023" certificate. This is IMO the more important certificate in the short-term, as adding it will allow you to run newly signed bootloaders. Luckily, this is also the certificate that LVFS can potentially update even without the help from vendors. This is because the update package for this certificate is already published and is signed by the old, commonly trusted Microsoft KEK (see [2]).

[1]: https://learn.microsoft.com/en-us/windows-hardware/manufa...
[2]: https://github.com/microsoft/secureboot_objects/blob/main...
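The manual enrolment described in the post above comes down to handing the firmware an EFI_SIGNATURE_LIST containing the new certificate with the right SignatureOwner GUID, and then checking that KEK and db actually hold what you expect. The script below is an added example, not code from the thread or from the Microsoft repository: it packs a DER certificate into the EFI_SIGNATURE_LIST/EFI_SIGNATURE_DATA layout (the format efitools' efi-updatevar consumes and the format the firmware stores, whether the Setup UI accepted a .cer or an .esl file), and parses the db/KEK variable bodies back out so you can list every entry's owner GUID and SHA-256 fingerprint. The DER blob in the test is a constructed placeholder, not a real certificate; the Microsoft owner GUID is the one Microsoft publishes for its Secure Boot objects and should be cross-checked against reference [1] before use.

```python
"""Build and inspect UEFI Secure Boot signature lists (EFI_SIGNATURE_LIST).

Added example, not part of the LWN thread. Packs a DER certificate into the
structure firmware expects when a KEK or db entry is enrolled, and walks the
db/KEK variable body to show which certificates and owner GUIDs it contains.
"""
import hashlib
import struct
import uuid
from typing import List, NamedTuple

# EFI_CERT_X509_GUID: signature type for a single DER X.509 certificate.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Microsoft's published SignatureOwner GUID; verify it against reference [1]
# before enrolling anything (it is not stated on the page itself).
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
# Variable GUIDs: db lives under EFI_IMAGE_SECURITY_DATABASE_GUID, KEK under
# EFI_GLOBAL_VARIABLE_GUID, so the efivars file names are
#   db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
#   KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c

# EFI_SIGNATURE_LIST header: SignatureType (GUID), then three little-endian
# UINT32s: SignatureListSize, SignatureHeaderSize, SignatureSize.
_ESL_HDR = struct.Struct("<16sIII")


class Signature(NamedTuple):
    sig_type: uuid.UUID
    owner: uuid.UUID
    data: bytes

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.data).hexdigest()


def build_x509_esl(der_cert: bytes, owner: uuid.UUID) -> bytes:
    """Wrap one DER certificate in an EFI_SIGNATURE_LIST.

    Each EFI_SIGNATURE_DATA entry is SignatureOwner (16 bytes) + SignatureData.
    For X.509 lists SignatureHeaderSize is 0 and there is exactly one entry.
    """
    sig_data = owner.bytes_le + der_cert
    hdr = _ESL_HDR.pack(
        EFI_CERT_X509_GUID.bytes_le,
        _ESL_HDR.size + len(sig_data),  # SignatureListSize
        0,                              # SignatureHeaderSize
        len(sig_data),                  # SignatureSize
    )
    return hdr + sig_data


def parse_esls(blob: bytes) -> List[Signature]:
    """Walk a concatenation of EFI_SIGNATURE_LISTs (a db or KEK variable body)."""
    out: List[Signature] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _ESL_HDR.size:
            raise ValueError(f"truncated ESL header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = _ESL_HDR.unpack_from(blob, off)
        if list_size < _ESL_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= 16:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        sig_type = uuid.UUID(bytes_le=type_raw)
        body_start = off + _ESL_HDR.size + hdr_size
        body_len = list_size - _ESL_HDR.size - hdr_size
        if body_len % sig_size:
            raise ValueError(f"signature area not a multiple of SignatureSize at {off}")
        for s in range(body_start, body_start + body_len, sig_size):
            entry = blob[s:s + sig_size]
            out.append(Signature(sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]))
        off += list_size
    return out


def strip_efivar_attributes(raw: bytes) -> bytes:
    """Files under /sys/firmware/efi/efivars/ carry a 4-byte attribute prefix."""
    if len(raw) < 4:
        raise ValueError("efivars file too short")
    return raw[4:]


def load_variable(path: str) -> List[Signature]:
    """Parse an efivars file such as the db or KEK variable named above."""
    with open(path, "rb") as fh:
        return parse_esls(strip_efivar_attributes(fh.read()))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:                      # inspect a live variable
        sigs = load_variable(sys.argv[1])
    else:                                       # demo on a constructed blob
        fake_cert = b"\x30\x82\x00\x10" + bytes(range(16))   # not a real DER cert
        sigs = parse_esls(build_x509_esl(fake_cert, MICROSOFT_OWNER_GUID))
    for sig in sigs:
        print(f"type={sig.sig_type} owner={sig.owner} len={len(sig.data)} sha256={sig.sha256}")
```

Running it with `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` as the argument lists what the firmware currently trusts; write `sig.data` of an X.509 entry to a file and `openssl x509 -inform der -noout -subject -enddate` on it tells you whether the 2011 or the 2023 Microsoft CA is present and when it expires. To produce an enrolment file, feed `build_x509_esl()` the DER certificate downloaded from [1] and the owner GUID from the same page.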


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds