Linux users may face yet another hurdle related to Secure Boot when the Microsoft-signed key used by many distributions to support the firmware-based security feature expires on September 11, leaving users at the mercy of distribution from OEMs, and systems possibly not receiving a necessary firmware update.

As LWN reported (paywall), Microsoft will stop using the expiring key to sign the shim in September. “But the replacement key, which has been available since 2023, may not be installed on many systems; worse yet, it may require the hardware vendor to issue an update for the system firmware, which may or may not happen,” LWN said. “It seems that the vast majority of systems will not be lost in the shuffle, but it may require extra work from distributors and users.”

The report said manufacturers could add support for the new key in a full firmware update or by updating the KEK database. The former assumes that manufacturers would be interested in distributing a firmware update for a wide variety of products so a small percentage of their users could use Secure Boot with a non-Windows OS; the latter is an unproven mechanism that isn’t guaranteed to work on all devices. Both seem likely to leave at least some people to figure out a solution on their own.

  • hbar@lemmy.ml
    2 days ago

    So my old Lenovo x220 that started as Windows and since then I wiped and installed pop os with full disk encryption is going to have a problem?

    • icedterminal@lemmy.world
      1 day ago

      Secure boot will fail validation. You can still boot it anyway by disabling secure boot. You just lose a layer of security. You can manually sign boot files yourself and add the relevant certificate to the motherboard firmware database. Assuming it lets you.

      • hbar@lemmy.ml
        1 day ago

        I see, I’m just a novice at Linux and this seems complicated. Is there a good tutorial somewhere? Otherwise I might just disable secure boot