Expiring Microsoft Secure Boot UEFI signing key in September may cause complications for Linux system users
A significant development is looming for Linux users who rely on Secure Boot, a UEFI firmware feature that allows only trusted software to load during computer startup. Most Windows PCs ship with firmware that trusts Microsoft's Secure Boot signing keys by default, and many Linux distributions have relied on the Microsoft-signed "shim" bootloader to work with Secure Boot.
The critical issue is that the Microsoft Secure Boot UEFI bootloader signing key used to sign the Linux shim bootloaders is set to expire on September 11, 2025. Once the old key expires, Linux systems could fail to boot.
Systems that rely on the expired key will fail to boot Linux distributions that use Secure Boot with the old Microsoft signing key unless the firmware is updated to trust a new key. There is pressure on Linux distribution maintainers, hardware OEMs, and users to manage this transition to updated Secure Boot keys. Without proper firmware updates or key renewal, Linux systems may become unbootable with Secure Boot enabled.
Microsoft issued a new Secure Boot key in 2023, but many systems may not have received firmware updates that incorporate it, so Linux could fail to boot on those machines when the old key expires. Linux distributions and open-source developers will need to ensure their signed components are trusted under the updated Microsoft certificates to maintain Secure Boot compatibility.
The installation and re-enabling of Linux could be affected in several ways. Installing new Linux distributions on Secure Boot–enabled systems may fail if the UEFI firmware does not recognize the signing key used. Re-enabling Linux on existing Secure Boot systems after the key expiration may require disabling Secure Boot (less secure), obtaining firmware updates that add the new key, or manual intervention such as enrolling new keys via UEFI firmware settings.
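Whether a machine's firmware already trusts a given certificate can be checked before the expiry by parsing the Secure Boot db variable and comparing the fingerprints of the enrolled X.509 certificates against the published fingerprint of the new CA. This is an added example, not code from the article: the sample db blob and owner GUID are constructed placeholders, and the expected fingerprint of Microsoft's 2023 CA must be taken from Microsoft's published certificate.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI spec; db is a chain of EFI_SIGNATURE_LISTs.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Linux exposes the live db here; the first 4 bytes are variable attributes.
EFIVARS_DB = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def parse_signature_lists(blob):
    """Return (type_guid, owner_guid, data) per entry; reject truncated input."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < 28 + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:  # entry = SignatureOwner GUID + SignatureData
            owner = uuid.UUID(bytes_le=bytes(blob[pos:pos + 16]))
            entries.append((sig_type, owner, bytes(blob[pos + 16:pos + sig_size])))
            pos += sig_size
        off = end
    return entries

def enrolled_x509_fingerprints(blob):
    """SHA-256 of each X.509 DER in db; compare with the CA's published value."""
    return {hashlib.sha256(d).hexdigest()
            for t, _, d in parse_signature_lists(blob) if t == EFI_CERT_X509_GUID}

def build_signature_list(sig_type, owner, sigs):
    """Encode one EFI_SIGNATURE_LIST (no SignatureHeader) of equal-size entries."""
    body = b"".join(owner.bytes_le + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(sigs[0])) + body

def read_db_from_efivars(path=EFIVARS_DB):
    """Read the live db variable and drop its 4-byte attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]

# CONSTRUCTED sample db: a fake DER blob standing in for a CA certificate and
# one SHA-256 hash entry, both under a placeholder owner GUID.
FAKE_CA_DER = b"\x30\x82\x01\x00" + b"\xab" * 60
OWNER = uuid.UUID("00000000-0000-0000-0000-00000000c0de")
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, OWNER, [FAKE_CA_DER])
             + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [b"\x11" * 32]))
```

On a real system, `enrolled_x509_fingerprints(read_db_from_efivars())` lists what the firmware currently trusts; if the new CA's fingerprint is absent, a firmware update or manual key enrollment is needed before Secure Boot can be kept enabled.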
This complex ecosystem issue involves collaboration between Microsoft, OEMs, Linux maintainers, and users to avoid widespread problems starting September 2025, with long-term Secure Boot certificate updates continuing to be relevant through at least mid-2026.
Whether Secure Boot can be re-enabled after Linux has been installed alongside or instead of Windows remains unclear. Some of the options above, such as relying on manufacturers to ship firmware updates across a wide range of products so that a small share of users can run Secure Boot with a non-Windows OS, may not work on all devices.
This issue, coupled with the ongoing challenges and vulnerabilities in Secure Boot, such as the BootHole, BlackLotus, and issues limited to specific motherboard manufacturers, adds to the frustrations that encourage people to either stick with Windows or disable Secure Boot entirely.
Some Linux distributions and FreeBSD have opted to use a "shim" to build their Secure Boot support on top of Microsoft's infrastructure. However, the rise of other platforms ahead of Windows 10's demise might change this trend, offering Linux users alternative options in the near future.