by ChocolateGod 3 hours ago
IIRC UEFI firmware does not check the expiry date; it doesn't care that the certificate has expired at all. There's no risk of any existing .efi binaries suddenly not loading.

The issue seems to be that Microsoft will refuse to sign anything new with the expiring certificate (which is correct behaviour), so any UEFI firmware that hasn't got the new certificate will refuse newly signed bootloaders.

I don't see anything wrong with this scenario; it's on distros to properly make sure they're distributing Secure Boot certificate updates.

Edit: Apparently RHEL will even refuse to install a 2023-signed shim if the firmware lacks the certificate for it.


> Apparently RHEL will even refuse to install a 2023-signed shim if the firmware lacks the certificate for it.

Why is that? RHEL's own blog post described that RHEL is distributing a dual-signed shim, signed with both the 2011 and 2023 certificates, so that it works either way, with only 2011 present or only 2023.
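One way to check from Linux whether a machine's firmware already carries the 2023 CA that the comments above depend on, as an added example that is not from either commenter: it parses the EFI_SIGNATURE_LIST entries in the Secure Boot db variable and reports the SHA-256 of any X.509 entry whose DER contains a given CA name. Assumptions: efivarfs is mounted at /sys/firmware/efi/efivars (the db variable GUID is EFI_IMAGE_SECURITY_DATABASE_GUID), the third-party CA's common name is "Microsoft UEFI CA 2023", and matching by a substring of the DER is a heuristic rather than a real X.509 parse; SAMPLE_DB is constructed with fake certificate blobs so the parser can be exercised offline.

```python
"""Look for a named CA in a UEFI Secure Boot 'db' variable (EFI_SIGNATURE_LIST format)."""
import hashlib
import struct
import uuid

# EFI_CERT_X509_GUID: signature type for DER X.509 certificates in db/dbx
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Assumed efivarfs path: variable name + EFI_IMAGE_SECURITY_DATABASE_GUID
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def parse_signature_lists(data: bytes):
    """Yield (signature_type, owner, signature_data) from concatenated EFI_SIGNATURE_LISTs."""
    pos = 0
    while pos + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[pos:pos + 16])  # EFI GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, pos + 16)
        if list_size < 28 or sig_size < 16 or pos + list_size > len(data):
            raise ValueError("malformed or truncated EFI_SIGNATURE_LIST")
        cur = pos + 28 + hdr_size
        while cur + sig_size <= pos + list_size:
            owner = uuid.UUID(bytes_le=data[cur:cur + 16])  # SignatureOwner precedes the data
            yield sig_type, owner, data[cur + 16:cur + sig_size]
            cur += sig_size
        pos += list_size

def x509_certs(data: bytes):
    return [der for sig_type, _, der in parse_signature_lists(data) if sig_type == EFI_CERT_X509_GUID]

def find_ca(data: bytes, common_name: bytes):
    """SHA-256 hex digests of X.509 entries whose DER contains common_name (heuristic CN match)."""
    return [hashlib.sha256(der).hexdigest() for der in x509_certs(data) if common_name in der]

def build_esl(certs, owner=uuid.UUID(int=0)):
    """Construct one EFI_SIGNATURE_LIST per cert, since each list has a single SignatureSize."""
    out = b""
    for der in certs:
        sig_size = 16 + len(der)
        out += EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size) + owner.bytes_le + der
    return out

# Constructed stand-ins for DER certificates (real ones are around 1 KiB each)
SAMPLE_DB = build_esl([b"\x30\x82FAKE Microsoft Corporation UEFI CA 2011", b"\x30\x82FAKE Microsoft UEFI CA 2023"])

if __name__ == "__main__":
    # efivarfs prefixes each variable's contents with 4 bytes of attributes
    with open(DB_PATH, "rb") as f:
        db = f.read()[4:]
    print("2023 CA present in db:", bool(find_ca(db, b"Microsoft UEFI CA 2023")))
```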