Please update the Fedora secure boot signing key in a timely manner, otherwise you may be unable to boot Fedora Linux on computers with secure boot enabled after September

Hi! I heard from Tom’s Hardware that Microsoft’s UEFI Secure Boot key will expire on September 11th. I am very worried that after September 11th, computers with Secure Boot enabled, especially those that have updated the Secure Boot key, may not be able to boot Fedora. So has Fedora updated its Secure Boot key to the latest version? https://www.tomshardware.com/tech-industry/cyber-security/microsoft-signing-key-required-for-secure-boot-uefi-bootloader-expires-in-september-which-could-be-problematic-for-linux-users

The Microsoft KEK key expires in 2026

Owner: 77fa9abd-0359-4d32-bd60-28f4e78f784b
SHA1 Fingerprint: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:0a:d1:88:00:00:00:00:00:03
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
        Validity
            Not Before: Jun 24 20:41:29 2011 GMT
            Not After : Jun 24 20:51:29 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011

and the new one should already be distributed through fwupd or through the manufacturer

Owner: 77fa9abd-0359-4d32-bd60-28f4e78f784b
SHA1 Fingerprint: 45:9a:b6:fb:5e:28:4d:27:2d:5e:3e:6a:bc:8e:d6:63:82:9d:63:2b
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            33:00:00:00:13:14:16:b8:61:6d:82:82:4b:00:00:00:00:00:13
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Microsoft Corporation, CN=Microsoft RSA Devices Root CA 2021
        Validity
            Not Before: Mar  2 20:21:35 2023 GMT
            Not After : Mar  2 20:31:35 2038 GMT
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft Corporation KEK 2K CA 2023

The updated db should also have been received through fwupd by now.

What the article says is that when getting Microsoft to sign the shim after September, the shim will be signed with the new key. That is all.


This issue is being actively discussed on the Fedora devel mailing list.
One issue is that hardware vendors need to add the new key to the UEFI BIOS.

On my personal hardware only some of them have the new key.
I am waiting for an update on my desktop that I run dual boot windows 11 on.

I’m wondering whether Microsoft is introducing expiration dates for all Secure Boot keys. If so, what happens to machines from manufacturers that never release firmware updates—will those systems eventually reject all bootloaders and operating systems?

The expiration dates have been part of the certificates from the start of EFI BIOS introduction. This is not something that changed recently.

If an update is not made by the vendors of the hardware then it is unclear what will happen as this depends on what the BIOS firmware implements.
Booting with the old keys may continue to work for example.

For linux systems there is always the option to turn off secure boot.

I see, this is part of the design of Secure Boot… However, fusing in something with an expiry time sounds strange to me. But since it is a PKI system, an expiry time seems required?

Yes, good news is that we Linux users can just switch off SB and continue, but Windows users might end up with a failed Bitlocker PCR measurement. :melting_face:

Yes.

This would need to be a user on Windows 11, which means recent hardware that is more likely to get the firmware update.

It’s the people on old hardware that only supports Windows 10 that are more likely to have an issue. But for them the bigger issue is that Windows 10 support will have ended.

That uses the TPM that is not the same as Secure Boot.
I do not know if a Windows 10 with Bitlocker but Secure Boot turned off would work.
Not an issue if you run Fedora :slight_smile:


I saved this aside because I was busy, now it’s been 11 days.


To make it short: must I do something because reasons or does the problem just deal with itself (AKA not have to move my ass)?

Tl;dr - no need to do anything.

If you want to know why, read this in-depth explanation: Captcha Check


You can check the currently installed KEK certs by running mokutil --list-enrolled --kek |grep Microsoft which should show

31590bfd89 Microsoft Corporation KEK CA 2011
459ab6fb5e Microsoft Corporation KEK 2K CA 2023

and to check the db mokutil --list-enrolled --db |grep Microsoft which should show

46def63b5c Microsoft Corporation UEFI CA 2011
580a6f4cc4 Microsoft Windows Production PCA 2011
b5eeb4a670 Microsoft UEFI CA 2023
3fb39e2b8b Microsoft Option ROM UEFI CA 2023

The updates should have come via fwupd, but if you multiboot Windows, the updates could also come via Windows updates. Updating via Windows updates should avoid problems with Bitlocker.


I still have Windows 10 and will keep it online up to November (never installing 11 on any machine I seriously use).

Hope that’ll be enough, at least for this time.


Thanks people.

Hi, @isaac0clarke
I have an older laptop with a dual boot of Windows 10 Pro and Fedora 42 WS. Microsoft offered to extend the updates until October 2026 for free, which I obviously accepted, even though I rarely use it.

It’s unclear to me, if that is the output that shows that everything is OK (because of the “2023”) or if that is the output that shows it’s outdated?

You get a set of keys from 2011 and a new set from 2023. If you run mokutil --list-enrolled --verbose-listing --kek you will see all the KEK keys with their expiry dates.

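As an added example (not posted by anyone in this thread), the checks described above as a small POSIX shell script: it looks for the 2011 and 2023 Microsoft KEK CAs by Subject CN and pulls the "Not After" year out of each certificate, so the "is my KEK updated" and "when does it expire" questions are answered in one run. The certificate subjects, fingerprints and validity dates are the ones quoted earlier in the thread; the two sample listings are constructed to mimic `mokutil --list-enrolled --verbose-listing --kek` output, and the live call is only attempted when mokutil and EFI variables are present.

```shell
#!/bin/sh
# Added example (not from the thread): automate the KEK check described above.
# Functions take a mokutil verbose listing as a string, so they can be run
# against the constructed samples below or against a live machine.

# Return 0 if LISTING ($1) contains a certificate whose Subject has CN=$2.
listing_has_cn() {
    printf '%s\n' "$1" | grep -q "Subject:.*CN=$2"
}

# Print the "Not After" year of every certificate in LISTING ($1), one per line.
expiry_years() {
    printf '%s\n' "$1" |
        sed -n 's/.*Not After *: *[A-Za-z]* *[0-9]* [0-9:]* \([0-9]\{4\}\) GMT.*/\1/p'
}

# Return 0 if every certificate in LISTING ($1) expires after year $2,
# 1 if at least one expires in or before that year.
all_valid_after_year() {
    for y in $(expiry_years "$1"); do
        [ "$y" -gt "$2" ] || return 1
    done
    return 0
}

# Classify the KEK listing: "updated" if the 2023 KEK 2K CA is enrolled,
# "old-only" if only the 2011 KEK CA is present, "none" otherwise.
kek_state() {
    if listing_has_cn "$1" "Microsoft Corporation KEK 2K CA 2023"; then
        echo updated
    elif listing_has_cn "$1" "Microsoft Corporation KEK CA 2011"; then
        echo old-only
    else
        echo none
    fi
}

# Constructed sample: a machine that already received the new KEK (both CAs).
# Fingerprints, validity dates and subjects are the ones quoted in the thread.
SAMPLE_KEK_UPDATED='[key 1]
SHA1 Fingerprint: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
Certificate:
    Data:
        Validity
            Not Before: Jun 24 20:41:29 2011 GMT
            Not After : Jun 24 20:51:29 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
[key 2]
SHA1 Fingerprint: 45:9a:b6:fb:5e:28:4d:27:2d:5e:3e:6a:bc:8e:d6:63:82:9d:63:2b
Certificate:
    Data:
        Validity
            Not Before: Mar  2 20:21:35 2023 GMT
            Not After : Mar  2 20:31:35 2038 GMT
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft Corporation KEK 2K CA 2023'

# Constructed sample: a machine whose firmware vendor has not shipped the update.
SAMPLE_KEK_OLD='[key 1]
SHA1 Fingerprint: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
Certificate:
    Data:
        Validity
            Not Before: Jun 24 20:41:29 2011 GMT
            Not After : Jun 24 20:51:29 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011'

# Print the state of one listing ($2) under the label in $1.
report() {
    echo "$1: KEK state = $(kek_state "$2")"
    if all_valid_after_year "$2" "$(date +%Y)"; then
        echo "$1: no enrolled KEK expires this year or earlier"
    else
        echo "$1: at least one enrolled KEK expires in $(date +%Y) or earlier"
    fi
}

# Stand-alone run: the two samples, then the live machine when mokutil and
# EFI variables are available (skipped elsewhere, e.g. in a container).
report "sample-updated" "$SAMPLE_KEK_UPDATED"
report "sample-old" "$SAMPLE_KEK_OLD"
if command -v mokutil >/dev/null 2>&1 && [ -d /sys/firmware/efi ]; then
    report "this-machine" "$(mokutil --list-enrolled --verbose-listing --kek 2>/dev/null)"
fi
```

On a machine that matches the "sample-old" shape the script only tells you the new KEK is missing; as the posts above say, the fix has to come from a firmware or fwupd/Windows update, since the KEK variable is only writable with a signature from the platform key.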

Same here. 2018 Dell has no update, newer Dell does have it.

Maybe Home doesn’t have it.

I believe Windows 10 Home has the exact same option


Regardless, W10 is fated to die.

I’ll take advantage of the possibly gifted extra time to keep testing and comparing different games and software, but this is the same reason why I installed Fedora almost 2 years ago:

To do all of this, the big leap, the switch, at the last moment, all of a sudden, is an objectively stupid move.

Honestly, beyond the FACT that phones, tablets, and SmartTVs ( :face_vomiting: ) do EVERYTHING the normal, average person wants and needs (so the need to buy a €300 desktop and install Linux on it doesn’t exist anymore, it’s no longer 2010) the normal gamer needs nothing more than Bazzite if they want to just game & google.

I chose Fedora because I also want to use other software, I want to do more compared to the normal user, but ALL Linux Distros, ALL of them, are way more complex than Windows to do even the minimum complex edits/modifications to do more things.

I see the following
$ mokutil --list-enrolled --kek |grep Microsoft

31590bfd89 Microsoft Corporation KEK CA 2011
$ mokutil --list-enrolled --db |grep Microsoft
580a6f4cc4 Microsoft Windows Production PCA 2011
46def63b5c Microsoft Corporation UEFI CA 2011
b5eeb4a670 Microsoft UEFI CA 2023
3fb39e2b8b Microsoft Option ROM UEFI CA 2023

Seem to be missing the KEK 2K cert.

I Have KEK cert

        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
        Issuer: C=US, O=Microsoft Corporation, CN=Microsoft RSA Devices Root CA 2021
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft Corporation KEK 2K CA 2023
                URI:http://www.microsoft.com/pkiops/crl/Microsoft%20RSA%20Devices%20Root%20CA%202021.crl
                CA Issuers - URI:http://www.microsoft.com/pkiops/certs/Microsoft%20RSA%20Devices%20Root%20CA%202021.crt