17 comments

[ 3.2 ms ] story [ 32.2 ms ] thread
They left out the steps to update it. I made a rough attempt at a document for this. [1] Please let me know if I missed a validation step. I have done this on six machines but they were all Linux. Not tested on BSD.

Archive [2] in the event I was too aggressive in blocking bots.

[Edit] I should also include this [3] thread for completeness sake. Some people people were playing with a shim work around but it looks like a lot of unnecessary complexity and fragility to me.

[1] - https://nochan.net/b/Internet-Crap/20260621-Update-Secure-Bo...

[2] - https://archive.is/ml3jv

[3] - https://www.reddit.com/r/archlinux/comments/1pvw6td/grub_shi...

> The KEK updates are going out at ~98% success, and db update is ~99% success

glad to see the opt in fwupd analytics being so useful for something like this

Not envious of the running around contacting vendors they must of been doing on such short order.

I saw 2-3 flavors of this news. None of them include a basic “how do I check if I need to do anything” guide that a linux newbie can do.
[flagged]
I'm surprised more people aren't freaking out about this. It seems likely a whole lot of Linux machines are going to fail to reboot in the next few months. The problem affects VMs too. I was grateful Proxmox put a little warning in its hypervisor GUI with a button to press to fix the BIOS of its VMs.

Secure Boot has been deeply broken for years, not providing meaningful security on most consumer machines.

It needs to be said, this is what you get by "trusting" Microsoft.

There really is no need for secure boot in Linux. The only reason to have it is if you dual boot because M/S says so. If using Linux by itself, just disable secure boot and have done with it.

Last time I installed Arch, I put Secure Boot in setup mode and enrolled by own keys. The idea of using someone else's keys seems absurd.
Do note that being able to completely remove MS keys is highly dependent on your mainboard. Not in the sense of if they allow you to do it (I think most if not all DIY boards allow you to), but if you will be able to boot afterwards.

I (soft?)bricked a mainboard and it doesn't want to boot anymore after I removed the MS keys. The worst part is, that it has a dualBIOS and no active switch to change between them, only their own "I'll change when I see issues"... well you can guess how well that worked out (and I am not able to get it to clear CMOS for some reason).

The word from Red Hat is existing systems will continue to boot — presumably because they are time-stamped and counter-signed or because the dates are ignored entirely.

99% of secure boot discussions are drowned out by people who don't have a clue what they're talking about, yet are spittingly, furiously mad.

They've also had over a year to prepare for this so if Linux distros are only telling you now, that's on them.

> triggering a "de-fragmentation" of the available efivar space so that there's enough contiguous space to deploy the update.

I didn't even realize this could be a problem despite the next paragraph implying it's very well known.

Well, it seems like keeping secure boot disabled was gonna help me in the future haha

I know it is not recommended but the options to have my own keys seemed a bit of a hack than a solution.

How do desktop Linux distros avoid attackers from rolling back the operating system to a vulnerable, but signed version?
Some laptops allow Custom Mode in UEFI setup menu. Then you can clear these keys and load your own. On Linux etc. you can that way enable secure boot without MS keys.

Not all devices support it, so choose wisely.