Just been reading
Not sure if this affects Linux users or not?
Think normally we switch off secure boot to do the install, but cannot remember, and if it's still on or dual booting, which I know some of our members do, if it will affect them
I have an idea that all this is aimed to weed-out all the unsupported W11 installs, that do not use UEFI!!! If it does, then a lot of my devices will wind up in the attic!!!
Not quite sure on that as they are offering the bios updates as part of the program updates.
My thoughts are more towards the linux community and the possible effects for us without upgrades to the bios
I think older computers without secure boot will be unaffected.
Won't affect me in any way whatsoever… I have it disabled in BIOS / UEFI…
I don't use Windows (other than remotely - and that's via AVD and RDP).
If you want to check that you have the updated (2023) secure boot certificates installed on your computer, in PowerShell, execute the following:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
An output of True indicates the 2023 keys are installed on your computer. They are the ones you need. IIUC, any other output indicates the new certificates have not been installed.
For me, executing the following search:
what should I do if I don't have the 2023 secure boot certificates installed
returns the following:
Immediate Actions to Take:
Run Windows Updates: Ensure your system is fully updated, as Microsoft is pushing these certificates through Windows Update.
Update BIOS/Firmware: Visit your device manufacturer's website (Dell, HP, Lenovo, etc.) to download and install the latest BIOS/UEFI firmware, which often contains the updated certificates.
Check/Reset Secure Boot Keys: Enter your BIOS/UEFI setup (usually F2, F12, or Del at startup) and check the Secure Boot settings. If you have updated your BIOS but still lack the keys, you may need to select "Reset to Factory Keys" or "Install Default Secure Boot Keys".
Verify with PowerShell: Open PowerShell as Administrator and run the following command to check if the new certificates are installed:
Confirm-SecureBootUEFI
If it returns True, you have the new certificates.
If it returns False, you need to update your firmware.
I hope this helps fellow dual-boot users,
Ernie
And for Linux?
Needed or not
If you dual-boot Windows with any GNU/Linux distribution, the secure boot certificates are stored in the TPM, a part of the UEFI system your computer uses at boot time, so if the 2023 certificates are installed you should be all set, unless you're creating your own signing keys, in which case, they're still stored in the TPM, but they're unique to your computer, so they should not be affected. FWIW, I'm writing this off the top of my head … from memory, and the part about locally created keys may miss the mark for accuracy/correctness. If anyone who knows more about secure boot than I do sees anything wrong here, please comment, correcting me! And thank you if you do!
Ernie
My understanding: if you are using secure boot with a Linux-only setup it will continue to work fine. You will/could run into problems when you upgrade/install a new distro version that ships a shim signed exclusively with the 2023 key. Vendors are pushing firmware updates that include the new Microsoft cert in the firmware db (UEFI NVRAM) via fwupd / LVFS (e.g. using fwupdmgr). There are ways to manually add the new cert to the db (e.g. using sbctl) if the need arises.
If it is a dual boot system with Win11 (and secure boot is enabled), Win11 will/should update it automatically, taking care of it.
That's the answer I was looking for
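A Linux-side counterpart to the PowerShell check earlier in the thread, added here as an example and not part of any poster's reply: it parses the EFI_SIGNATURE_LIST data of the `db` variable from efivarfs and reports whether a certificate carrying the given name is present. The function names and the sample data are constructed for illustration; the default name is the string used in the PowerShell check.

```python
import struct
import sys
import uuid

# efivarfs file for the Secure Boot "db" variable (EFI_IMAGE_SECURITY_DATABASE_GUID).
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
# EFI_CERT_X509_GUID: lists of this type carry DER-encoded certificates.
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")


def iter_x509(blob):
    """Yield (owner GUID, DER bytes) for every X.509 entry in EFI_SIGNATURE_LIST data."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or sig_size < 16 or off + list_size > len(blob):
            raise ValueError(f"malformed signature list at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while sig_type == X509_GUID and pos + sig_size <= end:
            yield uuid.UUID(bytes_le=blob[pos:pos + 16]), blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def db_has_cert(blob, name="Windows UEFI CA 2023"):
    """True if an X.509 entry contains `name` as ASCII bytes (per-certificate match)."""
    return any(name.encode("ascii") in der for _, der in iter_x509(blob))


def sample_db(names):
    """CONSTRUCTED test data: one X.509 list per name, placeholder bytes, not real DER."""
    owner = uuid.UUID("00000000-0000-0000-0000-000000000001").bytes_le
    out = b""
    for n in names:
        entry = owner + b"\x30\x16\x0c\x14" + n.encode("ascii")
        out += X509_GUID.bytes_le + struct.pack("<III", 28 + len(entry), 0, len(entry)) + entry
    return out


if __name__ == "__main__":
    try:
        with open(DB_PATH, "rb") as fh:
            blob = fh.read()[4:]  # efivarfs prepends 4 bytes of variable attributes
    except OSError as exc:
        print(f"cannot read db ({exc}); using constructed sample", file=sys.stderr)
        blob = sample_db(["Example Old CA 2011", "Windows UEFI CA 2023"])
    name = sys.argv[1] if len(sys.argv) > 1 else "Windows UEFI CA 2023"
    print(f"{len(list(iter_x509(blob)))} X.509 entries; {name!r} present: {db_has_cert(blob, name)}")
```

To check for a different certificate, such as the CA that signed your distribution's shim, pass its name as the first argument.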
I suspect when the new versions of mint come out they will be geared up ready for a change.
My opinion: secure boot can become very problematic, especially with dual boot Linux systems. Not worth the headache for most home users. Pros vs cons: I don't enable secure boot.
Thank you @JoelA … that covers my position. … if I ever buy a new computer that has secure boot I will turn it off.
The question continues at
Hey, a secure boot is for securing the boot process.
Malware is a separate issue and should be separate software… this is like systemd all over again. Next thing it will have its tentacles into login managers, and before we know it it will become the whole OS.
Cage this thing now before it escapes and takes over the world.