• Whostosay@sh.itjust.works · 16 upvotes · 4 days ago (edited)

      J4k3, hope you're doing alright dude.

      Got a question you may be able to help me with. I have never changed my secure boot key on my motherboard after switching from Windows. Do I need to worry about anything? If I don't, what are the pros and cons and whatnot?

      I remember reading that there’s some sort of potential issues with keys from windows if you’re a Linux user a few months back.

  • Turret3857@infosec.pub · 18 upvotes · 4 days ago

        not j4k3 but my understanding is that the default keys are expiring soon and need to be rotated, and the rotation is up to your Mobo OEM to push out (?). I am not entirely sure that is correct, but I think it is.

        Pros and cons of your own key: Pros: it's your key, so you're responsible for your security

        Cons: it's your key, so you're responsible for your security

    • Whostosay@sh.itjust.works · 8 upvotes · 4 days ago

          That was my understanding as well.

          I got a good chuckle out of the pros and cons list lol, ty for that.

          I’ll have to look into self owned boot keys now.

          Thanks for chiming in

  • √𝛂𝛋𝛆@piefed.world · 11 upvotes · 4 days ago

        You can generate your own keys. Here are two PDF links I copied just now from a post I made 2 years ago here. I don't keep these whitelisted, so I did not check them for connecting. The first is the official UEFI overview. The second is a great guide from the US government detailing exactly how to set the keys. If that link doesn't work, pull out the document number from the link and search for it. Gentoo and Arch have guides on this. Fedora has the most advanced pre-Linux init system in my opinion.

        https://uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2019.pdf

        https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-Secure-Boot-Customization-UOO168873-20.PDF

        If you have secure boot enabled, and you are using the shim from Fedora or Ubuntu, then yes, you need to worry about it if you want to dual boot with w11.

  • lorentz@feddit.it · 7 upvotes · 4 days ago

        I remember reading a post on Mastodon where it was explained that no motherboard validates the secure boot keys' expiration dates; otherwise it wouldn't boot the first time the BIOS battery gets empty and the internal clock gets reset. The post was written well and was citing some sources. But I didn't try to verify these assertions.

    • Pika@sh.itjust.works · 1 upvote · 2 days ago

          Even if it did, it's not like any existing motherboard requires internet to boot; you can just change the MB clock to be prior to the expiration, and theoretically it should boot regardless of restrictions.
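The thread asks whether the default (vendor) Secure Boot certificates on a board are about to expire and whether the firmware checks that at all. A defender's first step is simply to see what is enrolled. The script below is an added example (mine, not code from any poster or from the linked UEFI/NSA guides): it reads the `db` variable from Linux efivarfs, parses the EFI_SIGNATURE_LIST structures that PK/KEK/db/dbx share, and hands each X.509 entry to the `openssl` CLI to print the subject and notAfter date. It assumes the standard efivarfs path and GUID for `db`, that efivarfs is mounted and readable, and that `openssl` is on PATH; `demo_entries()` uses a constructed in-memory sample so the parser can be exercised offline.

```python
import struct
import subprocess
import uuid
from pathlib import Path

# Signature-type GUIDs from the UEFI spec; efivarfs path of "db" is the standard Linux layout (assumed)
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
DB_EFIVAR = Path("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f")

def parse_signature_lists(data):
    """Return [(signature_type, owner_guid, signature_bytes), ...] for a
    concatenation of EFI_SIGNATURE_LIST structures (the on-disk form of PK/KEK/db/dbx)."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA = owner GUID + data
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def build_signature_list(sig_type, owner, sigs):
    """Serialise one EFI_SIGNATURE_LIST (no signature header); all sigs must have equal length."""
    sig_size = 16 + len(sigs[0])
    body = b"".join(owner.bytes_le + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body

def cert_summary(der):
    """Subject and notAfter of a DER certificate, via the openssl CLI (assumed on PATH)."""
    out = subprocess.run(["openssl", "x509", "-inform", "DER", "-noout", "-subject", "-enddate"],
                         input=der, capture_output=True, check=True).stdout
    return out.decode().strip().replace("\n", " | ")

def demo_entries():
    """Constructed sample: one X.509 list with two placeholder certs, one SHA-256 hash list."""
    owner = uuid.UUID("00000000-0000-4000-8000-000000000001")  # made-up owner GUID
    blob = build_signature_list(EFI_CERT_X509_GUID, owner, [b"cert-A", b"cert-B"])
    blob += build_signature_list(EFI_CERT_SHA256_GUID, owner, [bytes(32)])
    return parse_signature_lists(blob)

if __name__ == "__main__":
    for sig_type, owner, sig in parse_signature_lists(DB_EFIVAR.read_bytes()[4:]):  # skip 4-byte attrs
        print(owner, cert_summary(sig) if sig_type == EFI_CERT_X509_GUID else "%d-byte hash entry" % len(sig))
```

Swap `db` for `PK-8be4df61-93ca-11d2-aa0d-00e098032b8c` or `KEK-8be4df61-...` to inspect the platform key and key-exchange keys the same way.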