Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a ke [...]

Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a key from Microsoft that is set to expire in September. After that point, Microsoft will no longer use that key to sign the shim first-stage UEFI bootloader that is used by Linux distributions to boot the kernel with Secure Boot. But the replacement key, which has been available since 2023, may not be installed on many systems; worse yet, it may require the hardware vendor to issue an update for the system firmware, which may or may not happen. It seems that the vast majority of systems will not be lost in the shuffle, but it may require extra work from distributors and users.

  • VeganCheesecake@lemmy.blahaj.zone
    0·
    7 days ago

    This implies a world in which motherboard vendors actually regularly publish updates for their boards, or publish information about a board being officially end-of-life, which, for many consumer boards, just isn’t the case.

    Some vendors still have a red flag on their support page discouraging uefi updates unless you’re actively experiencing problems.

    • 9tr6gyp3@lemmy.worldEnglish
      0·
      6 days ago

      Some vendors still have a red flag on their support page discouraging uefi updates unless you’re actively experiencing problems.

      I dont know which vendor you are referring to, but that is a horrible practice. There should be active support and release notes stating that “This release is a security fix” at a bare minimum. If your motherboard manufacturer does not offer that, then I could never recommend them to someone. They need to be held to a higher standard.

      At least from my experience, ASUS, Dell, and Apple will publish that information.

      • SkavarSharraddas@gehirneimer.de
        0·
        6 days ago

        From https://www.gigabyte.com/Motherboard/GA-AX370M-Gaming-3-rev-1x/support#support-dl-bios (manual contains the same, plus a recommendation to keep the default settings):

        " Warning: Because BIOS flashing is potentially risky, if you do not encounter problems using the current version of BIOS, it is recommended that you not flash the BIOS. To flash the BIOS, do it with caution. Inadequate BIOS flashing may result in system malfunction."

        • 9tr6gyp3@lemmy.worldEnglish
          0·
          6 days ago

          Its funny because the release notes for their December '21 BIOS update says:

          Major vulnerabilities updates, customers are strongly encouraged to update to this release at the earliest.

          And many of their release notes say that they fix security issues. I would say that supercedes the footnote at the bottom that says to update your BIOS only if you’re having issues.

          Plus, doesn’t Gigabyte have A/B BIOS updates? So if you have a failed flash, you can switch to the previous BIOS that was working?