Xiisadaddy@lemmygrad.ml
on 27 Aug 20:50
nextcollapse
There are very few times i will come out with something positive to say about a company, but i do have to say i have a Dell laptop from 2020, and to this day i get regular firmware updates via the gnome application storefront’s update utility from Dell. It is an enterprise machine that was originally sold with Ubuntu as an option which i believe is why. I don’t run Ubuntu but they just push the updates out to all linux distros that check for them i think. It’s really nice to have i just download it, reboot, and it installs the update in a few seconds. I even get to look at my pretty plymouth splash screen while it installs. So hopefully I’ll have the new key from that.
bodaciousFern@lemmy.dbzer0.com
on 28 Aug 00:08
nextcollapse
if you set up secureboot without doing anything more than instaling the OS… yeah probably it is true. Edit: e.g. GRUB2 generally relies on shim. sysemd-boot doesn’t
I haven’t checked the specific key that signs shim to confirm the expiration date, but there generally is a date, as we’re talking about certs and keys here.
Edit 2: Basically what this article is saying is that the machines will need a new platform key (mited in 2023) enrolled in the tpms, with often comes from the firmware (when tpms are wiped for initial enrollment of a new install/setup, they tend to enroll whatever platform keys from microsoft are baked in to the uefi firmware).
So basically, if you haven’t had a bios/uefi firmware update since 2022, there’s no way for you to have have the new key trusted by your tpm, and the whole chain of trust falls apart when the key you do have expires. So you’ll need to disable secureboot. If you use shim and/or the microsoft platform key in someway.
The_Decryptor@aussie.zone
on 28 Aug 03:39
collapse
threaded - newest
There are very few times i will come out with something positive to say about a company, but i do have to say i have a Dell laptop from 2020, and to this day i get regular firmware updates via the gnome application storefront’s update utility from Dell. It is an enterprise machine that was originally sold with Ubuntu as an option which i believe is why. I don’t run Ubuntu but they just push the updates out to all linux distros that check for them i think. It’s really nice to have i just download it, reboot, and it installs the update in a few seconds. I even get to look at my pretty plymouth splash screen while it installs. So hopefully I’ll have the new key from that.
Chat, is this real?
The answer as always is, it depends.
Not all implementations rely on shim.
if you set up secureboot without doing anything more than instaling the OS… yeah probably it is true. Edit: e.g. GRUB2 generally relies on shim. sysemd-boot doesn’t
I haven’t checked the specific key that signs shim to confirm the expiration date, but there generally is a date, as we’re talking about certs and keys here.
Edit 2: Basically what this article is saying is that the machines will need a new platform key (mited in 2023) enrolled in the tpms, with often comes from the firmware (when tpms are wiped for initial enrollment of a new install/setup, they tend to enroll whatever platform keys from microsoft are baked in to the uefi firmware).
So basically, if you haven’t had a bios/uefi firmware update since 2022, there’s no way for you to have have the new key trusted by your tpm, and the whole chain of trust falls apart when the key you do have expires. So you’ll need to disable secureboot. If you use shim and/or the microsoft platform key in someway.
It’s real, but probably not an issue in practise.
If it does actually turn out to pose a problem, then just disable secure boot on those systems, not like it’s really securing anything at that point.
So, if I’ve not had a UEFI update in <years> to update the Secureboot cert, wouldn’t this affect any OS? Ie Windows too?
.
Yes. Microsoft says that most Windows will get updated by them, but I’m sure a lot of Windows machines will break in 2026.