Posted by weaksauce 1 day ago
There really is no need for secure boot in Linux. The only reason to have it is if you dual boot because M/S says so. If using Linux by itself, just disable secure boot and have done with it.
Secure boot prevents tampering with your kernel and/or bootloader; nothing about Linux prevents this from being possible.
You might argue that you don't care about this, but some people such as myself do!
By trusting another chain of trust and firmware binary blobs involved in booting your PC.
Secure boot exists only as one of the puzzle pieces for remote attestation for MS and trusted OEMs, nothing to do with your security.
So what? I'm still preventing a random person from tampering with my bootloader?
99% of secure boot discussions are drowned out by people who don't have a clue what they're talking about, yet are spittingly, furiously mad.
They've also had over a year to prepare for this so if Linux distros are only telling you now, that's on them.
The issue seems to be that Microsoft will refuse to sign anything new with the expiring certificate (which is correct behaviour), so any UEFI firmware that hasn't got the new certificate will refuse newly signed bootloaders.
I don't see anything wrong with this scenario, it's on distros to properly make sure they're distributing secure boot certificate updates.
Edit: Apparently RHEL will even refuse to install a 2023 signed shim if the firmware lacks the certificate for it.
Why is that? RHEL's own blog post described that RHEL is distributing a dual-signed shim, signed by both the 2011 and 2023 certificates, so that it works either way: with only 2011 present or only 2023.
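As an added check for the situation the two comments above describe (a firmware whose db was never updated with the new CA, and a shim that carries both signatures), not code from the thread or from any distro: a POSIX sh script that reads the text printed by `mokutil --db` and by `sbverify --list` on a shim binary, reports which Microsoft third-party CAs the firmware trusts, and says whether that shim would be accepted. The CA common names are the real ones ("Microsoft Corporation UEFI CA 2011" and "Microsoft UEFI CA 2023"); the embedded dumps are constructed and abridged, keeping only the `Subject:` / `subject: /CN=` lines the functions look at.

```shell
#!/bin/sh
# Added example, not code from the thread or any distro.
# Decides what a firmware's UEFI 'db' will accept from the text that
# `mokutil --db` prints, and which CAs signed a shim from the text that
# `sbverify --list shimx64.efi` prints.

# Subject CNs of Microsoft's third-party UEFI signing CAs: the 2011 one is
# the certificate that expires, the 2023 one is its replacement.
CA_2011="Microsoft Corporation UEFI CA 2011"
CA_2023="Microsoft UEFI CA 2023"

# classify_db: reads a db dump on stdin and prints one word:
#   both       both CAs enrolled; a shim signed by either CA boots
#   2011-only  a shim signed only by the 2023 CA is rejected by this firmware
#   2023-only  a shim signed only by the 2011 CA is rejected
#   none       neither Microsoft third-party CA is in db
classify_db() {
    dump=$(cat)
    has11=0
    has23=0
    if printf '%s\n' "$dump" | grep -q "CN=$CA_2011"; then has11=1; fi
    if printf '%s\n' "$dump" | grep -q "CN=$CA_2023"; then has23=1; fi
    case "$has11$has23" in
        11) echo both ;;
        10) echo 2011-only ;;
        01) echo 2023-only ;;
        *)  echo none ;;
    esac
}

# signers_of: reads a signature listing on stdin and prints the Microsoft
# UEFI CA names found among the signing certificates, one per line.
signers_of() {
    grep -o "CN=Microsoft[^/,]*UEFI CA 20[0-9][0-9]" | sed 's/^CN=//' | sort -u
}

# will_boot DBCLASS: reads the signer list on stdin; prints yes when at
# least one signer is a CA that the classified db trusts, else no.
will_boot() {
    db=$1
    signers=$(cat)
    ok=0
    case "$db" in
        both|2011-only)
            if printf '%s\n' "$signers" | grep -qx "$CA_2011"; then ok=1; fi ;;
    esac
    case "$db" in
        both|2023-only)
            if printf '%s\n' "$signers" | grep -qx "$CA_2023"; then ok=1; fi ;;
    esac
    if [ "$ok" -eq 1 ]; then echo yes; else echo no; fi
}

# Constructed, abridged db dumps in the shape mokutil prints (fingerprints
# are placeholders). DB_OLD_FIRMWARE stands for a machine never updated.
DB_OLD_FIRMWARE='[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011'
DB_UPDATED_FIRMWARE="$DB_OLD_FIRMWARE
[key 2]
SHA1 Fingerprint: ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc
Certificate:
    Data:
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023"

# Constructed, abridged signature listings in the shape sbverify prints:
# a dual-signed shim (as the RHEL comment describes) and a 2023-only one.
SHIM_DUAL='signature 1
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
signature 2
image signature certificates:
 - subject: /C=US/O=Microsoft Corporation/CN=Microsoft UEFI CA 2023'
SHIM_2023_ONLY='signature 1
image signature certificates:
 - subject: /C=US/O=Microsoft Corporation/CN=Microsoft UEFI CA 2023'

# Stand-alone demo against the never-updated firmware.
db=$(printf '%s\n' "$DB_OLD_FIRMWARE" | classify_db)
echo "db trusts: $db"
echo "dual-signed shim boots: $(printf '%s\n' "$SHIM_DUAL" | signers_of | will_boot "$db")"
echo "2023-only shim boots:   $(printf '%s\n' "$SHIM_2023_ONLY" | signers_of | will_boot "$db")"
```

On a real machine the same functions take live input: `mokutil --db | classify_db` for the firmware and `sbverify --list /boot/efi/EFI/<distro>/shimx64.efi | signers_of` (path is a placeholder) for the installed shim. A db that comes back `2011-only` or `none` together with a shim that lists only the 2023 CA is exactly the refusal the comment describes; a dual-signed shim is accepted on either firmware, which is the point of shipping one.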
Well yeah - as someone who has 0 understanding of why we need it and only ever gets greatly frustrated by it, I am pretty mad that people feel entitled to say "that's on them" about my distro managers.