Posted on 06/25/2026 2:02:49 PM PDT by CatOwner
I've been reading about the expiration of the 2011 Secure Boot certificates today, mainly with regards to Windows OS systems. Many of those users are dealing with older hardware that will not be getting a BIOS firmware update from the PC/laptop manufacturers to get those certificates updated to the latest (2023) versions.
The big appeal of getting users onto Linux was the ability to use older hardware that Microsoft deemed incapable of receiving the latest OS installs and updates. Sounds great, but now I am reading this issue carries over into Linux.
For so long, we've been told something like "Just install Linux Mint and keep it current with the latest updates." With this Secure Boot certificates issue, is that sufficient, especially for BIOS firmware that can't be updated?
My main concern is being able to use a computer with Linux installed to perform online activities (browsing, downloading, online accounts, etc.).
There are probably distros out there that don’t need secure boot.
My computer does not have secure boot and I installed Kubuntu 26.04 without issues. I was running Ubuntu 22.04 for a long time prior, and had no install issues.
From Google AI: “Linux Mint does not require Secure Boot to be enabled, but it officially supports it out of the box if you choose to leave it on.”
My own experience with Mint backs that statement up, YMMV.
https://grok.com/share/bGVnYWN5LWNvcHk_a437aa0a-a784-4fa2-b4a5-da9ef6b94811
Key Facts on What Happens
Existing installations continue booting: Firmware does not typically enforce certificate expiration dates at runtime for already-trusted signatures. Your current shim, GRUB, and kernel (signed when the cert was valid) should keep working after the expiration date. Nothing “bricks” at midnight.
The real issue is future updates and new installs: After expiration, Microsoft stops signing new shims (or other boot components) with the 2011 key. Distros are moving to dual-signed shims (both 2011 and 2023 keys) or 2023-only. On hardware whose firmware never gets the 2023 Microsoft certificates enrolled (via BIOS update or db update), you won’t be able to boot:
* Linux PING *
https://grok.com/share/bGVnYWN5LWNvcHk_a437aa0a-a784-4fa2-b4a5-da9ef6b94811
Practical workaround: Disable Secure Boot in BIOS/UEFI. This is the simplest and most reliable long-term option for unsupported older machines. Linux works fine without it (it was never mandatory), though you lose the boot-chain protection it provides.
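The Grok summary above turns on one question: does the firmware's db variable hold the 2023 Microsoft third-party CA, or only the 2011 one? On Linux, `mokutil --db` prints each db certificate in the same layout as `openssl x509 -text`. The script below is an added example (not from this thread, Grok, or Linux Mint) that parses that layout and reports which generation of the shim-signing CA is enrolled. The sample input is constructed to look like a db that only carries the 2011 certificates; fingerprints, serials and validity dates in it are placeholders, and the certificate names are the ones Microsoft publishes for the 2011 and 2023 CAs as I understand them.

```python
import re
import sys
from datetime import datetime, timezone

# Constructed sample in the "openssl x509 -text" layout that `mokutil --db`
# prints.  It mimics a firmware whose db still holds only the 2011 Microsoft
# certificates.  Fingerprints and dates are placeholders, not real values.
SAMPLE_DB = """\
[key 1]
SHA1 Fingerprint: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C=US, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
        Validity
            Not Before: Jun 27 21:22:45 2011 GMT
            Not After : Jun 27 21:32:45 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
[key 2]
SHA1 Fingerprint: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C=US, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
        Validity
            Not Before: Oct 19 18:41:42 2011 GMT
            Not After : Oct 19 18:51:42 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
"""

# Same firmware after a db update that adds the 2023 third-party CA
# (constructed entry; validity dates are placeholders).
SAMPLE_DB_UPDATED = SAMPLE_DB + """\
[key 3]
SHA1 Fingerprint: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:03
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C=US, O=Microsoft Corporation, CN=Microsoft RSA Devices Root CA 2021
        Validity
            Not Before: Jun 13 18:58:29 2023 GMT
            Not After : Jun 13 19:08:29 2035 GMT
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
"""

# The CA that signs shim (the "third-party" CA) in each generation.
THIRD_PARTY_CA_2011 = "Microsoft Corporation UEFI CA 2011"
THIRD_PARTY_CA_2023 = "Microsoft UEFI CA 2023"

# One certificate block: its "Not After" line followed (eventually) by the
# Subject line, from which we take the CN.
_ENTRY_RE = re.compile(
    r"Not After\s*:\s*(?P<not_after>[^\n]+)\n.*?Subject:.*?CN=(?P<cn>[^,\n]+)",
    re.S,
)


def parse_db(text):
    """Return [(common_name, not_after)] for every certificate in the dump."""
    entries = []
    for m in _ENTRY_RE.finditer(text):
        not_after = datetime.strptime(
            m.group("not_after").strip(), "%b %d %H:%M:%S %Y %Z"
        ).replace(tzinfo=timezone.utc)
        entries.append((m.group("cn").strip(), not_after))
    return entries


def assess(text, today_iso):
    """Summarise what this db means for booting shim; today_iso is 'YYYY-MM-DD'."""
    today = datetime.fromisoformat(today_iso).replace(tzinfo=timezone.utc)
    certs = parse_db(text)
    names = {cn for cn, _ in certs}
    has_2011 = THIRD_PARTY_CA_2011 in names
    has_2023 = THIRD_PARTY_CA_2023 in names
    # Firmware does not check Not After at boot, so an expired 2011 CA still
    # validates already-signed binaries; the flag only tells you that nothing
    # new will be signed under it.
    expired_2011 = any(cn == THIRD_PARTY_CA_2011 and exp < today for cn, exp in certs)
    if has_2023:
        verdict = "2023 CA enrolled: shims signed with the 2023 key will boot"
    elif has_2011:
        verdict = ("only the 2011 CA enrolled: current 2011-signed shims keep booting, "
                   "but a 2023-only shim will be refused; needs a firmware/db update "
                   "or Secure Boot disabled")
    else:
        verdict = "no Microsoft third-party CA in db: shim cannot boot with Secure Boot on"
    return {"has_2011": has_2011, "has_2023": has_2023,
            "expired_2011": expired_2011, "verdict": verdict}


if __name__ == "__main__":
    # Usage: mokutil --db | python3 checkdb.py   (falls back to the sample)
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DB
    for key, value in assess(dump, datetime.now(timezone.utc).date().isoformat()).items():
        print(f"{key}: {value}")
```

Pipe the real `mokutil --db` output into it to get the verdict for your own machine; `mokutil --sb-state` tells you separately whether Secure Boot is actually enforcing. If the db shows only the 2011 CA and the vendor ships no update, the thread's advice (disable Secure Boot, or keep running the already-signed shim) is exactly what the verdict string says.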
At start up, get into the BIOS/UEFI configuration screen and turn OFF Secure Boot; then you should easily be able to install Linux. Even a little computer I bought last year (May 2025) that had Win-11 pre-installed only caused a bit of trouble doing this; I had to figure out how to convince Win-11 to reboot into BIOS/UEFI setup mode so I could turn off Secure Boot. (Most computers with Windows pre-installed now go directly into Windows, bypassing BIOS/UEFI setup.)
The problem is that recent versions of Windows almost certainly demand Secure Boot be ON, so “dual booting” of Windows and Linux may be difficult or impossible. But these days you might be able to run Linux under Windows while you decide what to do long term.
Since I don’t dual boot, but rather have Linux running 24/7 (and even a separate Windows machine running 24/7), that doesn’t bother me. See below:
root@server1:~# uptime
17:28:52 up 474 days, 2:33, 3 users, load average: 0.00, 0.00, 0.00
root@server2:~# uptime
17:34:53 up 474 days, 3:10, 3 users, load average: 0.00, 0.00, 0.00
root@workstation1:/home/yt# uptime
17:36:07 up 45 days, 19:05, 3 users, load average: 0.81, 0.56, 0.56
I'm not trying to sound harsh, but this whole issue revolves around the software and hardware companies having control over our systems, and not the other way around. I simply refuse to give them that ability, to the best of my ability.
Welp, there goes every desktop PC and laptop I have. My most recent computer, purchased in December 2019, won't be getting a BIOS update from the manufacturer. Oof.
For a home user looking to move to Linux completely and wanting to use it for online account access, what kind of risks would there be?
That's been what I have been doing, using an older PC for Linux as a backup and as a 2nd PC for my wife to use.
My main desire is a secure environment for online account access. I am not dual booting, and I have separate PCs for Windows 11 and Linux. I can probably do about 90% of what I need on Linux. The rest can be done with the Windows PC offline.
In my case, none of my PCs or laptops can have their firmware updated to the 2023 certificates, whether by limitations in the BIOS or the manufacturer’s refusal to provide a BIOS update for “older” hardware. I am using a 6.5 year-old desktop PC that met all of the requirements for Windows 11 by Microsoft, but this one can’t be fixed.
What if your drives are encrypted by secure boot though? How will you access them?
Secure boot does not have anything to do with encrypted drives. If you are talking about Windows, Bitlocker is what is used to encrypt the drive and the key is stored in the TPM module so that the drive is decrypted on startup without the user having to enter the key. LUKS is used for Linux and requires the key on startup to decrypt. Secure boot is just a way to verify that the bootloader has not been tampered with by verifying its digital signature. It can be turned off in the BIOS and Linux will happily boot without it. Windows will boot, but Microsoft ominously warns that it “permanently degrades system security”. External drives encrypted by something like Veracrypt will always require the key to access them.
Dropped in to share with peers so that maybe they can help others stay in the Linux game:
>Secure Boot Custom Keys
“Enabling Secure Boot with Your Self-Certified Keys (Linux): A Step-by-Step Guide
For a Linux user pursuing a secure system, it is imperative to enable Secure Boot. Nonetheless, merely turning it on does not guarantee a smooth boot. Signing a key on the Linux device is necessary to attain this. Failing to complete this important step will cease access to the Linux system. In this guide, I will lead you through the key signing process on your Linux machine. This essential step guarantees a smooth start-up for your Linux system and takes your Linux device to the next level of security.”
https://blog.ummit.dev/posts/linux/system/uefi/secure-boot/how-to-enable-secure-boot-with-self-cert/
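Whatever tooling the linked guide uses, enrolling your own keys comes down to writing EFI_SIGNATURE_LIST structures into the PK, KEK and db variables, and that format is worth seeing once. The block below is an added example, not code from the thread or from the linked guide: it serialises and parses signature lists holding an X.509 certificate (the self-certified key the guide talks about) and SHA-256 hashes of specific binaries (the other entry type db accepts). The "certificate" bytes and the hashed images are constructed placeholders; with a real key you would drop in the DER output of `openssl x509 -outform DER`. Note that this builds only the list itself, not the time-based authenticated-variable envelope that the firmware requires around it when you write PK/KEK/db, which must be signed by the key one level up in the hierarchy.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Any GUID may identify the owner of an entry; this one is made up for the example.
OWNER_GUID = uuid.UUID("12345678-1234-1234-1234-123456789abc")

# Stand-in for a DER-encoded certificate (constructed bytes, not a real cert).
FAKE_CERT = b"\x30\x82\x00\x14" + bytes(range(20))

HEADER_LEN = 16 + 4 + 4 + 4  # SignatureType + ListSize + HeaderSize + SignatureSize


def build_siglist(sig_type, payloads, owner=OWNER_GUID):
    """Serialise one EFI_SIGNATURE_LIST; every entry in a list must be the same size."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all entries in one signature list must be equal in size")
    if sig_type == EFI_CERT_SHA256_GUID and sizes != {32}:
        raise ValueError("SHA256 entries must be exactly 32 bytes")
    sig_size = 16 + sizes.pop()          # EFI_SIGNATURE_DATA = owner GUID + data
    body = b"".join(owner.bytes_le + p for p in payloads)
    header = sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, sig_size)
    return header + body


def parse_siglists(blob):
    """Parse a concatenation of signature lists into [(sig_type, owner, data)]."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated signature list header")
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("signature list size inconsistent with data")
        if sig_size < 16:
            raise ValueError("signature size smaller than owner GUID")
        if sig_type == EFI_CERT_SHA256_GUID and sig_size != 48:
            raise ValueError("SHA256 entry has wrong size")
        pos, end = off + HEADER_LEN + hdr_size, off + list_size
        if (end - pos) % sig_size:
            raise ValueError("signature list body is not a whole number of entries")
        while pos < end:
            owner = uuid.UUID(bytes_le=bytes(blob[pos:pos + 16]))
            entries.append((sig_type, owner, bytes(blob[pos + 16:pos + sig_size])))
            pos += sig_size
        off = end
    return entries


def example_db():
    """Build a db payload with one cert and two binary hashes, then parse it back."""
    h_a = hashlib.sha256(b"constructed EFI image A").digest()
    h_b = hashlib.sha256(b"constructed EFI image B").digest()
    blob = (build_siglist(EFI_CERT_X509_GUID, [FAKE_CERT])
            + build_siglist(EFI_CERT_SHA256_GUID, [h_a, h_b]))
    return blob, parse_siglists(blob)


if __name__ == "__main__":
    blob, entries = example_db()
    print(f"{len(blob)} bytes, {len(entries)} entries")
    for sig_type, owner, data in entries:
        kind = "x509" if sig_type == EFI_CERT_X509_GUID else "sha256"
        print(f"  {kind:6} owner={owner} {len(data)} bytes")
```

The size checks matter in practice: firmware rejects a list whose SignatureListSize does not line up with its entries, and a hand-assembled db that is off by a few bytes is a common reason an enrolment silently fails. Hash entries are also how you can trust one specific kernel or bootloader image without trusting a whole CA.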
You’d be wrong. Yes Bitlocker does encrypt drives, but do you use VMWARE? If you don’t have secure boot you won’t be able to access your drives if they were encrypted. It’s one part of the overall system. Bitlocker also relies on secure boot.
Create a Virtual Machine