https://grok.com/share/bGVnYWN5LWNvcHk_a437aa0a-a784-4fa2-b4a5-da9ef6b94811
Key Facts on What Happens
Existing installations continue booting: Firmware does not typically enforce certificate expiration dates at runtime for already-trusted signatures. Your current shim, GRUB, and kernel (signed when the cert was valid) should keep working after the expiration date. Nothing “bricks” at midnight.
The real issue is future updates and new installs: After expiration, Microsoft stops signing new shims (or other boot components) with the 2011 key. Distros are moving to dual-signed shims (both 2011 and 2023 keys) or 2023-only. On hardware whose firmware never gets the 2023 Microsoft certificates enrolled (via BIOS update or db update), you won’t be able to boot:
Welp, there goes every desktop PC and laptop I have. My most recent computer, purchased in December 2019, won't be getting a BIOS update from the manufacturer. Oof.
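An added example, not part of the original post or the quoted answer: a read-only check of whether a machine's Secure Boot `db` already holds the 2023 Microsoft third-party CA that newer shims are signed under. It assumes a Linux system with efivarfs mounted at the usual path, and it matches the certificates' subject common names as raw bytes inside the DER data, which is a heuristic rather than full X.509 parsing.

```python
import struct
import uuid

# EFI_CERT_X509_GUID: signature lists of this type hold DER-encoded certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Usual efivarfs location of the Secure Boot "db" variable (assumption: Linux).
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# Subject common names of the Microsoft third-party CAs used to sign shims.
CA_2011 = b"Microsoft Corporation UEFI CA 2011"
CA_2023 = b"Microsoft UEFI CA 2023"


def x509_entries(esl: bytes):
    """Yield certificate blobs from concatenated EFI_SIGNATURE_LIST structures."""
    off = 0
    while off + 28 <= len(esl):
        sig_type = uuid.UUID(bytes_le=esl[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", esl, off + 16)
        if list_size < 28 or off + list_size > len(esl):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        if sig_type == EFI_CERT_X509_GUID and sig_size > 16:
            start = off + 28 + hdr_size
            for pos in range(start, off + list_size - sig_size + 1, sig_size):
                # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID plus the cert.
                yield esl[pos + 16:pos + sig_size]
        off += list_size


def shim_trust_status(esl: bytes) -> dict:
    """Report which of the two CAs appear among the X.509 entries of db."""
    certs = list(x509_entries(esl))
    return {
        "ca_2011": any(CA_2011 in c for c in certs),
        "ca_2023": any(CA_2023 in c for c in certs),
    }


def read_db(path: str = DB_PATH) -> bytes:
    with open(path, "rb") as f:
        return f.read()[4:]  # efivarfs prepends 4 bytes of variable attributes


if __name__ == "__main__":
    try:
        print(shim_trust_status(read_db()))
    except OSError as exc:  # not booted via UEFI, or efivarfs not readable
        print("cannot read db:", exc)
```

A result with `ca_2011` true and `ca_2023` false is the case the post is worried about: the machine keeps booting what it already has, but a 2023-only shim would not be trusted until the firmware's db is updated.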