Microsoft is planning to roll over its Secure Boot root certificates that have been in use since 2011, which will require distributions to update their bootloaders and shims. This change affects most x86, x86-64, and many arm64 systems that rely on Microsoft's UEFI CA certificates for Secure Boot. The author, a Debian EFI team member and shim-review team member, provides a heads-up to distributions about this upcoming change and its implications.
Background
Secure Boot is a security standard that helps ensure a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). It uses cryptographic signatures to verify the authenticity of boot software, with Microsoft's certificates being the most widely used root of trust.
- Source: Lobsters
- Published: May 22, 2026 at 05:48 PM
- Score: 7.0 / 10