amlib a day ago

> The expiry date is enforced for signing new binaries

Does this mean that updating my system kernel would fail or even break boot?

mjg59 10 hours ago

Shim, the first-stage bootloader on Linux, is designed to be updated infrequently. Distributions embed their own signing certificate in it and have that binary signed by Microsoft. The actual bootloader (typically either grub or systemd-boot) is then signed with the distribution certificate, as is the kernel. Distributions get to set their own policy around how long that certificate lasts for; it's entirely unrelated to the Microsoft certificate expiry.

epakai 16 hours ago

No, distros use a shim binary that is less likely to need updates. If that shim needs an update (only signed with the new key), then we get into a situation where old machines will fail to boot it.
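The chain mjg59 describes (Microsoft CA signs shim, shim carries the distribution certificate, distribution certificate signs grub and the kernel) and the old-machine failure epakai raises, as an added model that is not code from the thread. Certificate names, expiry years, the firmware `db` contents and a SHA-256 digest standing in for an Authenticode signature are constructed assumptions; the only behaviour taken from the thread is that expiry is enforced when signing, not when the firmware verifies at boot.

```python
# Added model of the shim trust chain; certs, dates and signatures are constructed stand-ins.
import hashlib
from dataclasses import dataclass
@dataclass(frozen=True)
class Cert:
    name: str
    not_after: int  # expiry year (model)

@dataclass
class Binary:
    name: str
    payload: bytes
    signature: tuple = (None, "")  # (signer Cert, sha256 of payload)
    vendor_certs: tuple = ()       # shim embeds the distribution cert here

def sign(binary, signer, now):
    """Signing service: expiry is enforced when signing new binaries."""
    if now > signer.not_after:
        raise PermissionError(f"{signer.name} expired; refusing to sign {binary.name}")
    binary.signature = (signer, hashlib.sha256(binary.payload).hexdigest())
    return binary

def verify(binary, trusted):
    """Boot-time check: signer in the trust set and digest matches. Expiry is NOT re-checked."""
    signer, digest = binary.signature
    return signer in trusted and digest == hashlib.sha256(binary.payload).hexdigest()

def boot(shim, bootloader, kernel, db):
    """Firmware checks shim against db; shim checks later stages against db plus its own certs."""
    if not verify(shim, set(db)):
        return "shim rejected by firmware"
    trusted = set(db) | set(shim.vendor_certs)
    for stage in (bootloader, kernel):
        if not verify(stage, trusted):
            return f"{stage.name} rejected by shim"
    return "booted"
MS_OLD, MS_NEW, DISTRO = Cert("MS CA old", 2026), Cert("MS CA new", 2040), Cert("Distro CA", 2035)
OLD_DB = (MS_OLD,)  # firmware db that only trusts the old Microsoft CA
def scenario():
    shim = sign(Binary("shim", b"shim-v1", vendor_certs=(DISTRO,)), MS_OLD, now=2024)
    grub = sign(Binary("grub", b"grub"), DISTRO, now=2028)  # signed after MS_OLD expired
    kernel = sign(Binary("vmlinuz", b"6.x"), DISTRO, now=2028)
    out = {"kernel update, old shim": boot(shim, grub, kernel, OLD_DB)}
    try:
        sign(Binary("shim", b"shim-v2"), MS_OLD, now=2028)
    except PermissionError as e:
        out["new shim via old CA"] = str(e)
    new_shim = sign(Binary("shim", b"shim-v2", vendor_certs=(DISTRO,)), MS_NEW, now=2028)
    out["new shim, old machine"] = boot(new_shim, grub, kernel, OLD_DB)
    return out
```

Running `scenario()` shows a kernel signed after the Microsoft CA's expiry still boots through the old shim, while a shim re-signed under a new CA is refused by a firmware whose `db` only holds the old one.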