Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a key from Microsoft that is set to expire in September. After that point, Microsoft will no longer use that key to sign the shim first-stage UEFI bootloader that is used by Linux distributions to boot the kernel with Secure Boot. But the replacement key, which has been available since 2023, may not be installed on many systems; worse yet, it may require the hardware vendor to issue an update for the system firmware, which may or may not happen. It seems that the vast majority of systems will not be lost in the shuffle, but it may require extra work from distributors and users.
OK, now you are talking about something a bit different - registering own keys in the UEFI system, which is significantly more involved than updating the BIOS, and also requires firmware support, and the firmware also needs to match the motherboard. And the whole issue with ACPI support for Linux shows clearly that having reams of specufications is not enough, the implementation of the BIOS needs to match that specification which whether thsz’s the case you will only learn after you bought the hardware.
Here is a description of that process:
https://docs.bell-sw.com/alpaquita-linux/latest/how-to/use-own-keys-in-secureboot/
Moreover, for any change of the boot chain, bootloader, posdibly also kernel, this needs to be repeated.
Do you think that’s accessible to normal users? Considering most have probably not even ever done a firmware update?
From the first post in this chain
I didn’t start talking about it, this was many comments above