The current certificate created by Microsoft, enrolled in devices and used for signing shim for Secure Boot is expiring at the end of June. Existing devices will keep working past the expiry date but no new signatures will be done by Microsoft past this date.
A new certificate (2023) has been created and new versions of shim are now signed with both keys. As PE signatures can be detached/attached "freely", the latest versions of shim in Fedora/CentOS Stream/RHEL have or will have both signatures soon.
Thus new devices that will only trust the new certificate will also work with the same build of shim.
The issue here is that at one point, we will have to update shim (security issue, new Fedora/CS/RHEL certificate, etc.) and after June 2026, this new build will only be signed with the new key.
Whether or not the trust database can be updated on existing systems depends on the platform or hardware manufacturer. In most cases, fwupd will be responsible for doing the firmware / trust database update.
But before that update happens, bootupd should refuse to update systems to a newer shim signed only with the 2023 Microsoft key if the device does not trust it yet.
A tool has been created to figure that out: sbchooser: rhboot/efivar#294
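The check this issue asks bootupd to make, as an added Python example that is not bootupd's or sbchooser's own code: it parses the EFI_SIGNATURE_LIST entries of the UEFI `db` variable and allows a shim update only if `db` holds at least one of the certificates that signed the new shim (certificates are identified here by the SHA-256 of their DER encoding; the sample `db` and the certificate blobs are constructed placeholders, not Microsoft's real certificates).

```python
import hashlib
import struct
import uuid
from pathlib import Path

# Signature types from the UEFI spec, and the efivarfs path of "db"
# (EFI_IMAGE_SECURITY_DATABASE_GUID); the first 4 bytes of an efivarfs file are attributes.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
DB_EFIVAR = Path("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f")


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, signature_data) for every EFI_SIGNATURE_DATA entry in the blob."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end, pos = off + list_size, off + 28 + hdr_size
        if end > len(blob) or pos > end or sig_size <= 16 or (end - pos) % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        while pos < end:  # each entry: 16-byte SignatureOwner GUID, then the data
            yield sig_type, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def trusted_cert_fingerprints(blob: bytes) -> set:
    """SHA-256 fingerprints of every X.509 certificate enrolled in a db/dbx-style blob."""
    return {fingerprint(d) for t, d in parse_signature_lists(blob) if t == EFI_CERT_X509_GUID}


def shim_update_allowed(db_blob: bytes, new_shim_signer_fingerprints) -> bool:
    """Allow the update only if db trusts at least one certificate that signed the new shim."""
    return bool(trusted_cert_fingerprints(db_blob) & {f.lower() for f in new_shim_signer_fingerprints})


def build_signature_list(sig_type: uuid.UUID, entries) -> bytes:
    """Serialize equal-length entries into one EFI_SIGNATURE_LIST (used to construct test data)."""
    body = b"".join(bytes(16) + e for e in entries)  # zero SignatureOwner GUID
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0])) + body


# Constructed sample db: one placeholder "old CA" DER blob plus one SHA-256 hash entry.
OLD_CA_DER = b"\x30\x82\x01\x00" + b"old-ca-placeholder" * 4
NEW_CA_DER = b"\x30\x82\x01\x00" + b"new-ca-placeholder" * 4  # not enrolled in SAMPLE_DB
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, [OLD_CA_DER])
             + build_signature_list(EFI_CERT_SHA256_GUID, [hashlib.sha256(b"some-binary").digest()]))
```

On a live system, `DB_EFIVAR.read_bytes()[4:]` gives the blob to feed into `shim_update_allowed`, and the signer fingerprints would come from the new shim's Authenticode signatures.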
References: