Secure Boot certificate deadline approaches for Windows and Linux PCs

Three Microsoft-signed Secure Boot certificates expire June 24, requiring updated keys to keep protections current against UEFI boot threats.

By Maya Lindqvist · Senior Technology Correspondent

Photo: Ars Technica

Windows and Linux users face a June 24 deadline tied to Secure Boot, the system that checks whether startup code can be trusted before an operating system loads. Ars Technica reports that three Microsoft-signed certificates used in that process are expiring, prompting a move from older 2011-era signatures to replacements dated 2023.

Secure Boot is meant to block bootkits, a class of malware that tampers with the earliest stages of a computer’s startup sequence. Because that code can run before the operating system and many security tools, Ars Technica reports that bootkits can be hard to find, can reinstall malware after cleanup and can survive operating system reinstallations.

What is changing

The expiring certificates sit inside the chain of trust used by Secure Boot. During startup, Secure Boot checks digital signatures on firmware and software and allows the boot process to continue only when the code is recognized as trusted, such as code from a motherboard maker.

Microsoft is updating Windows 10 and Windows 11 systems as part of the certificate replacement, according to Ars Technica. Linux distributors are also preparing updated “shims,” small first-stage UEFI bootloaders that help connect Microsoft-trusted Secure Boot keys with Linux bootloaders.

Systems that do not receive the new Secure Boot-related keys are expected to keep running. Ars Technica reports, however, that they will not have the updated protection intended to reduce exposure to newer UEFI attacks.

Why the refresh is happening

The certificate change follows the 2023 disclosure of LogoFail, a set of serious flaws in UEFI firmware used to boot many Windows and Linux systems. Ars Technica reports that the vulnerabilities involved image-parsing code used to display hardware makers’ logos during startup, creating a way for attackers to bypass Secure Boot and plant malicious firmware.

UEFI boot attacks are not theoretical. Ars Technica cited LoJax, discovered in 2018, as the first known real-world UEFI attack. The malware was tied to a Kremlin-backed hacking group tracked as Sednit, Fancy Bear and APT 28, and used tools capable of reading and overwriting parts of UEFI flash memory.

Another case, named MosaicRegressor by Kaspersky researchers, was found in 2020. Ars Technica reports that infected devices checked at reboot whether a malicious file was present in the Windows startup folder and installed it if missing. Other UEFI bootkits later identified include ESpecter, FinSpy and MoonBounce.

What users can do

On Windows, users can check the update state by opening Windows Security settings, then Device Security and Secure Boot, according to Ars Technica. A green checkmark indicates the Secure Boot key update has been applied.

Many Windows computers should receive the change through normal monthly patches, but older devices may need manual attention, Ars Technica reports. Linux users should watch their distributions for updated shim releases.

Ars Technica also advises users, where possible, to delay installing new motherboard firmware updates until after the Secure Boot certificates have been replaced. The key update is intended to close the LogoFail-related gap and help guard against future UEFI threats.
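As an added check for administrators (this script is not from the article or from Ars Technica), the following PowerShell reads the Secure Boot db and KEK variables and reports whether the 2011-era Microsoft CAs are still the only entries or whether the 2023 replacements have already been installed. It assumes an elevated PowerShell session on a UEFI system with the built-in SecureBoot module; the certificate names it looks for are Microsoft's published CA names, which the article does not list.

```powershell
# Added example, not code from the article. Requires an elevated prompt on
# a UEFI system with Secure Boot supported (SecureBoot module is built in).
#Requires -RunAsAdministrator

function Get-SecureBootCaStatus {
    try {
        $enabled = Confirm-SecureBootUEFI   # $true/$false; throws on legacy BIOS
    } catch {
        return [pscustomobject]@{
            SecureBootEnabled = $false
            Note              = "Secure Boot not supported here: $($_.Exception.Message)"
        }
    }

    # db and KEK are raw EFI_SIGNATURE_LIST blobs. The CA subject names are
    # stored as printable ASCII inside the DER certificates, so a substring
    # match is sufficient for a presence check (no DER parsing needed).
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    # Assumed names: Microsoft's published 2011 CAs and their 2023 successors.
    $entries = [ordered]@{
        'db : Microsoft Windows Production PCA 2011 (expiring)'    = $db  -match 'Microsoft Windows Production PCA 2011'
        'db : Microsoft Corporation UEFI CA 2011 (expiring)'       = $db  -match 'Microsoft Corporation UEFI CA 2011'
        'KEK: Microsoft Corporation KEK CA 2011 (expiring)'        = $kek -match 'Microsoft Corporation KEK CA 2011'
        'db : Windows UEFI CA 2023 (replacement)'                  = $db  -match 'Windows UEFI CA 2023'
        'db : Microsoft UEFI CA 2023 (replacement)'                = $db  -match 'Microsoft UEFI CA 2023'
        'db : Microsoft Option ROM UEFI CA 2023 (replacement)'     = $db  -match 'Microsoft Option ROM UEFI CA 2023'
        'KEK: Microsoft Corporation KEK 2K CA 2023 (replacement)'  = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    }

    $replacementsPresent = ($entries.Keys | Where-Object { $_ -like '*replacement*' } |
                            ForEach-Object { $entries[$_] }) -notcontains $false

    [pscustomobject]@{
        SecureBootEnabled   = $enabled
        AllNewCAsInstalled  = $replacementsPresent
        Entries             = $entries
    }
}

$status = Get-SecureBootCaStatus
$status | Format-List SecureBootEnabled, AllNewCAsInstalled
$status.Entries.GetEnumerator() | ForEach-Object { '{0,-5} {1}' -f $_.Value, $_.Key }
```

A 2023 CA appearing in db only means the new trust anchor has been enrolled; the boot manager itself must also be updated to a 2023-signed build, so the Windows Security checkmark described above remains the authoritative indicator.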

This story draws on original reporting from Ars Technica.