Unfortunately, or fortunately, he came to the same conclusions I have done:

"...So, uh, what's the story here? Why is there any engineering effort going on at all?...Microsoft will shortly start signing things with a new certificate that chains to a new root....How meaningful a risk is this? We don't have an explicit statement from Microsoft as yet as to what's going to happen here...., but we expect that there'll be at least a period of time where Microsoft signs binaries with both the old and the new certificate, and in that case those objects should work just fine on both old and new computers.... The problem arises if Microsoft stops signing things with the old certificate, at which point new releases will stop booting on systems that don't trust the new key (which, again, shouldn't happen)...."

In short, he doesn't really know - nor do I - what Microsoft is going to do - since they haven't said anything. And the reason they haven't said anything is if they do say anything it will discourage users and admins from doing firmware BIOS updates - and there are many more important reasons than Secure Boot to keep BIOSes updated.

My guess, knowing Microsoft, is that they will ALWAYS sign Windows 11 boot images with both the new and the old key. Then, during installation, Windows 11 will probe and determine if the system BIOS has only the old key, or only the new key, or both old and new keys. If the system has only the old key, Microsoft will install a boot loader signed with the old key and mark the system as not able to accept patches for the bootloader from Windows Updates.

He also stated:

"... Outside some corner cases, the worst case is you might need to boot an old Linux to update your trusted keys to be able to install a new Linux, and no computer currently running Linux will break in any way whatsoever...."

Having Linux users have to use an old boot stick to insert the new certificate into the TPM chip is acceptable for Linux users because Linux users are technical enough that they will either demand BIOS updates from their PC makers or they will just accept that every time they lose battery CMOS they will have to go through this process to reinsert the new certificate into their PC. However it would NOT be acceptable to Windows users to do this with Windows - which is why I suspect that Microsoft will do as I suspect - and do as he suspects - and continue signing Windows 11 boot sticks with both the old and new certificate.

I also would recommend from experience that all Linux users keep a Win10 or Rufus-modified W11 boot stick around because you may encounter a machine that you want to run Linux on that needs a BIOS update, and many PC makers only release BIOS updates that run under Windows to do the actual update. Many times I've had to boot Windows on a system then do all firmware updates on it THEN boot Linux on it when I wanted to load Linux or FreeBSD on that system.

Ted

-----Original Message-----
From: PLUG <[email protected]> On Behalf Of Galen Seitz
Sent: Wednesday, April 22, 2026 8:50 AM
To: [email protected]
Subject: Re: [PLUG] [PLUG-ANNOUNCE] Speaker for May General Meeting?

Ted, you may want to read Matthew Garrett's blog postings about secure boot. That's assuming you haven't already done so. AFAIK, he's the most knowledgeable person regarding Linux and secure boot. This posting seems the most relevant, but I expect there are others that would be worth reading.

<https://mjg59.dreamwidth.org/#entry-72892>

Note that the location of Matthew's blog has moved over the years. He's currently here:
<https://codon.org.uk/~mjg59/blog/>
Prior to that:
<https://mjg59.dreamwidth.org/>
And earlier:
<https://mjg59.livejournal.com/>

galen

--
Galen Seitz
[email protected]
