Secure Boot and CA Rollover - a heads-up for distributions

Background

I'm a member of the EFI team in Debian, and I've done much of the work for Debian to support UEFI Secure Boot (SB) in recent years. We have included that support for a number of releases now, starting back with Debian 10 (aka Buster). I'm also a long-time accredited member of the shim-review team, the group that checks and approves shim binaries before Microsoft will sign them. See the Debian wiki for lots of background details about Secure Boot and how we do things in Debian.

Secure Boot depends on signatures, which are verified during boot using a chain of X.509 certificates. The root certificate(s) in the chain are embedded in computer firmware, then later software such as shim can add more certificates to extend the trust. Easy, right?

The problem - certificates expire...

Microsoft administer the most widespread Secure Boot root certificates, and have been doing so since the very beginning of UEFI Secure Boot as a concept. The Microsoft UEFI CA certificates are included in just about every x86 and x86-64 computer shipped, and also in quite a lot of arm64 machines too. (The fact that Microsoft is therefore a gatekeeper for Linux running under Secure Boot is very unpopular in some quarters, but this is just a fact of life in the world we live in.)

The current certificates have been around since 2011:

1. Windows Production PCA 2011 (used for signing Windows components)

   Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
   Validity
       Not Before: Oct 19 18:41:42 2011 GMT
       Not After : Oct 19 18:51:42 2026 GMT

   This expires in October this year, ~5 months from now.

2. Third Party Marketplace Root (used for signing option ROMs and other software)

   Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
   Validity
       Not Before: Jun 27 21:22:45 2011 GMT
       Not After : Jun 27 21:32:45 2026 GMT

For Linux folks, this s...
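The chain described above starts with whatever certificates sit in the firmware's db variable, so the first useful check for a distribution or an admin is to read what is actually there and when it expires. The following is an added example, not code from this post or from Debian: it parses the EFI_SIGNATURE_LIST format used by db (the contents of /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f after stripping the 4-byte attribute prefix) and reports the notAfter date of every X.509 entry by walking the DER prefix of each certificate. The function names are my own; the sample blob is constructed inside the block from certificate skeletons carrying the two validity periods quoted above, and the EFI_CERT_X509_GUID constant is the value from the UEFI specification.

```python
import struct
import uuid
from datetime import datetime, timezone
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")   # UEFI spec value

def der_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length: 0x8N then N bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length                       # (tag, value_start, value_end)

def x509_not_after(cert):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as a UTC datetime."""
    _, pos, _ = der_tlv(cert, 0)                        # Certificate SEQUENCE
    _, pos, _ = der_tlv(cert, pos)                      # tbsCertificate SEQUENCE
    tag, _, end = der_tlv(cert, pos)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        pos = end
    for _ in range(3): _, _, pos = der_tlv(cert, pos)   # skip serialNumber, signature, issuer
    _, pos, _ = der_tlv(cert, pos)                      # validity SEQUENCE
    _, _, pos = der_tlv(cert, pos)                      # skip notBefore
    tag, start, end = der_tlv(cert, pos)                # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(cert[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def db_cert_expiries(blob):
    out, pos = [], 0
    while pos < len(blob):                              # each EFI_SIGNATURE_LIST has a 28-byte header
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        entry = pos + 28 + hdr_size                     # first EFI_SIGNATURE_DATA
        while entry < pos + list_size:
            if sig_type == EFI_CERT_X509_GUID:          # 16-byte SignatureOwner, then the DER cert
                out.append(x509_not_after(blob[entry + 16:entry + sig_size]))
            entry += sig_size
        pos += list_size
    return out

def sample_db(validities):
    """Constructed sample: one list per cert, each cert a DER prefix up to validity (not a real cert)."""
    blob = b""
    for not_before, not_after in validities:            # 13-byte UTCTime strings, e.g. b"261019185142Z"
        validity = b"\x17\x0d" + not_before + b"\x17\x0d" + not_after
        tbs = (b"\xa0\x03\x02\x01\x02" + b"\x02\x01\x01" + b"\x30\x0b\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
               + b"\x30\x00" + b"\x30" + bytes([len(validity)]) + validity)  # v3, serial, sha256RSA, issuer, validity
        cert = b"\x30" + bytes([len(tbs) + 2]) + b"\x30" + bytes([len(tbs)]) + tbs
        blob += (EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 44 + len(cert), 0, 16 + len(cert))
                 + uuid.UUID(int=0).bytes_le + cert)    # SignatureType, sizes, SignatureOwner, data
    return blob
```

On a real machine, pass the efivars file contents (minus the first 4 bytes) to db_cert_expiries and compare each date against today; the two 2011 roots above will show June and October 2026.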