Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a key from Microsoft that is set to expire in September. After that point, Microsoft will no longer use that key to sign the shim first-stage UEFI bootloader that is used by Linux distributions to boot the kernel with Secure Boot. But the replacement key, which has been available since 2023, may not be installed on many systems; worse yet, it may require the hardware vendor to issue an update for the system firmware, which may or may not happen. It seems that the vast majority of systems will not be lost in the shuffle, but it may require extra work from distributors and users.
I think this already bites people, it has started, it’s not in September but now?: https://x.com/rogerioperdiz/status/1946873449537798582
I just tried to distro-hop and found my BIOS had been locked with a password. Assuming I didn’t set a password that I subsequently forgot (and that isn’t one of the many I have memorized), I figured this might have something to do with the age of the laptop (I have a HP 4540s). If certificate expiration is already affecting people then this might be it.
EDIT: I just forgot I set a password, and it took me 2 days to realize that I was stupid enough to have set the password that I used for everything when I was 12 years old.
How did you bypass the password?
I didn’t. And apparently you can’t without trying to short-circuit the motherboard. I just assumed, and assumed wrong.
Not OP, but BIOSes often give you a specific error code after a few wrong password attempts. You can put the code in here to recover the password: https://bios-pw.org/
The details are complex; it has humorously been called “security by security”.
Hobby Linux users could, as far as I understand , simply disable UEFI secure boot (after weigthing carefully what secure boot provides to them, and what it does not provide). Otherwise, they’ll need a firmware upgrade before any upgrade to a new OS / bootloader chain.
Small companies which use old laptops with Windows might be bitten hard by this because they can become locked out of their hardware with no way to update it, or even make a backup!
And by the way, Intel motherboards which are running your Linux system may contain a copy of Minix - yes, the Minix from the historic Tanenbaum vs. Torvalds debate - which runs below the OS in the system management mode engine and is controlled by the vendor, which can e.g. update firmware via the network. SMM is normally not visible by the user but it can cause problems e.g. for real-time applications because it has higher privileges than the kernel and can interrupt all of the kernel at any time.
Funny how Microsoft does this just before the October EOL deadline for Windows 10, when a whole bunch of hardware is being forcibly obsoleted…
