When current Secure Boot certificates expire (June 2026), can new OS be installed on a dual boot Windows 10/Ubuntu PC?

I've seen statements that, when the Secure Boot certificates expire (the 2011 ones, in June 2026), machines will continue to boot their current operating systems.

Without a means to install new certificates, can an OS be updated or a new OS installed without needing to turn off Secure Boot?

  • On a dual boot Windows 10/Ubuntu PC, can a newer version of Ubuntu be installed, and would that affect booting Windows 10?
  • On Ubuntu-only machines, can they be updated to a new version?
  • Are there ways for a new OS, installed with Secure Boot off, to be accepted as a Secure Boot OS?


Top Answer/Comment:

It seems that the issue with these certificates (CAs) isn't so much that they expire, but more that Microsoft will stop using them for signing and will switch to newer ones – which older computers don't recognize.

On a Windows 10/Ubuntu PC, can a newer version of Ubuntu be installed

The entire mechanism of Secure Boot is that when your firmware is in Secure Boot mode, it will only accept a signature made by a certificate it recognizes.

So, if the newer version of Ubuntu is signed (indirectly) only by Microsoft's new 2023 CA, but your firmware doesn't have that CA as "trusted" in db, then it will not accept that version of Ubuntu. That's literally the Secure Boot feature in a nutshell.

If the newer version of Ubuntu is signed by both the old and new CAs, then the firmware will accept it as long as it recognizes one of the signatures.

If the newer version of Ubuntu is signed by only the old 2011 CA, then it will still be recognized. The way Secure Boot works in Ubuntu is that only a single, very generic component – Shim – is actually signed by Microsoft, and Ubuntu are free to re-use the same "old signature" version of Shim for later Ubuntu releases.

(At least until they're forced to upgrade Shim due to bug fixes on something, and then the new Microsoft signing practices will apply.)

I don't know which option Ubuntu will choose; and I don't know whether Microsoft will actually stop signing Windows and/or Shim with the old keys or whether they'll dual-sign.

and would that affect booting Windows 10?

Not in any unusual way. Installing Ubuntu won't automatically upgrade Secure Boot certificates (as far as I know). At most it'll do the usual bootloader rearrangement, adding itself at the top of the UEFI "boot order" list.

Ubuntu will probably automatically include Windows in its own boot menu, although if you are using BitLocker, then you'll want to bypass that and directly choose Windows from the UEFI boot menu (as BitLocker prefers to not have any third-party signatures in the boot process) – but that's not a new problem at all, and largely unrelated to the certificate change. BitLocker's PCR7 binding has always been strict that way.

On Ubuntu-only machines, can they be updated to a new version?

Various manufacturers have published the same update through fwupd. I think Ubuntu deploys fwupd by default, so take a look at sudo fwupdmgr get-updates.

As far as I know, the update for the db list (which is the "who can sign an OS" list) is completely generic – signed by Microsoft's KEK CA, not by a manufacturer-specific one – so it should be possible to apply manually even for systems which don't receive it via fwupd.

Updating the KEK list though (which is the "who can issue updates" list) does require the specific manufacturer's signature (using the Platform Key that matches your firmware), but it's generally less important. As long as you apply the db update, the missing KEK update won't prevent any OS from booting.

Finally, you can always set Secure Boot to custom mode and manually manage your own db and KEK, completely bypassing the signature checks.

Are there ways for a new OS, installed with Secure Boot off, to be accepted as a Secure Boot OS?

If you're able to turn off Secure Boot entirely, then you're almost always able to customize Secure Boot certificates by switching it to "custom" mode (sometimes as a specific option, and sometimes implicitly by deleting the Platform Key PK) which then allows you to update the KEK and db lists in any way you like. Or, depending on firmware, it might offer to install db entries directly from the settings screen.

For example, you can manually install the latest Microsoft UEFI CA to db in order to make Secure Boot recognize a new Windows or Ubuntu version, without having to rely on a proper KEK-signed update from Microsoft or the manufacturer.

Linux users often use this method to do entirely custom, in-house Secure Boot signing (especially on distributions which don't do distro-level signing). See e.g. sbsign on the Arch Linux Wiki.
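
Added example (not part of the question or the answer above): the db the answer keeps referring to is a UEFI variable holding a chain of EFI_SIGNATURE_LIST structures, each a 28-byte header followed by same-size EFI_SIGNATURE_DATA entries (a SignatureOwner GUID plus either X.509 DER or a hash). The script below parses such a chain, flags the 2011 and 2023 Microsoft CAs by their subject CN strings, and builds lists in the same format that cert-to-efi-sig-list emits for the custom-mode enrolment route the answer describes. Assumptions: the CN strings and Microsoft's SignatureOwner GUID are quoted from the published certificates, not from this page; the "certificates" in the sample data are constructed stand-ins that contain only those CN strings; recognising a CA by substring is a shortcut for a real X.509 parse.

```python
"""Parse and build UEFI Secure Boot signature databases (EFI_SIGNATURE_LIST).

Added example, not code from the original question or answer. efivarfs exposes
the raw db at /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e8b8c39
with a 4-byte attribute word in front of the list chain.
"""
import hashlib
import struct
import sys
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
MS_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")  # Microsoft's SignatureOwner
ESL_HEADER = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize

# Subject CNs of the Microsoft db CAs (2011 ones current shims chain to, 2023 successors).
KNOWN_CNS = {
    "Microsoft Corporation UEFI CA 2011": "old (2011) third-party CA",
    "Microsoft UEFI CA 2023": "new (2023) third-party CA",
    "Microsoft Windows Production PCA 2011": "old (2011) Windows CA",
    "Windows UEFI CA 2023": "new (2023) Windows CA",
}


def build_esl(sig_type, entries, owner=MS_OWNER):
    """Serialize one EFI_SIGNATURE_LIST (the format cert-to-efi-sig-list produces).
    Every entry in a list shares one SignatureSize, so mixed sizes need separate lists."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("entries of differing sizes need separate lists")
    sig_size = 16 + sizes.pop()  # SignatureOwner GUID + SignatureData
    body = b"".join(owner.bytes_le + e for e in entries)  # EFI_SIGNATURE_DATA[]
    return ESL_HEADER.pack(sig_type.bytes_le, ESL_HEADER.size + len(body), 0, sig_size) + body


def parse_esl_chain(blob, strip_attrs=False):
    """Yield (sig_type, owner, data) for every signature in a chain of lists."""
    if strip_attrs:
        blob = blob[4:]  # drop the UINT32 attribute word efivarfs prepends
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        start, end = off + ESL_HEADER.size + hdr_size, off + list_size
        if sig_size < 16 or end > len(blob) or end < start or (end - start) % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        for pos in range(start, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
        off = end


def classify_db(blob, strip_attrs=False):
    """Describe every db entry and flag the known Microsoft CAs."""
    out = []
    for sig_type, owner, data in parse_esl_chain(blob, strip_attrs):
        entry = {"owner": str(owner), "sha256": hashlib.sha256(data).hexdigest(),
                 "kind": "other", "known_ca": None}
        if sig_type == EFI_CERT_X509_GUID:
            entry["kind"] = "x509"
            # DER stores the CN as raw ASCII, so a substring match on the DER is enough
            # here; use `openssl x509 -inform der -noout -subject` for a real parse.
            entry["known_ca"] = next((label for cn, label in KNOWN_CNS.items()
                                      if cn.encode() in data), None)
        elif sig_type == EFI_CERT_SHA256_GUID:
            entry["kind"] = "sha256"  # hash allow-list entry, no certificate
        out.append(entry)
    return out


def has_2023_ca(blob, strip_attrs=False):
    """True when db already trusts the 2023 third-party CA that newer shims will need."""
    return any(e["known_ca"] == "new (2023) third-party CA"
               for e in classify_db(blob, strip_attrs))


# Constructed stand-ins for certificates: not real DER, only the CN substring matters.
CERT_2011 = b"\x30\x82fake-der:" + b"Microsoft Corporation UEFI CA 2011" + b"\x00" * 20
CERT_2023 = b"\x30\x82fake-der:" + b"Microsoft UEFI CA 2023" + b"\x00" * 40


def sample_db_old_only():
    """A 2011-era db: the 2011 third-party CA plus one SHA-256 hash entry."""
    return (build_esl(EFI_CERT_X509_GUID, [CERT_2011])
            + build_esl(EFI_CERT_SHA256_GUID, [hashlib.sha256(b"some-binary").digest()]))


def sample_db_updated():
    """The same db after a 2023 CA list was appended (what the db update does)."""
    return sample_db_old_only() + build_esl(EFI_CERT_X509_GUID, [CERT_2023])


if __name__ == "__main__":
    # With a path argument, inspect a real efivarfs db file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            db, attrs = f.read(), True
    else:
        db, attrs = sample_db_updated(), False
    for e in classify_db(db, strip_attrs=attrs):
        print(e["kind"], e["sha256"][:16], e["known_ca"] or "-")
    print("2023 third-party CA present:", has_2023_ca(db, strip_attrs=attrs))
```

Run it (typically as root) against /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e8b8c39 to see whether the firmware already trusts the 2023 CA before deciding whether a fwupd or manual db update is needed; `mokutil --db` gives the same information as a cross-check. A list built with build_esl is only the payload: in user mode the firmware accepts it only after it is signed by a key in KEK (sign-efi-sig-list does that), which is exactly why the answer's alternative is switching to custom mode and enrolling it from firmware setup.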
