Rocky Linux and the Changing Secure Boot Landscape
·2 mins
I wrote this for Rocky Linux because the Secure Boot ecosystem is going through a real transition and it is easy to get caught off guard. The Microsoft 3rd Party UEFI CA that has signed Linux shims expires in 2026, so Microsoft is issuing new CAs and updating the KEK in the chain of trust. This is not Rocky-specific, it affects any operating system relying on a signed shim.
Originally published on Rocky Linux Read the full article →A few things I wanted people to walk away with:
- Rocky is shipping dual-signed shims. The same binary carries both the old 2011 CA and the new 2023 CA signatures, so it covers the transition, though whether it boots depends on your firmware being able to validate multiple PE signatures.
- Check what your firmware actually has enrolled. Use
mokutil --dborefi-readvar -v dbandefi-readvar -v KEKbefore OEM firmware updates reach you, and watch for the new Windows UEFI CA 2023 and Microsoft Corporation KEK 2K CA 2023. - Do not manually enroll the new KEK or CAs without a recovery plan. Modifying UEFI variables can leave a system that will not boot at all; let vendor firmware updates via
fwupdhandle it where possible.
This rollout unfolds gradually through 2026 and beyond, so track your vendor’s firmware release notes rather than expecting a single cutover.