Microsoft Certificate for Shim Expires - How to Prevent Secure Boot Issues

On , the root certificates for shims issued in 2011 will expire. This article describes the possible impact and how to avoid issues with Secure Boot.


Introduction

UEFI Secure Boot ensures that the firmware only hands control to boot components signed by a party it trusts. Before starting an operating system bootloader, the device's UEFI firmware verifies the bootloader's signature against the certificates stored in its Secure Boot signature database (db), which the hardware vendor populates at the factory and which on practically all commodity hardware contains a Microsoft UEFI CA certificate. Linux systems such as IGEL OS are not signed by Microsoft directly, which is why the Shim mechanism was developed. The Shim is shipped as part of the operating system package and acts as the first-stage bootloader, positioned between the firmware and the operating system's own bootloader. The Shim carries a Microsoft signature, and since the matching Microsoft certificate is pre-installed in db by the hardware vendor, the device trusts a Microsoft-signed Shim. The Shim in turn verifies the next boot stage against the certificate the operating system vendor has embedded in it.

The Microsoft UEFI Secure Boot certificates issued in 2011 (for the Shim, the Microsoft Corporation UEFI CA 2011) are reaching the end of their validity and have also been affected by security incidents, so Microsoft issued successor certificates in 2023 (for the Shim, the Microsoft UEFI CA 2023). As a consequence, the Shim included in IGEL OS must be updated so that Secure Boot keeps working in either case. Devices that already boot will generally keep booting, because UEFI firmware does not enforce certificate expiry dates; the practical impact is that new Shim builds can no longer be signed with the 2011 key, and hardware shipped with only the 2023 certificate in its db rejects a Shim signed only under the 2011 CA. To make sure that IGEL OS boots on machines with the Secure Boot certificate from 2011, from 2023, or both, we offer a dual-signed Shim, i.e., a Shim carrying one signature chained to each of the two Microsoft CAs.

Expected Impact

IGEL OS Versions with Dual-Signed Shim

The following versions of IGEL OS ship a dual-signed Shim, so they boot on hardware whose Secure Boot database contains the certificate from 2011, the certificate from 2023, or both:

  • IGEL OS 11.11.150  

  • IGEL OS 12.8.1 LTS 

  • IGEL OS 12.9.0  

Action Required

  • If your hardware has a Secure Boot certificate from 2011, the lowest recommended IGEL OS versions are:

    • IGEL OS 11.10.410 

    • IGEL OS 12.7.2 

  • If your hardware only has a Secure Boot certificate from 2023, use an IGEL OS version listed under IGEL OS Versions with Dual-Signed Shim.
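To turn the decision above into a check you can run on a device, the following script is an added example and not IGEL code: it classifies which of the two Microsoft CAs the device's Secure Boot db contains, which CAs signed a given Shim binary, and whether the two overlap, which is the condition under which the firmware accepts the Shim. It assumes the clear-text output of `mokutil --db` (or `efi-readvar -v db`) for the database and of `sbverify --list` from sbsigntools for the binary; the sample outputs embedded in it are constructed, and the default Shim path is a placeholder, not IGEL's real installation path.

```shell
#!/bin/sh
# Added example (not IGEL code): which Microsoft UEFI CAs does this device
# trust, which CAs signed a given Shim, and do the two sets overlap?
# Assumptions: `mokutil --db` / `efi-readvar -v db` print the db certificate
# names in clear text; `sbverify --list` prints one "issuer:" line per
# certificate of each Authenticode signature; the samples are constructed;
# the default Shim path is a placeholder, override it via the first argument.

CA_2011='Microsoft Corporation UEFI CA 2011'
CA_2023='Microsoft UEFI CA 2023'

# classify_db TEXT -> both | 2011-only | 2023-only | none
classify_db() {
    has2011=0; has2023=0
    printf '%s\n' "$1" | grep -q "$CA_2011" && has2011=1
    printf '%s\n' "$1" | grep -q "$CA_2023" && has2023=1
    case "${has2011}${has2023}" in
        11) echo both ;;
        10) echo 2011-only ;;
        01) echo 2023-only ;;
        *)  echo none ;;
    esac
}

# shim_verdict TEXT -> dual-signed | 2011-only | 2023-only | no-microsoft-signature
# Only the "issuer:" lines count: the signing leaf certificate may vary, but
# the issuing CA is what the firmware has to find in db.
shim_verdict() {
    issuers=$(printf '%s\n' "$1" | grep 'issuer:' || true)
    s2011=0; s2023=0
    printf '%s\n' "$issuers" | grep -q "$CA_2011" && s2011=1
    printf '%s\n' "$issuers" | grep -q "$CA_2023" && s2023=1
    case "${s2011}${s2023}" in
        11) echo dual-signed ;;
        10) echo 2011-only ;;
        01) echo 2023-only ;;
        *)  echo no-microsoft-signature ;;
    esac
}

# boot_compatible DB_CLASS SHIM_CLASS -> yes | no
# Secure Boot accepts the Shim if at least one CA that signed it is in db.
boot_compatible() {
    case "$1/$2" in
        both/dual-signed|both/2011-only|both/2023-only) echo yes ;;
        2011-only/dual-signed|2011-only/2011-only)      echo yes ;;
        2023-only/dual-signed|2023-only/2023-only)      echo yes ;;
        *) echo no ;;
    esac
}

# Constructed sample: the subject lines of `mokutil --db` on a device whose db
# holds only the 2011 CA (real output also dumps the complete certificates).
SAMPLE_DB_2011_ONLY='[key 1]
Certificate:
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011'

# Constructed sample: a db that holds both CAs.
SAMPLE_DB_BOTH="$SAMPLE_DB_2011_ONLY
[key 2]
Certificate:
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023"

# Constructed sample in the layout of `sbverify --list shimx64.efi` for a
# dual-signed Shim: two signatures, one chained to each Microsoft CA.
SAMPLE_SHIM_DUAL='signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
signature 2
image signature issuers:
 - /C=US/O=Microsoft Corporation/CN=(2023 chain root, constructed)
image signature certificates:
 - subject: /C=US/O=Microsoft Corporation/CN=(2023 signing certificate, constructed)
   issuer:  /C=US/O=Microsoft Corporation/CN=Microsoft UEFI CA 2023'

# The same Shim with only its first signature, i.e. a 2011-only build.
SAMPLE_SHIM_2011=$(printf '%s\n' "$SAMPLE_SHIM_DUAL" | sed '/^signature 2$/,$d')

# Worked decision on the constructed samples, plus the one combination that
# fails: a 2023-only device with a 2011-only Shim needs a dual-signed build.
for db in "$SAMPLE_DB_2011_ONLY" "$SAMPLE_DB_BOTH"; do
    for shim in "$SAMPLE_SHIM_DUAL" "$SAMPLE_SHIM_2011"; do
        d=$(classify_db "$db"); s=$(shim_verdict "$shim")
        echo "db=$d shim=$s boot=$(boot_compatible "$d" "$s")"
    done
done
echo "db=2023-only shim=2011-only boot=$(boot_compatible 2023-only 2011-only)"

# Live check on this device when the tools exist (root is needed to read the
# EFI variables; the Shim path is an assumption).
SHIM_PATH="${1:-/boot/efi/EFI/BOOT/BOOTX64.EFI}"
if [ -d /sys/firmware/efi ] && command -v mokutil >/dev/null 2>&1; then
    echo "this device's db trusts: $(classify_db "$(mokutil --db 2>/dev/null)")"
fi
if [ -r "$SHIM_PATH" ] && command -v sbverify >/dev/null 2>&1; then
    echo "$SHIM_PATH is: $(shim_verdict "$(sbverify --list "$SHIM_PATH" 2>/dev/null)")"
fi
```

The classifiers match on the CA names only, so they work on both the `Subject: ...` layout of mokutil and the `/CN=...` layout of sbverify; a result of `2023-only` for the db combined with anything other than `dual-signed` or `2023-only` for the Shim is the case where an older IGEL OS image will not boot with Secure Boot enabled.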