
Linux Secure Boot Breaks as Microsoft Certificate Expires September

Source: Hacker News

Linux systems with Secure Boot enabled face a critical deadline: Microsoft's 2011 signing certificate for the shim bootloader expires on September 11, making installation media unbootable after that date. The shim bootloader serves as the first-stage UEFI component that Linux distributions rely on to boot with Secure Boot enabled.

Fedora developer Mateus Rodrigues Costa discovered the issue after spotting warnings in Windows 11 updates. While Microsoft released a 2023 replacement key, millions of systems lack this updated certificate in their firmware databases. Older systems are particularly affected, with some lacking any Microsoft keys entirely.

The LVFS and fwupd tools offer a path forward, enabling firmware updates to add the new certificate. However, roughly 1-2% of update attempts fail due to EFI variable space limitations, requiring BIOS resets. Some vendors have already lost access to their platform keys, creating additional complications for the update process.
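As an added example, not part of the briefing: a Python script that parses the EFI_SIGNATURE_LIST chain stored in the firmware's `db` variable and reports which Microsoft UEFI CA certificates it holds, so you can tell whether a machine still needs the fwupd/LVFS database update. The signature-type GUIDs and the efivarfs path are the standard UEFI/Linux ones; the CA subject names ("Microsoft Corporation UEFI CA 2011", "Microsoft UEFI CA 2023") are matched as substrings of the DER bytes, and the sample `db` is constructed, with a fake blob standing in for a real certificate.

```python
import struct
import sys
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Subject common names of Microsoft's old and new third-party UEFI CAs.
MS_CA_2011 = "Microsoft Corporation UEFI CA 2011"
MS_CA_2023 = "Microsoft UEFI CA 2023"

def parse_signature_lists(data: bytes):
    """Yield (type GUID, owner GUID, signature) from a chain of EFI_SIGNATURE_LISTs."""
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if list_size < 28 + hdr_size or end > len(data) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:
            yield sig_type, uuid.UUID(bytes_le=data[pos:pos + 16]), data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def microsoft_cas_in_db(data: bytes) -> set:
    """Names of Microsoft UEFI CAs found in X.509 entries. A substring match on
    the DER bytes (the same crude check as `mokutil --db | grep`) avoids an X.509 parser."""
    found = set()
    for sig_type, _owner, sig in parse_signature_lists(data):
        if sig_type == EFI_CERT_X509_GUID:
            found.update(n for n in (MS_CA_2011, MS_CA_2023) if n.encode() in sig)
    return found

def build_signature_list(sig_type: uuid.UUID, sigs: list) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST with zero owner GUIDs (for the sample below)."""
    body = b"".join(bytes(16) + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(sigs[0])) + body

# Constructed sample db: one SHA-256 hash entry plus a fake DER blob that merely
# contains the 2011 CA's name; it is not a real certificate.
SAMPLE_DB = (build_signature_list(EFI_CERT_SHA256_GUID, [b"\x11" * 32])
             + build_signature_list(EFI_CERT_X509_GUID, [b"\x30\x82" + MS_CA_2011.encode()]))

if __name__ == "__main__":
    # For a live check pass /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
    # (efivarfs prefixes the variable data with 4 attribute bytes, skipped below).
    data = open(sys.argv[1], "rb").read()[4:] if len(sys.argv) > 1 else SAMPLE_DB
    cas = microsoft_cas_in_db(data)
    print(f"Microsoft CAs in db: {sorted(cas) or 'none'}; trusts 2023 CA: {MS_CA_2023 in cas}")
```

Run without arguments it reports on the constructed sample (2011 CA only, so a db update would still be needed); with the efivarfs path it reports on the running machine.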

Most Linux users can resolve this through firmware updates or temporarily disabling Secure Boot, but the situation exposes ongoing dependency on Microsoft-controlled certificates for Linux boot security. Distribution maintainers face a complex challenge supporting diverse hardware while maintaining Secure Boot compatibility.