Key facts
- Three critical cryptographic keys for Secure Boot expire on June 24.
- Secure Boot verifies digital signatures of boot-time software to prevent malware.
- The expiration leaves Windows and Linux systems vulnerable to new UEFI threats.
- Microsoft is updating Windows, and Linux distributors are updating bootloader shims.
- LogoFail vulnerabilities prompted the need for these key updates.
Users of Windows and Linux operating systems are approaching a critical deadline to update cryptographic keys that secure their systems during the boot process. On June 24, three Microsoft-signed certificates that are fundamental to Secure Boot will expire. Secure Boot is a security feature designed to prevent firmware-based malware, known as bootkits, from infecting systems by verifying the digital signatures of all code loaded at startup.
Bootkits are particularly pernicious as they load before the operating system and anti-malware software, making them difficult to detect and remove. They can survive OS reinstalls and reinfect systems. Historically, bootkits have evolved from targeting BIOS and MBR to more advanced UEFI systems, with notable real-world examples like LoJax and MosaicRegressor.