Secure Boot and Expiring Microsoft Keys

Folks, I’m looking for help / clarification on the news going around about expiring Microsoft keys for secure boot. While I am an experienced computer user, I’ll admit firmware is at the very edge of my knowledge.

I’ve seen a few posts, such as this one, saying that the keys used for Secure Boot from 2011 are going to expire and at minimum need to be updated to the 2023 ones (I think), or, as I’ve seen in a few posts here, there is a way to roll your own as well (which are fine? maybe?).

To be honest, I’m not sure if any of this even applies to my Framework computer.

So I’d like to know:

  • How do I know if this is a concern for my computer?
  • How do I check which keys I am using?
  • If needed, how do I update them?

I am on Fedora, Framework 13, 12th gen i5. But that said, I would imagine I’m not the only one who will have this question, so if there is general guidance, I think that would be appreciated.

Thanks for any help!

This will need to be something that Fedora provides to you. They are the one using the key as part of their shim.

You can access Secure Boot via the BIOS options (F2 at boot). There you can look at the installed keys, etc.

Fedora, the one reliant on this security key to build their shim, would be the one that needs to address that.

However, one big obvious thing here is that you can avoid all of this by just disabling Secure Boot. So even if the key expires and you couldn’t boot with Secure Boot on, you can always boot with it off.

Framework has already added them to their recent BIOS versions (they were included out of the box on my FW 13 AI 300 model). You can verify they’re present by booting into UEFI settings → “Administer Secure Boot” and then checking the KEK and DB sections for the Microsoft KEK/UEFI CA 2023 and Windows UEFI CA 2023 entries. Even if they’re not included in your BIOS, you’ll eventually get a separate update through fwupd that loads them.


And I just got the update (2011 → 2023) offered by fwupdmgr refresh & fwupdmgr get-updates for the 3rd party Microsoft Key:

Description:      
        This updates the 3rd Party UEFI Signature Database (the "db") to the latest release from Microsoft. It also adds the latest OptionROM UEFI Signature Database update.

And efi-readvar -v db | grep "UEFI CA" seems to hint that the keys got updated successfully:

C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
C=US, O=Microsoft Corporation, CN=Microsoft Option ROM UEFI CA 2023
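As an added example (not code from the thread, nor from Framework, Fedora or fwupd), here is a POSIX shell script that automates the check the posts above describe: it parses `efi-readvar -v db` and `efi-readvar -v KEK` dumps and reports whether the 2023 Microsoft CAs are installed. For a Fedora shim the certificate that matters is the third-party “Microsoft UEFI CA 2023”, which replaces “Microsoft Corporation UEFI CA 2011” in db; the KEK counterpart is “Microsoft Corporation KEK 2K CA 2023”. The script assumes efitools (`efi-readvar`) and, optionally, `mokutil` for the live `--live` mode; the sample dumps embedded in it are constructed (sizes omitted, issuer names replaced by a placeholder) and follow efi-readvar's layout, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): parse efi-readvar dumps of db and KEK
# and report whether the 2023 Microsoft Secure Boot CAs are present.
# Assumes efitools (efi-readvar) for the live check; sample dumps are constructed.

# Third-party CA that signs distribution shims (replaces "Microsoft Corporation UEFI CA 2011").
THIRD_PARTY_CA_2023="Microsoft UEFI CA 2023"
# KEK that replaces "Microsoft Corporation KEK CA 2011"; db updates are authenticated against KEK.
KEK_CA_2023="Microsoft Corporation KEK 2K CA 2023"

# subject_cns: read an efi-readvar dump on stdin, print the CN of every X509
# *Subject* (Issuer lines are skipped), one per line, deduplicated.
subject_cns() {
  awk '/Subject:/ { want = 1; next }
       want && /CN=/ { sub(/.*CN=/, ""); sub(/,.*/, ""); print; want = 0 }' |
  sort -u
}

# have_cn DUMP CN: succeed if CN is a subject in DUMP.
have_cn() {
  printf '%s\n' "$1" | subject_cns | grep -Fxq "$2"
}

# secure_boot_2023_status DB_DUMP KEK_DUMP: print one of
#   ready      db has the 2023 third-party CA and KEK has the 2023 KEK
#   db-only    db updated, KEK still 2011-only
#   kek-only   KEK updated, db still 2011-only
#   2011-only  neither 2023 certificate installed
secure_boot_2023_status() {
  db_new=0; kek_new=0
  if have_cn "$1" "$THIRD_PARTY_CA_2023"; then db_new=1; fi
  if have_cn "$2" "$KEK_CA_2023"; then kek_new=1; fi
  case "$db_new$kek_new" in
    11) echo ready ;;
    10) echo db-only ;;
    01) echo kek-only ;;
    *)  echo 2011-only ;;
  esac
}

# Constructed sample dumps in efi-readvar's layout (sizes/owners omitted,
# issuer replaced by a placeholder so the test shows issuers are ignored).
SAMPLE_DB_2011=$(cat <<'EOF'
Variable db
db: List 0, type X509
    Signature 0
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
        Issuer:
            C=US, O=Example, CN=Example Issuer Root (constructed)
EOF
)
SAMPLE_DB="$SAMPLE_DB_2011
db: List 1, type X509
    Signature 0
        Subject:
            C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
db: List 2, type X509
    Signature 0
        Subject:
            C=US, O=Microsoft Corporation, CN=Microsoft Option ROM UEFI CA 2023"

SAMPLE_KEK_2011=$(cat <<'EOF'
Variable KEK
KEK: List 0, type X509
    Signature 0
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
        Issuer:
            C=US, O=Example, CN=Example Issuer Root (constructed)
EOF
)
SAMPLE_KEK_2023="$SAMPLE_KEK_2011
KEK: List 1, type X509
    Signature 0
        Subject:
            C=US, O=Microsoft Corporation, CN=Microsoft Corporation KEK 2K CA 2023"

# Live mode on a real machine:  sh check_sb_2023.sh --live
# (mokutil is optional; efi-readvar comes from efitools.)
if [ "${1:-}" = "--live" ]; then
  command -v mokutil >/dev/null && mokutil --sb-state
  secure_boot_2023_status "$(efi-readvar -v db)" "$(efi-readvar -v KEK)"
fi
```

Running it with the constructed samples gives `db-only` for a db that has received the fwupd “3rd Party UEFI Signature Database” update while KEK still holds only the 2011 entry, and `ready` once the 2023 KEK is present as well. Note that the 2023 third-party db entry only helps once your distribution ships a shim signed by that CA; the script tells you what the firmware will accept, not which CA your installed shim was signed with.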
