[GoLUG] Microsoft's Secure Boot UEFI bootloader signing key expires in September, posing problems for Linux user
Kyle Terrien
kyle at terren.us
Sun Sep 7 20:19:15 EDT 2025
On Sun, Sep 07, 2025 at 08:08:24AM -0400, Steve Litt wrote:
> 1) Certain computer vendors and models had UEFIs that would brick the
> machine if you erased your /boot directory.

I might be thinking of something else, but this sounds like the
efivars thing.

TL/DR: There is a virtual filesystem that exposes the motherboard’s
EFI variables, and if it is wiped (e.g. with an accidental rm -rf),
then most motherboard BIOSes will go completely belly up upon the next
POST.

> efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)

Hmm... it’s still mounted rw on Debian 13. I kinda wish the
convention was to mount /boot, /boot/efi, and efivars as ro unless
there is a package manager transaction that needs to update something.
Funtoo did it, at least with /boot, and it was a nice extra layer of
security.
--
[*] Kyle Terrien
Terrenus => from the Earth, to the Cloud
https://terren.us/
Dilexisti justitiam, et odisti iniquitatem. -- Psalmus 44:8
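
An added example, not part of the original message: a POSIX shell check that reports which of the mount points discussed above (/boot, /boot/efi and efivarfs) are mounted read-write. The function name `rw_boot_mounts`, the sample mount table and the choice of /proc/mounts-format input are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit whether boot-critical mount points are writable.
# Input is in /proc/mounts format: device mountpoint fstype options dump pass.

# Mount points named in the message above.
WATCHED="/boot /boot/efi /sys/firmware/efi/efivars"

# rw_boot_mounts (hypothetical helper): read a mount table on stdin and print
# the watched mount points whose options include "rw", one per line, in the
# order they appear in WATCHED.
rw_boot_mounts() {
    awk -v watched="$WATCHED" '
        BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        ($2 in want) {
            # A later line for the same mount point (an over-mount) wins,
            # because it is the filesystem that is actually visible.
            state[$2] = "ro"
            m = split($4, opt, ",")
            for (j = 1; j <= m; j++) if (opt[j] == "rw") state[$2] = "rw"
        }
        END { for (i = 1; i <= n; i++) if (state[w[i]] == "rw") print w[i] }
    '
}

# Constructed sample mount table (not taken from a real machine): /boot is
# not a separate mount, the ESP is read-only, efivarfs is read-write.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot/efi vfat ro,relatime,fmask=0077 0 0
efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0'

# Demonstration on the constructed sample. On a live Linux system use:
#   rw_boot_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | rw_boot_mounts
```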