You have both old and new Secure Boot keys (2011 and 2023) installed.
But anyhow, with Secure Boot enabled in UEFI (in addition to the already described possible boot problems) you can run into problems with several hardware and software components: for example, proprietary drivers (NVIDIA, certain WLAN chips) require MOK enrollment.
Older or more exotic hardware can cause problems.
Certain virtualization solutions, kernel modules, and custom kernels are blocked.
Secure Boot enabled should help against bootkit attacks.
The bootkit attacks are complex and resource-intensive. They are used against:
High-priority targets (governments, armaments, journalists)
Corporate infrastructure
Targeted intelligence operation
If you are not part of these targets it is better to have secure boot disabled.
A typical home user is not a worthwhile target for a bootkit attack – the effort is disproportionate. Classic threats such as phishing, ransomware via email attachments, or compromised downloads are more realistic and do not require the complexity of a bootkit.
If you use, for example, a laptop outside your home, it is more useful to set a BIOS password and use end to end hard disk encryption (LUKS).
I don't understand at all why this security boot is needed?
So it will do more harm than good.
Let's take an example: I have an RTX4060Ti video card, it only has proprietary drivers, that is, the Linux kernel itself cannot pull them up directly when the system starts, they are pulled up later and then with nuances there may be missing sensors and other problems after updating the drivers, that is, you need to disable security boot so that new drivers are registered in the kernel.
Isn't it easier to disable it?
Knowing Linux - there is no access to boot here.
if something goes wrong, no one forbids downloading from the official website of your motherboard manufacturer and updating this boot.
In principle, you can manually register these drivers, but this is a very, very difficult task, especially for new users who do not understand this at all - that is why all distributions advise turning off this boot so that the Nvidia drivers are normally registered in the kernel.
It is not only when updating drivers that this situation occurs, the kernel itself is also updated and running around turning off and on the boot every time is somehow not very good or registering after each update.
I ALWAYS HAVE IT DISABLED, ALL NVIDIA DRIVERS START UP NORMALLY AND EVERYTHING IS WONDERFUL.
So here I will note that those who have Windows simply do not download anything from incomprehensible sites, so as not to break your boot.
Secure boot is a good feature to protect against rootkits. You may or may not care about rootkits. If you care about rootkits and want to defend against them, it is safer to enable secure boot and look up how to manually sign the driver that you need to be compatible with secure boot.
Then I am not sure what I should do in order to get the updated secure boot certificates.
Did you not watch the Christopher Barnatt Explaining Computers video I posted above? It explains how to check your key status and how to resolve it if necessary. I think you may find that your keys have been updated ok anyway, but personally I'm in the "it's unnecessary overkill" and have disabled my secure boot so that I run maybe a tiny risk of a rootkit but have no fear of my boot failing by reason of expired keys.
We always recommend Linux users disable "Secure Boot" in the system BIOS, as it's only a feature for Windows, and is not relevant to Linux. Using "Secure Boot" on Linux leads to unnecessary problems, which are not an issue when the feature is disabled.
I don't think you can catch rootkits on Linux, such files need execute permissions or a password to get to /root
For Windows there is another specific feature called kernel integrity.
Linux has a key sum control system, Windows has a Microsoft Defender scan (offline mode).
I don't know where else you can pick up something if you don't load it on all sorts of incomprehensible sites, all modern browsers like Chrome already have a filter and these security checks, I think some more security extensions will come in handy.
Um, what can they steal from me?
In Chrome, to get passwords, I have a secret phrase "password"
I can also reset the folder like tdata from Telegram to someone, there I also have a local password for the client, no one will log in without a password, and after a couple of times I will get a notification and I will reset the session - by removing the device.
Passwords, correspondence and files are safe, I don't know what else can be stolen there, hmm, my downloaded games from Steam?
I have all the important data on another hard drive, which is completely disconnected from the system.
Actually, I will not be interesting to hackers, they will not steal anything... instead of wasting time on me - they can harm many others.
We're not talking about these rootkits like in 2005-2010, wait a second, we're in 2026 and most of this.. no longer makes sense, because we all know how to remove them through utilities without booting the system. For normal hackers, it's much easier to write your own software or gain the trust of developers, as was the case with Fedora and Red Hat, where the vulnerability was noticed by one user, or rather, a Windows developer.
I think few people know about this situation or are familiar with the nickname Jia Tan.
PS: If a person doesn't know how to ensure reliable security, it's their problem and no security software or antivirus will help.
As you have special security needs, here is a summary of the facts:
you have secure boot enabled and want to leave it enabled
you have only installed the old secure boot keys (2011) and not the new ones (2023), but want to install the new ones (2023)
not possible for you to get BIOS firmware updates with the new keys as it is not available for your PC
the Secure Boot key installation procedures within Linux Zorin OS shown by the AI seem to be too risky and unproven.
If you have a dual boot system with Windows installed, it is easy and reliable to install the new Secure Boot keys within Windows PowerShell via an Admin Terminal.
If you don't have Windows installed and need the new keys anyhow, you could temporarily install Windows for that reason.
Let me know if you need the Secure Boot key 2023 installation tutorial under Windows.
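
A way to check which Microsoft certificate generations (2011, 2023) are enrolled, added here as an example and not part of the thread: it classifies the text that `mokutil --db` or `mokutil --kek` prints. The certificate names it matches are Microsoft's published ones and are not quoted by any poster; the sample inputs and the script name `check.sh` are constructed.

```bash
#!/bin/sh
# Added example: report which Microsoft Secure Boot CA generations appear in
# certificate text such as the output of `mokutil --db` or `mokutil --kek`.
# Assumption: the CN strings below are Microsoft's published certificate
# names; none of them is quoted in the thread.

RE_2011='CN ?= ?Microsoft (Windows Production PCA|Corporation UEFI CA|Corporation KEK CA) 2011'
RE_2023='CN ?= ?(Windows UEFI CA|Microsoft UEFI CA|Microsoft Corporation KEK 2K CA) 2023'

# Reads certificate text on stdin; prints both | 2011-only | 2023-only | none.
classify_sb_certs() {
    # Only Subject lines count, so an issuer name cannot cause a false match.
    subjects=$(grep -E '^[[:space:]]*Subject:' || true)
    has2011=0
    has2023=0
    if printf '%s\n' "$subjects" | grep -Eq "$RE_2011"; then has2011=1; fi
    if printf '%s\n' "$subjects" | grep -Eq "$RE_2023"; then has2023=1; fi
    case "$has2011$has2023" in
        11) echo both ;;
        10) echo 2011-only ;;
        01) echo 2023-only ;;
        *)  echo none ;;
    esac
}

# Constructed samples in the layout mokutil prints (trimmed to Subject lines).
SAMPLE_OLD_ONLY='[key 1]
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
[key 2]
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011'

SAMPLE_BOTH="$SAMPLE_OLD_ONLY
[key 3]
        Subject: C=US, O=Microsoft Corporation, CN=Windows UEFI CA 2023"

# On a real machine: sh check.sh --live   (needs mokutil; may need root)
if [ "${1:-}" = "--live" ]; then
    mokutil --sb-state
    echo "db:  $(mokutil --db  | classify_sb_certs)"
    echo "KEK: $(mokutil --kek | classify_sb_certs)"
else
    echo "old-only sample: $(printf '%s\n' "$SAMPLE_OLD_ONLY" | classify_sb_certs)"
    echo "both sample:     $(printf '%s\n' "$SAMPLE_BOTH" | classify_sb_certs)"
fi
```

A result of `2011-only` for db or KEK is the situation the last post describes: the 2023 certificates still have to be enrolled.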