0:00
On June 24th, something is going to
0:02
happen that the mainstream technology
0:03
press has almost entirely ignored, that
0:06
Microsoft has buried in technical
0:08
documentation written for hardware
0:10
manufacturers rather than human beings,
0:12
and that will affect tens of millions of
0:14
people who have never heard the term
0:15
secure boot in their lives, and who are
0:17
going to wake up that morning to find
0:19
that their computer no longer works the
0:21
way it did the night before. Not slower,
0:23
not glitchier, not missing a feature
0:25
they occasionally used. For a
0:26
significant portion of the people
0:28
affected, their computer is simply going
0:30
to refuse to start. The operating system
0:32
they chose, the one they installed
0:33
deliberately, the one they configured
0:35
carefully, the one that runs their work
0:37
and stores their files and powers the
0:39
tools they depend on every single day,
0:41
is going to hit a wall. A wall that
0:43
Microsoft built. A wall that Microsoft
0:45
is enforcing through a mechanism so
0:47
deeply embedded in modern computer
0:49
hardware that bypassing it requires
0:51
technical knowledge most people do not
0:54
and some cases cannot be bypassed at
0:55
all. That wall has a name. Microsoft
0:58
calls it a secure boot policy update.
1:00
The Linux community calls it what it
1:01
actually is. An existential threat to
1:03
the ability of non-Microsoft operating
1:05
systems to run on Microsoft-influenced
1:07
hardware. And the date it goes fully
1:09
into effect is June 24th.
1:12
By the time this video is over, you're
1:13
going to understand exactly what secure
1:14
boot is, what Microsoft is changing, why
1:17
the timing of this change is not
1:18
coincidental, who is affected, the real
1:21
consequences are for the tens of
1:22
millions of people who run Linux either
1:24
as their primary operating system or
1:26
alongside Windows, and what you can do
1:28
right now to protect yourself, protect
1:30
your system, and make an informed
1:32
decision before a decision gets made for
1:34
you by a corporation that has spent 40
1:36
years trying to ensure that the answer
1:38
to the question of which operating
1:39
system you use is always, inevitably,
1:42
unavoidably, Windows. Begin with a
1:44
number. 32.8 million. That is the most
1:47
conservative credible estimate of the
1:49
number of people worldwide who use Linux
1:51
as their primary desktop operating
1:54
That number has been growing every year
1:56
for the past decade, accelerating
1:57
sharply in the past 3 years as
2:00
dissatisfaction with Windows 11's forced
2:02
hardware requirements, its mandatory
2:04
Microsoft account setup, its aggressive
2:06
AI feature rollout, and its escalating
2:08
data collection practices have pushed
2:09
millions of users toward alternatives.
2:12
Add to that number the many millions
2:13
more who run Linux in a dual boot
2:15
configuration alongside Windows, who
2:17
boot into Linux for development work or
2:19
privacy-sensitive tasks, or simply
2:21
because they prefer the experience. And
2:23
the total population of people affected
2:25
by what is implementing on June 24th is
2:28
not a small community of hardcore
2:29
technical enthusiasts operating at the
2:31
margins of mainstream computing. It is a
2:33
global population of ordinary people,
2:36
students, developers, small business
2:37
owners, researchers, writers, activists,
2:40
and privacy-conscious individuals who
2:42
made a deliberate choice to use software
2:44
that respects their autonomy, and who
2:46
are about to discover that the hardware
2:48
their software runs on is not as neutral
2:50
as they assumed. To understand what is
2:52
happening, you need to understand what
2:54
secure boot actually is, because the
2:56
name is doing a significant amount of
2:58
political work, and understanding the
2:59
mechanism beneath the name is essential
3:02
for understanding why this particular
3:04
change is so consequential.
3:06
Secure Boot is a feature of the UEFI
3:09
firmware, the low-level software that
3:11
runs on your computer's motherboard
3:12
before any operating system loads. It
3:14
was introduced as part of the UEFI
3:16
specification in the early 2010s, and it
3:19
was sold to the public and to regulators
3:22
as a security feature.
3:23
The stated purpose was to prevent
3:25
malicious software from inserting itself
3:26
into the boot process before the
3:28
operating system loads, a category of
3:30
attack called a bootkit or rootkit that
3:33
is genuinely dangerous and genuinely
3:35
difficult to detect and remove.
3:37
Secure Boot addresses this by requiring
3:39
that every piece of software involved in
3:41
the boot process, from the bootloader to
3:43
the operating system kernel, be
3:45
cryptographically signed with a key that
3:46
the firmware recognizes as trusted. If a
3:49
piece of boot software is not signed
3:51
with a recognized key, the firmware
3:53
refuses to load it, The the machine will
3:55
not start. That is the mechanism.
3:57
And in the abstract, as a security
3:59
concept, it is sound.
4:01
Cryptographic signing of boot components
4:03
is a legitimate security technique.
4:05
The problem that the problem that
4:06
critics raised in 2012 when secure boot
4:08
was first mandated for Windows 8
4:10
certification, and that has never gone
4:12
away, is the question of who controls
4:14
the keys. Because a cryptographic trust
4:17
system is only as trustworthy as the
4:18
institution that manages the root of
4:21
And in the case of secure boot on the
4:23
overwhelming majority of personal
4:24
computers sold in the world, the
4:26
institution that manages the root of
4:28
trust is Microsoft. Microsoft operates
4:31
what is called the Microsoft UEFI
4:33
certificate authority. This is the
4:35
organization that signs the keys that
4:37
firmware trusts. When a hardware
4:38
manufacturer wants to ship a computer
4:40
with secure boot enabled, they include
4:42
Microsoft's certificate authority
4:44
certificate in the firmware's trusted
4:46
key database. This means that anything
4:48
signed by Microsoft's certificate
4:49
authority will boot, and anything not
4:51
signed by it will not.
4:53
For Windows, this is straightforward.
4:55
Microsoft signs Windows, Windows boots.
4:58
For Linux, the situation has
4:59
historically been more complicated and
5:00
more fragile. And June 24th is the date
5:03
that fragility becomes a crisis.
5:05
Linux distributions have historically
5:07
navigated the secure boot environment
5:09
through a mechanism called shim. Shim is
5:11
a small bootloader signed by Microsoft's
5:13
certificate authority that acts as an
5:15
intermediary. It loads first because it
5:17
carries Microsoft's signature, and then
5:19
it verifies and loads the actual Linux
5:21
bootloader using Linux's own keys.
5:23
This chain of trust allowed Linux to
5:25
boot on secure boot enabled hardware
5:26
without requiring users to disable
5:28
secure boot entirely, and without
5:30
requiring Microsoft to directly sign
5:32
every Linux distribution. Shim was an
5:34
engineering solution to a political
5:35
problem, and it worked imperfectly and
5:37
with ongoing maintenance overhead for
5:40
What Microsoft is changing on June 24th
5:42
breaks shim. Not by directly attacking
5:44
it. Not by revoking the signature that
5:49
By implementing a new secure boot policy
5:51
layer, referred to in Microsoft's
5:53
technical documentation as secure boot
5:55
advanced targeting or SBAT, that adds an
5:58
additional revocation mechanism capable
6:00
of blocking specific versions of shim
6:02
and other boot components, even if those
6:04
components carry valid cryptographic
6:07
The revocation list that Microsoft is
6:08
pushing through Windows Update on June
6:10
24th includes shim versions that the
6:13
overwhelming majority of currently
6:14
installed Linux distributions depend on
6:17
to boot. When that revocation list lands
6:19
on machines that have Windows installed
6:21
alongside Linux, the firmware will
6:23
refuse to load the affected shim
6:24
versions. The Linux boot process will
6:26
fail. The machine will display an error.
6:29
And for users who do not understand what
6:31
happened, the experience will be
6:32
indistinguishable from their computer
6:36
Now Microsoft will tell you, and has
6:37
told the Linux community in response to
6:39
the backlash that erupted when
6:41
developers first analyzed the
6:42
implications of this change, that this
6:44
is a security update.
6:46
That the shim versions being revoked
6:47
have known vulnerabilities. That the
6:49
SBAT revocation mechanism is a
6:51
legitimate and necessary tool for
6:53
maintaining boot security.
6:55
And here is the uncomfortable truth
6:56
about that argument. It is not entirely
6:58
wrong. Some of the shim versions being
7:00
targeted by the revocation list do have
7:02
documented security issues.
7:04
The SBAT mechanism is technically sound.
7:07
Boot security is a real concern.
7:09
But the implementation of this change,
7:11
the way Microsoft has chosen to deploy
7:13
it, the timeline, the communication, the
7:16
complete absence of any meaningful
7:17
effort to ensure that the change does
7:19
not render dual boot systems unbootable,
7:21
tells you something important about
7:22
whose security Microsoft is primarily
7:25
concerned with. If Microsoft's genuine
7:27
priority were boot security across all
7:28
operating systems running on Windows
7:30
certified hardware, the company would
7:32
have coordinated with Linux distribution
7:33
maintainers months in advance to ensure
7:35
updated shim versions were deployed
7:37
before the revocation list went live. It
7:39
would have built detection into the
7:40
Windows Update process to identify dual
7:43
boot configurations and warn users
7:44
before applying changes that would break
7:46
their Linux installation.
7:48
It would have provided a clear,
7:49
prominent, plain language notification
7:51
to users of affected systems explaining
7:53
what was changing and what they needed
7:55
to do. Microsoft did none of these
7:56
things. The Linux community learned
7:58
about the June 24th deadline not from
8:01
Microsoft communications, but from
8:03
developers who read firmware
8:04
specification documents and update
8:06
manifests and reverse engineered the
8:10
The people most affected by this change
8:11
are the last people Microsoft told about
8:13
it. That is not what security
8:15
prioritization looks like. That is what
8:17
competitive prioritization looks like.
8:19
Linux is the primary alternative to
8:20
Windows on personal computer hardware.
8:24
Microsoft's market share is the thing
8:26
that grows when Linux's does not.
8:28
The mechanism that is being used to
8:30
implement this change happens to be a
8:34
But the effect of the change is to make
8:35
Linux harder to run on the hardware
8:37
Microsoft influences. And the specific
8:39
implementation choices Microsoft made
8:42
guaranteed maximum disruption to
8:43
existing Linux users.
8:45
Those facts sit together and they do not
8:47
suggest coincidence. Let us talk about
8:49
who is specifically affected and how.
8:52
Because the impact is not uniform and
8:54
understanding your specific situation
8:56
determines what you need to do. If you
8:58
run Linux exclusively, no Windows
9:00
installation on the machine at all,
9:02
and you have already disabled secure
9:04
boot in your firmware settings, you're
9:06
not directly affected by the June 24th
9:08
update because the SPUR revocation list
9:10
is delivered through Windows update and
9:12
your machine has no Windows installation
9:14
to deliver it through.
9:15
However, you should still pay attention
9:17
to the situation because the revocation
9:19
list, once it exists and is deployed on
9:21
Windows machines, can propagate to
9:23
firmware on machines that were
9:24
previously Windows machines and whose
9:26
firmware retains the updated revocation
9:29
database even after Windows is removed.
9:31
If you run Linux in a dual boot
9:32
configuration with Windows on the same
9:34
machine, you are in the highest risk
9:36
category. Your machine has Windows
9:38
Update running. Windows Update will
9:39
deliver the SBAT revocation list on or
9:42
around June 24th. If your Linux
9:44
distribution uses a shim version on the
9:46
revocation list, your Linux installation
9:48
will fail to boot after the update. This
9:50
is the scenario affecting the largest
9:52
number of people and the one requiring
9:54
the most urgent attention.
9:57
If you run Windows only but have been
9:58
considering trying Linux, the June 24th
10:01
change raises the barrier to entry for
10:03
dual boot experimentation. And that is
10:05
worth understanding before you make any
10:07
hardware or software decisions.
10:09
If you are a developer or system
10:10
administrator managing Linux deployments
10:13
in environments where Windows is also
10:14
present, the implications extend beyond
10:17
your personal machine to every system in
10:19
your environment and the action plan
10:20
below applies at scale. Here's what you
10:22
need to do starting right now before
10:24
June 24th arrives. The first step is to
10:27
determine whether your Linux
10:28
distribution uses a shim version
10:30
affected by the revocation list. The
10:32
specific shim versions being revoked are
10:34
documented in a public GitHub repository
10:37
maintained by the Linux shim development
10:38
team and the major Linux distribution
10:41
forms, including Ubuntu, Fedora, Debian,
10:44
Mint, Arch, and Manjaro have all
10:46
published advisories in the past several
10:48
weeks detailing whether their current
10:50
stable releases are affected and what
10:53
Check your distribution's official
10:54
forums and security advisory pages for a
10:56
post specifically addressing the June
11:00
If your distribution has released an
11:01
updated shim package that is not on the
11:04
revocation list, installing that update
11:06
before June 24th is the single most
11:08
important action you can take. The
11:10
second step is to back up everything on
11:12
your Linux installation right now today
11:14
before anything else. Use your
11:16
distribution's backup tools or live USB
11:19
environment running a tool like
11:20
Clonezilla to create a complete image of
11:23
your Linux partition. Store this on an
11:25
external drive that you disconnect and
11:27
physically set aside.
11:28
If the worst happens and your system
11:30
becomes unbootable on June 24th, having
11:32
a current backup means you lose hours of
11:34
recovery time rather than losing data.
11:37
The third step is to note your current
11:38
firmware settings before anything
11:41
Restart your machine now and enter your
11:43
UEFI firmware setup, typically accessed
11:45
by pressing F2, F12, delete, or escape
11:48
during startup depending on your
11:49
hardware manufacturer.
11:51
Navigate to the secure boot settings and
11:52
write down or photograph exactly what
11:54
you see. Which secure boot mode is
11:56
active? What keys are enrolled? Whether
11:58
there is a custom key option?
12:00
This information is your reference point
12:02
and you will need it if you have to
12:03
perform manual recovery. The fourth step
12:05
involves temporarily pausing Windows
12:07
update to give yourself time to
12:08
implement the other steps without the
12:10
revocation list landing before you are
12:13
Go to Windows settings, then Windows
12:15
update, then advanced options, then
12:17
pause updates, and set the maximum
12:19
available pause duration.
12:20
This buys you a window to ensure your
12:22
Linux shim is updated before the
12:23
revocation list arrives. Once you have
12:25
confirmed your Linux installation has an
12:27
updated shim, you can resume updates.
12:30
The fifth step is specific to users
12:32
whose Linux distributions have not yet
12:33
released an updated shim or whose update
12:35
repositories have not yet propagated the
12:39
In this situation, you have two options.
12:41
The first is to disable secure boot
12:43
entirely in your firmware settings,
12:44
which allows Linux to boot without any
12:46
shim verification chain at all.
12:48
Disabling secure boot does reduce one
12:50
layer of boot security, but for personal
12:52
computers not operating in high security
12:54
enterprise environments, the practical
12:56
security impact is modest and the
12:58
alternative, a non- booting Linux
13:00
installation, is worse. The second
13:02
option, more technically complex but
13:04
more security preserving, is to enroll
13:06
your own machine owner key in the
13:07
firmware and sign your Linux bootloader
13:11
This requires using the mokutil command
13:13
line tool present in most Linux
13:14
distributions and following a process
13:16
that takes approximately 30 minutes and
13:19
is documented in detail on the Arch
13:20
Linux wiki and the Ubuntu community
13:22
documentation. Both are accurate guides
13:25
applicable to most distributions with
13:27
minor modifications.
13:29
The sixth step applies to anyone who
13:30
discovers on or after June 24th that
13:33
their Linux installation no longer
13:35
The recovery process begins with a Linux
13:37
live USB, a bootable Linux environment
13:39
on a USB drive that does not depend on
13:41
your installed system's shim. Boot from
13:44
the live USB, which will work because it
13:46
carries its own boot environment
13:48
independent of the revocation list
13:49
issue. From the live environment, you
13:51
can access your installed Linux
13:53
partition, update the shim package if an
13:55
updated version is now available for
13:57
your distribution, reinstall the boot
13:59
loader, and restore boot functionality.
14:01
The process is documented step-by-step
14:03
for every major distribution, and the
14:05
Linux community forums will have
14:07
distribution-specific
14:08
guides available by June 24th from
14:10
people who have tested the recovery
14:13
You will not be alone in navigating
14:14
this, and the documentation will be
14:16
there when you need it.
14:17
There is a longer conversation that this
14:19
moment demands, one that goes beyond the
14:21
technical specifics of shim and SBAT and
14:23
revocation lists. And that conversation
14:27
about who controls the hardware you paid
14:29
for, about who controls the firmware
14:31
embedded in that hardware, about who
14:33
controls the chain of trust that
14:34
determines what software your machine is
14:36
permitted to run. Secure boot, as
14:38
implemented on personal computer
14:39
hardware, answers all of those questions
14:41
the same way. Microsoft. Microsoft
14:44
controls the root certificate, Microsoft
14:46
controls what gets signed, Microsoft
14:47
controls what gets revoked. Microsoft
14:49
controls the timeline and the
14:51
communication and the implementation
14:52
choices that determine how that control
14:54
is exercised. And the consequence of
14:56
that control, demonstrated concretely on
14:58
June 24th for everyone paying attention,
15:01
is that Microsoft can make a decision in
15:02
Redmond, Washington, push it through a
15:04
Windows update mechanism on hundreds of
15:06
millions of machines simultaneously, and
15:09
render the Linux installations of tens
15:11
of millions of people non-functional
15:13
without asking permission, without
15:15
providing meaningful advance notice to
15:16
affected users, and without bearing any
15:18
of the consequences that those users
15:20
will face when they sit down at their
15:22
computers on the morning of June 25th
15:25
and find that something they built,
15:26
something they configured, something
15:28
they chose is simply gone.
15:31
That is what control over the boot layer
15:33
means in practice. It means that the
15:35
fundamental question of whether your
15:36
computer starts is not answered by you.
15:39
It is answered by Microsoft.
15:41
The Linux community has been fighting
15:42
this battle for over a decade since the
15:44
first secure boot mandates appeared. In
15:46
Windows 8 certification requirements and
15:48
critics warned that the mechanism would
15:50
eventually be used exactly this way.
15:52
For most of that decade, the fight
15:54
looked like paranoia to casual
15:57
Secure boot affected a small number of
15:58
edge cases. The shim solution worked
16:00
well enough. The theoretical threat
16:02
remained theoretical.
16:03
June 24th is the moment the theoretical
16:05
becomes concrete. It is the moment that
16:08
validates a decade of warnings from
16:09
developers and freedom advocates and
16:11
security researchers who argued that
16:13
giving any single company control over
16:15
the boot layer of the world's personal
16:17
computers was a decision whose
16:19
consequences would eventually be felt.
16:21
Those consequences are being felt now by
16:23
tens of millions of people who never
16:25
heard the warnings because the warnings
16:27
were written in technical language and
16:29
technical forums for technical
16:31
The solution, the long-term structural
16:33
solution, is not a settings change or a
16:35
shim update. It is hardware that is
16:37
genuinely open, firmware that is
16:39
community controlled, and boot security
16:41
mechanisms that do not route trust
16:43
through a single corporate certificate
16:44
authority with its own competitive
16:46
interests in the operating system
16:47
market. Projects like Coreboot,
16:50
Libreboot, and the work being done by
16:52
the open firmware community point toward
16:53
that future. They are not the mainstream
16:55
yet. They require technical
16:57
sophistication to implement that most
16:59
users do not have, but they exist, they
17:01
are maturing, and the events of June
17:02
24th are the kind of concrete
17:04
demonstration of why they matter that
17:06
moves projects from niche to necessary.
17:08
For right now, for the 32 million Linux
17:10
users and the many millions more running
17:12
dual boot configurations who need to do
17:14
something practical before a deadline
17:15
that is measured in days, The action
17:17
plan above is your path through this.
17:20
Check your distribution's shim update
17:21
status. Install the update if it exists.
17:24
Back up your system completely. Note
17:26
your firmware settings. Pause Windows
17:28
update until your shim is confirmed
17:30
updated. If no update exists yet,
17:33
disable secure boot or enroll your own
17:36
If you are reading this after June 24th
17:38
and your system no longer boots, use a
17:40
live USB to access your partition and
17:42
follow your distribution's recovery
17:45
None of these steps are beyond the
17:46
capability of anyone who installed Linux
17:48
in the first place. None of them require
17:50
expertise beyond what you already
17:51
demonstrated when you chose to run a
17:53
non-Microsoft operating system on your
17:56
What they require is time and attention
17:58
and the awareness that a deadline is
17:59
coming that will not wait for you to get
18:01
around to it. The exodus that gives this
18:03
video its name is not inevitable. It
18:05
does not have to be your story,
18:07
but it will be the story of every Linux
18:09
user who did not know this is coming and
18:11
did not act before it arrived. You know
18:13
now. Act before June 24th.
18:17
Your system, your files, and your
18:18
freedom to choose your own operating
18:20
system are worth 30 minutes of your
