Since September 2025, many users have been unable to install the KEK CA 2023 firmware update. It seems that in June, affected users may be unable to boot their systems with secure boot enabled. The only “solution” I have found online is to try disabling secure boot, which degrades user security.
Does anyone know if a fix is being worked on in time? Or is Ubuntu unable to support secure boot on systems affected by this issue?
Ah, I wasn’t aware the 2011 keys were compromised. Wouldn’t it still be worth upgrading to KEK CA 2023 to prevent attacks in the future? Or are the new keys also compromised?
That’s what the update, which fails for some, does. And it’s not only about the compromised keys; those are dealt with by revocation. But then you’d be left without valid keys, hence the new KEK CA, which signs those.
BTW, you might be able to install a UEFI update, containing said KEK CA 2023, via the usual manual procedure. But that depends on whether your hardware vendor provides one.