PCs without the new certificates could eventually have trouble booting new OSes.
Tl;dr - if you’ve used the computer in the last few years, you’re fine.
If you haven’t, then it on and run Windows update and/or update everything in the windows store by June.
If you do none of that…… doesn’t really matter, your computer will still work as expected.
Step 1 - Choose a Linux distro
Move to Linux
Would Linux have the same issue if secure boot is enabled and the certificate expire?
Secure boot is a useful security measure. But users should have the ability to install and update certs. If hardware (vendors) don’t allow this, it’s going to cause trouble for both Windows and Linux users.
Gives the illusion of security without being secure. Get the drive in a separate machine and, unless encrypted, secure boot is security theatre. Windows login password is similarly useless when the drive can be accessed when attached elsewhere.
Get rid of secure boot, install a granny-safe Linux distribution like Mint and get your drive LUKS encrypted.
Good thing windows encrypts your disk too.
Also if someone has physical access to your machine to do nefarious things tor you’re already fucked.
You’re talking of an attacker with physical access. This can indeed defeats secure boot, but physical access defeat most computer security. In an evil maid scenario even LUKS can be defeated. An attacker with physical access can clone the drive, install a keylogger (hardware or software) and capture the passphrase the next time the machine boots.
Secure Boot can be useful to prevent malware from inserting themselves into the boot process, preventing them from elevating privilege or gaining persistence https://www.xda-developers.com/secure-boot/
Secure Boot isn’t perfect but it’s widely available and is an useful extra layer of protection, on top of disk encryption (eg LUKS).
These are all basically “if your machine is already compromised, they can also get around these other security measures” type exploits though, which are irrelevant.
But how are you gonna play High Guard???
In all that mess and scare last year I just switched secure boot off. It still isn’t clear to me how much of a risk it is, read many different opinions online, but seems not a terribly big risk and I don’t have to worry about this crap.
Secure boot is supposed to help against a malicious agent (e.g. the government, Microsoft) compromising your PC’s security by accessing through another OS.
It wouldn’t help anyway without encryption. Pull the drive and have a look.
Secure boot is supposed to continue your reliance on proprietary software, any security it tacks on is unintentional.
Windows computers have been encrypting drives for years.
