This is quite interesting — I literally presented about the backstory of this in the last KYOSS meeting (and in a few prior KYOSS meetings, too).
It has to do with how the Microsoft community certificate is in all desktop/laptop/server firmware these days, and is therefore used to sign the boot loader of many (most?) Linux distros so that you can boot that Linux kernel while your hardware/firmware is in UEFI Secure Boot mode. It turns out that that certificate is going to expire soon. Microsoft created a new one in 2023, but some vendors have been slow to update to include that new certificate in their firmware.
End result: if you’re using UEFI Secure Boot to boot your Linux, you should update your motherboard and/or BMC firmware when your vendor issues an update to include the new Microsoft community certificate. Otherwise, UEFI Secure Boot will stop working (i.e., the Linux boot loader will fail to validate once the certificate expires, and UEFI Secure Boot will refuse to load that Linux boot loader). Additionally, after you update your motherboard and/or BMC firmware to have the new Microsoft community certificate, you’ll need to update your Linux boot loader to a version that is signed by the new Microsoft community certificate.
I checked my own company’s products (Cisco UCS servers); looks like we are shipping BMC firmware that includes both the old and new Microsoft certificates. Yay us! 🤓
The old Microsoft community certificate expires June 27, 2026.
The new Microsoft community certificate started June 13, 2023 (and expires June 13, 2038).
https://www.tomshardware.com/tech-industry/cyber-security/microsoft-signing-key-required-for-secure-boot-uefi-bootloader-expires-in-september-which-could-be-problematic-for-linux-users
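
As an added example (not part of the original post): a shell check for which of the two certificates a machine's Secure Boot db contains. It assumes the subject names Microsoft Corporation UEFI CA 2011 (old) and Microsoft UEFI CA 2023 (new), which the post does not give, and the text layout printed by `mokutil --db`; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed subject names of the old and new certificates (not given in the post):
OLD_CN='Microsoft Corporation UEFI CA 2011'
NEW_CN='Microsoft UEFI CA 2023'

# Read `mokutil --db` style text on stdin; print "CN|Not After" per certificate.
list_db_certs() {
    awk '
        /Not After *:/ { sub(/^.*Not After *: */, ""); expiry = $0 }
        /^ *Subject:/ && /CN *=/ {
            cn = $0
            sub(/^.*CN *= */, "", cn)   # keep the text after the last CN=
            sub(/,.*$/, "", cn)         # drop any attributes that follow
            print cn "|" expiry
            expiry = ""
        }'
}

# Read the same text on stdin; print both | old-only | new-only | none.
db_status() {
    certs=$(list_db_certs)
    old=no; new=no
    printf '%s\n' "$certs" | grep -q "^${OLD_CN}|" && old=yes
    printf '%s\n' "$certs" | grep -q "^${NEW_CN}|" && new=yes
    case "$old/$new" in
        yes/yes) echo both ;;
        yes/no)  echo old-only ;;
        no/yes)  echo new-only ;;
        *)       echo none ;;
    esac
}

# Constructed sample input (trimmed; times and issuers are placeholders).
sample_db() {
cat <<'EOF'
[key 1]
        Issuer: CN=Example Issuer A (constructed)
            Not After : Jun 27 00:00:00 2026 GMT
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
[key 2]
        Issuer: CN=Example Issuer B (constructed)
            Not After : Jun 13 00:00:00 2038 GMT
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
EOF
}

sample_db | db_status    # on a real machine: mokutil --db | db_status
```

A result of `old-only` means the firmware still needs the vendor update described above before the old certificate expires.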