PSA: Secure Boot 2026 June cert expiry can block older NVIDIA GOPs at POST
Right. Finally. I'm thrilled. I was yelling to deaf ears about this problem in many posts, only to hear “NVIDIA good, gives you update, you good, stop yell”.
The new cert was issued in 2023. A VBIOS ROM couldn't have been signed with the cert that hasn't been issued. This means that “older” is by definition at most 2 years old.
At most. Assuming that Microsoft started double-signing the OpROMs on the day of its issuance. No, they suddenly started the whole kipesh about this in this February. In reality, don't expect any video card older than 6 months today to work after July. I could not purchase an RTX3070Ti
for a year (I didn't want to pay $2K for it, and couldn't find any listed at a sensible price that were in stock). I made a compromise with myself at $900: when the RTX5000 series was announced, the prices dropped for a short second. Now it's a year and a half old. And no, it's not signed by the new cert at all. It's an
older NVIDIA card. It's
obsolete. And, since most of NVIDIA cards (that's 90% of video cards in home use) are “older, obsolete cards” now, imagine what's going to happen.
Everyone will need a new GPU card. A
brand new GPU card. The market of used cards is closed, effective now. And if now we're so short of GPUs, think of them as made of pure 100% unobtanium after people realise the scale of the disaster that is unfolding.
Of course, most people wouldn't buy cards whose cost approaches that of a small car. Everybody whose computer allows turning Secure Boot off, will. And Secure Boot was an attempt to address a real problem: rootkits. The BlackLotus incident revealed that… let's put it, not very responsible people who try to break through and plant a rootkit into your PC invented quite advanced techniques. And now they're aware that most computers won't even have SB any more in 9 months. They're getting ready, and many will be, the Dark Web is a vast market. If you leave SB on, your PC will turn into a pumpkin at the twelfth bell. If you turn SB off, your PC will turn into an evil pumpkin, listening for the commands from the control centre to begin an attack (the distributed attack is unnoticeable to the PC owner — it's the scale that makes them work). That's until another rootkit comes in, encrypts your evil pumpkin's disk, and then gives clear instructions on how to pay the ransom. Which you better don't do, as it will be encrypted monthly anyway, by a different actor each time. Neither choice is good. Whoopsie.
The real choice is, either just stop using computers — you can, but don't connect it to the Internet, or buy a video card at a price of a small car so you can have Secure Boot back. You'll eventually be able to grab the last one available at this price. It's not gonna be quick, there are a lot of people ready to spend more money than me or you, but in a few months of shopping you'll be able to get one, if you're lucky (I, for one, did; the only difference is the price). Whoopsie.
NVIDIA will update cards out of warranty? Why would they??? Because otherwise your out-of-warranty card won't work? So what? They completed their contract obligations. By law, the CEO, C-team and the whole business works for the investors, the shareholders. If they give you a free update, they lose a sale. Shareholders would have the full right to sue them, and in fact will, if they update tens of millions of cards and lose this many sales. I'm sorry, but this is how the invisible hand works. NVIDIA owes you and me nothing at all: our cards worked the whole year, the warranty period, which expired, and that's it. NVIDIA owes only to shareholders. And, unlike Microsoft, they didn't push for the ill-conceived Secure Boot, they did not monopolise the signing of boot components and drivers — Microsoft did (with the release of Windows 8; before that, they allowed OEMs to sign).
You can't say that there's even a sliver of NVIDIA's fault. NVIDIA would not give you an update for free even if the law permitted that because they have absolutely no incentive to do that, they made no mistake, and no one may hold them even indirectly responsible for this disaster. Giving you a free update would put them into legal hot water, and they have no arguments to the investors and the Board why they feel obliged to fix at their expense what Microsoft broke. They're disincentivised from updating your VBIOS — doubly, by the market and by law. And they won't. When the press asks, they reply that “they're aware of the issue, and are working with the OEMs.” As if there is anyone in the industry unaware of the issue, or they didn't work with the OEMs every day for the past 30 years. I don't understand how this response could be interpreted as a promise to update tens of millions of cards. People just wish a miracle to happen, so much so that they hear a hard promise to fix the issue in deliberately meaningless responses. Well... what can I say...
