Secure Boot certificate expiration: what actually breaks and when

Secure Boot certs expiring, etcd patching websocket auth, EKS gets rollback, and Linux 7.3 targets NVMe bottlenecks — solid infrastructure week.

// SECURITY FOCUS

Secure Boot certificate expiration: what actually breaks and when

The Microsoft UEFI CA cert that signed most Linux bootloaders expired recently — systems already booted won’t stop, but any reinstall, recovery USB, or PXE scenario hitting unupdated shim or grub binaries will fail Secure Boot validation. The window to keep using existing signed binaries is shorter than the expiration date implies because distros need time to push re-signed replacements through their chains. Fleet ops running automated reinstalls or bare-metal provisioning should verify their boot images are signed against the new cert before a recovery scenario forces the issue.

What to do: Audit your PXE/reinstall images and recovery media now; confirm your distro has shipped re-signed shim/grub binaries and update before the next provisioning run.
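One way to do that audit is to read the Authenticode signature table of each shim/grub binary in your PXE and recovery images and see which CA certificates it carries and when they expire. The script below is an added example, not code from the newsletter or from any distro; it uses only the Python standard library, reads just the PE and X.509 fields it needs, and the sample PE and certificates it builds at the bottom are constructed for the demo (the CA names and dates are placeholders, not Microsoft's real certificates). Point it at a real `shimx64.efi` or `grubx64.efi` and compare the subject CN of the signer against the CA your distro says it re-signed with.

```python
# Added example: list the Authenticode signer certificates embedded in a UEFI
# PE binary (shim/grub) and flag any whose notAfter date is before a cutoff.
# Standard library only; the DER walker handles only the fields it needs.
import struct
from datetime import datetime, timezone

OID_CN = bytes.fromhex("550403")           # id-at-commonName 2.5.4.3

def der_tlv(buf, pos=0):
    """Decode one DER element at pos: (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner

def der_time(tag, value):
    """UTCTime (0x17) or GeneralizedTime (0x18, no fractions) -> aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def name_cn(name):
    """commonName from an X.501 Name (SEQUENCE OF SET OF {OID, value})."""
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = list(der_children(atv))[:2]
            if oid == OID_CN:
                return val.decode("utf-8")
    return "<no CN>"

def cert_summary(cert_der):
    """(subject CN, issuer CN, notAfter) of a DER-encoded X.509 certificate."""
    _, cert, _ = der_tlv(cert_der)
    _, tbs = next(der_children(cert))       # tbsCertificate
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    # fields now: serial, signatureAlgorithm, issuer, validity, subject, ...
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    (_, _not_before), (na_tag, not_after) = der_children(validity)
    return name_cn(subject), name_cn(issuer), der_time(na_tag, not_after)

def authenticode_blob(pe):
    """PKCS#7 SignedData from the PE Security data directory, or None if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = pe_off + 4 + 20                                     # after the COFF header
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dirs_off = opt_off + (112 if magic == 0x20B else 96)           # PE32+ vs PE32
    # Directory index 4 is Security; unlike other directories its "RVA" is a file offset.
    sec_off, sec_size = struct.unpack_from("<II", pe, dirs_off + 4 * 8)
    if sec_size == 0:
        return None
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, sec_off)  # WIN_CERTIFICATE
    if cert_type != 0x0002:                                        # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError(f"unexpected WIN_CERTIFICATE type {cert_type:#x}")
    return pe[sec_off + 8:sec_off + length]

def signed_data_certs(p7):
    """Raw DER certificates from SignedData.certificates [0]."""
    _, content_info, _ = der_tlv(p7)
    (_, _oid), (_, wrapper) = list(der_children(content_info))[:2]
    _, signed_data = next(der_children(wrapper))                   # [0] EXPLICIT SignedData
    for tag, value in der_children(signed_data):
        if tag == 0xA0:                                            # certificates [0] IMPLICIT
            certs, pos = [], 0
            while pos < len(value):
                start, (_, _, pos) = pos, der_tlv(value, pos)
                certs.append(value[start:pos])
            return certs
    return []

def check_signers(pe, cutoff):
    """[(subject, issuer, notAfter, expired_at_cutoff)] for every cert in the signature."""
    blob = authenticode_blob(pe)
    if blob is None:
        return []
    rows = []
    for cert in signed_data_certs(blob):
        subject, issuer, not_after = cert_summary(cert)
        rows.append((subject, issuer, not_after, not_after < cutoff))
    return rows

# --- constructed sample data (demo only; not real certificates or a real shim) ---
def der(tag, *parts):
    """Tiny DER encoder (short/long-form lengths), used only to build the sample."""
    body = b"".join(parts)
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    k = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | k]) + n.to_bytes(k, "big") + body

def sample_cert(subject_cn, issuer_cn, not_after_utc):
    """Structurally valid X.509 v3 skeleton with a dummy key and signature."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, OID_CN), der(0x0C, cn.encode()))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
              der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b"))),   # sha256WithRSAEncryption
              name(issuer_cn),
              der(0x30, der(0x17, b"200101000000Z"), der(0x17, not_after_utc.encode())),
              name(subject_cn), der(0x30, b""))
    return der(0x30, tbs, der(0x30, b""), der(0x03, b"\x00"))

def sample_pe(certs):
    """Minimal PE32+ image whose only content is a Security directory holding certs."""
    p7 = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010702")),   # id-signedData
             der(0xA0, der(0x30, der(0x02, b"\x01"), der(0x31, b""),
                           der(0x30, der(0x06, b"\x2a")), der(0xA0, *certs))))
    win_cert = struct.pack("<IHH", 8 + len(p7), 0x0200, 0x0002) + p7
    pe_off, opt_len, dirs_len = 0x40, 112, 16 * 8
    sec_off = pe_off + 4 + 20 + opt_len + dirs_len
    dirs = bytearray(dirs_len)
    struct.pack_into("<II", dirs, 4 * 8, sec_off, len(win_cert))
    return (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", pe_off) + b"PE\0\0" + bytes(20)
            + struct.pack("<H", 0x20B).ljust(opt_len, b"\0") + bytes(dirs) + win_cert)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pe(
        [sample_cert("Sample Old UEFI CA", "Sample Root CA", "260101000000Z"),
         sample_cert("Sample New UEFI CA", "Sample Root CA", "360101000000Z")])
    for subject, issuer, not_after, expired in check_signers(data, datetime.now(timezone.utc)):
        print(f"{'EXPIRED' if expired else 'valid  '}  {subject}  (issuer: {issuer}, notAfter {not_after:%Y-%m-%d})")
```

Run it with no arguments to see the constructed sample (one expired CA, one current), or as `python3 check_signers.py /path/to/shimx64.efi` to list what a real image was signed under. The script reports what the signature carries and when each certificate expires; whether a given firmware enforces that date is a separate question, so treat an "EXPIRED" signer as a prompt to fetch the re-signed binary rather than as proof the image already fails.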

  1. Etcd v3.5.32 and v3.6.13 fix a websocket authentication bug — etcd · Jul 1
    SIG-etcd released v3.5.32 and v3.6.13, patching dependency CVEs and fixing a websocket authentication bug where bearer-prefixed tokens caused valid requests to be rejected. Both releases bump to Go 1.25.11 and update OpenTelemetry to v1.43.0 to address CVE-2026-29181 and CVE-2026-39883; v3.6.13 also pulls in golang.org/x/crypto v0.52.0 for additional CVE coverage. A new `write-only-skip-check` value for `--v2-deprecation` is the most operationally interesting addition: it lets operators upgrading from v3.5 to v3.6 bypass the startup check that blocks etcd when non-membership v2 data is still present, buying time before `write-only-drop-data` becomes the default in v3.7. v3.5.32 also backports the non-admin maintenance Status endpoint access from v3.6.12. v3.4 is end-of-life and won’t receive these fixes, so anyone still on it needs to migrate.
  2. Amazon EKS now lets you roll back a Kubernetes version upgrade within 7 days — AWS News Blog · Jul 1
    Amazon EKS now lets you roll back a Kubernetes control plane upgrade within 7 days of the upgrade completing – a capability that open-source Kubernetes doesn’t offer natively. You get one minor version back at a time, matching the incremental upgrade model, and EKS runs pre-rollback cluster insights checks to flag node version mismatches or add-on dependency issues before you proceed. A `--force` flag skips those checks if you need to move fast. For EKS Auto Mode clusters, managed nodes roll back alongside the control plane while respecting pod disruption budgets, and a cancel API lets you abort a node rollback mid-flight if it’s taking too long. Control plane rollback took roughly 20 minutes in the author’s test – comparable to a standard upgrade. Available now in all commercial AWS regions at no added cost; you pay only normal EKS and compute charges. Worth noting: the 7-day window is a hard cutoff, so teams upgrading large cluster fleets need to build that validation period into their rollout schedule.
  3. Linux 7.3 targets a “significant bottleneck” for small direct I/O on PCIe Gen5 NVMe — Phoronix · Jul 1
    Bytedance engineer Fengnan Chang traced a significant bottleneck in 4K random read performance on PCIe Gen5 NVMe SSDs to memory allocations and state-machine overhead in the kernel’s IOmap direct I/O path. The fix introduces a simplified DIO path that bypasses the usual IOmap machinery when the request size is at or below the inode blocksize – covering the common small-I/O case on EXT4 and XFS, provided the inode isn’t encrypted. Testing showed a jump from 1.92M to 2.19M IOPS on Gen5 hardware, with up to 10% gains on EXT4 and XFS under io_uring at higher queue depths. The patch is queued in the VFS tree targeting Linux 7.3 later this year; if your stack is Gen5 NVMe with io_uring and small block workloads, this one’s worth tracking.
  4. Flux 2.9 GA ships a CLI plugin system — Flux CD · Jun 30
    Flux 2.9 GA ships a CLI plugin system (RFC-0013) that lets you install, pin, and version extensions independently of the core binary – two first-party plugins launch with it: Mirror (registry-to-registry sync for Helm charts, OCI artifacts, and images) and Schema (manifest validation against JSON schemas and CEL rules). Server-side apply gets a long-needed field ignore rule via Kustomization.spec.ignore, so Flux stops fighting HPAs and admission webhooks over fields they legitimately own. Other additions include SOPS decryption with the Age post-quantum cipher, Workload Identity auth for HashiCorp Vault and OpenBao (no more long-lived tokens), SSH key support for Git commit signing and verification, and OIDC-secured webhook Receivers. Two breaking changes to check before upgrading: the default Helm post-render strategy flips from nohooks to combined (chart hooks now included in post-rendering), and the v1beta2 image and notification APIs are fully removed – run flux migrate before upgrading or you’ll lose resources. Flux v2.6 is end-of-life.
  5. Rust 1.96.1 released — Rust Blog · Jun 30
    Rust 1.96.1 is out as a patch release fixing three CVEs in libssh2, which is compiled into Cargo – so this affects anyone running Cargo, not just code that explicitly uses libssh2. The article doesn’t detail the specific CVEs or any other fixes beyond that, so check the full release notes before triaging urgency. Update via `rustup update stable`.

// In other news

culture

  • How Kent Beck shapes the software engineering industry (Pragmatic Engineer) · Jul 1 — Kent Beck argues the core TDD loop – fast feedback, small steps, trust-building – stays relevant as AI generates code, because the discipline is about confidence, not keystrokes.
  • Why your AI bill is bigger than it should be (LeadDev) · Jul 1 — Oversized prompts, uncached repeated context, and unthrottled retries are the main drivers of inflated LLM bills – token hygiene is now a measurable engineering concern, not a finance footnote.

k8s

  • Understanding dynamic resource allocation in Kubernetes (CNCF Blog) · Jul 1 — DRA reached GA in Kubernetes v1.35 and NVIDIA moved their dra-driver-nvidia-gpu into Kubernetes itself, making GPU resource scheduling via structured parameters the new supported path.
  • Support for Istio 1.28 has ended (Istio) · Jul 1 — Istio 1.28 is now fully EOL – no further security backports; any cluster still running 1.28 needs an upgrade path planned now.

Patch your boot images, check your etcd auth, and have a good week.