
Re: Debian live boot corrupting secure boot



On 02/10/2023 18:45, Max Nikulin wrote:

At least a warning "I'm going to blacklist something, do you want to continue?".

It is just speculation. To show a warning you need to execute some code.

Yes, but I would trust code that asks before doing some potentially disruptive change. I don't want to consider a live environment like a virus. I'd like to consider it the opposite, a "safe thing" that leaves things untouched.

Yes, I do. My idea is to build a custom image of old Clonezilla with EFI files signed by your own keys. The downside is that you need to install your keys on every box where you are going to boot your images.

Doesn't seem practical. I am the maintainer of that disk image: I keep it updated, I keep it tested after updates and after modifications I get from applications' maintainers.

You may ask Clonezilla developers to make an image with old version and new grub-signed and shim-signed. I think, you even could do it yourself.

For now, it seems more practical to use old Clonezilla. I don't have such control on the deploying chain (i.e. what version other technicians use), so I have to point towards compatibility.

For security: if Asus and Microsoft (usual "house owners") are happy with a certain blacklist, I don't feel myself the culprit of "making the machine less secure" if I *don't load* a Linux version that blacklists older ones.

Don't forget that the only times I break secure boot is when I test new Clonezilla versions.

Now 2.8.1-12 works. It's fast, it loads without issues on the machines where I need it. In a few words, it does its job. Perhaps it's also forward compatible (I didn't test with an image taken from the latest; for some versions it was compatible).

I still hope that the performance issue is fixed in future releases; it's not wise to take for granted that 2.8.1-12 will work forever, on other machines etc. It could be that in 2 years an unsupported chipset comes out.

But during the last week I changed my plan. Before it was "start to use new Clonezilla as soon as it is fixed".
Now it's "Good when it's fixed, but I'll use 2.8 as long as it works".

But neither Asus (bios from start of September) nor Microsoft (Windows 11) do that blacklisting.

Do you mean Windows install on hard drive or Windows install image?

The machine comes with Windows 10 pre-installed, and then it's updated from Windows Update. Then I installed Windows 11 with the upgrade assistant.
So far, no blacklist of old Clonezilla.

Do you mean that installing Windows 10 or 11 from scratch could behave differently?

Notice, it is still just a hypothesis that your issues are caused by new keys, and it has to be confirmed by comparing key lists before and after.

I'll try with
efibootmgr -v
when I have here another machine

This particular command lists boot entries (location of .efi file to boot), not secure boot keys. I mentioned it because I had an issue namely with boot entries. In your case they may be unaffected.

If firmware has the "EFI shell" option then you may try "bcfg boot dump -v". Unsure if it is possible to redirect output to a file.

I'll try. Is there nothing inside Linux efi tools?

I don't know if Clonezilla has this package installed,

Then you may try any other live image. Perhaps some of Debian live, grml, system rescue have necessary tools installed.

No, I want to see the condition without loading newer Linux versions.
Otherwise, I'd see the condition generated by that live.

Unless I find a "live as I like it" (meaning that doesn't alter secure boot).

Clonezilla comes in many flavours: the main line is based on Debian (stable - testing) and the alternate one is based on Ubuntu (alternate stable - alternate testing).

I'll try also with an unrelated distribution, as you suggest.

I mean an image from Fedora, not Clonezilla based on Fedora.

Yes, it was clear.
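For the before/after comparison of key lists suggested above, done from Linux rather than the EFI shell, here is an added example that is not code from this thread: it reads PK, KEK, db and dbx from efivarfs (standard UEFI variable GUIDs; the 4-byte attribute prefix is an efivarfs detail) and prints a hash plus entry counts per database, so two runs saved to text files can be diffed. The efi-readvar tool from the efitools package does a similar dump.

```python
"""Snapshot the UEFI Secure Boot databases (PK, KEK, db, dbx) from efivarfs so
two runs, taken before and after booting a live image, can be diffed as text.
Each efivarfs file is a 4-byte attribute word followed by EFI_SIGNATURE_LIST records."""
import hashlib
import struct
import sys
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE: PK, KEK
SECDB_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"   # EFI_IMAGE_SECURITY_DATABASE: db, dbx
VARIABLES = {"PK": GLOBAL_GUID, "KEK": GLOBAL_GUID, "db": SECDB_GUID, "dbx": SECDB_GUID}
SIG_TYPES = {"c1c41626-504c-4092-aca9-41f936934328": "sha256",  # EFI_CERT_SHA256_GUID
             "a5c059a1-94e4-4aa7-87b5-ab155c2bf072": "x509"}    # EFI_CERT_X509_GUID

def parse_signature_lists(payload: bytes) -> dict:
    """Walk consecutive EFI_SIGNATURE_LIST records; return {signature type: entry count}."""
    counts = {}
    off = 0
    while off + 28 <= len(payload):  # 16-byte type GUID + three uint32 sizes
        sig_type = str(uuid.UUID(bytes_le=payload[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", payload, off + 16)
        if list_size < 28 or sig_size == 0 or hdr_size > list_size - 28 or off + list_size > len(payload):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        n = (list_size - 28 - hdr_size) // sig_size  # each entry: owner GUID + hash or cert
        name = SIG_TYPES.get(sig_type, sig_type)
        counts[name] = counts.get(name, 0) + n
        off += list_size
    return counts

def describe_variable(raw: bytes) -> str:
    """raw is the efivarfs file content: 4 attribute bytes, then the payload."""
    payload = raw[4:]
    counts = parse_signature_lists(payload)
    summary = " ".join(f"{k}={v}" for k, v in sorted(counts.items()))
    return f"{hashlib.sha256(payload).hexdigest()} {summary or 'empty'}"

def snapshot(efivars: Path = EFIVARS) -> list:
    """One line per database; 'absent' when the variable does not exist (e.g. Setup Mode)."""
    lines = []
    for name, guid in VARIABLES.items():
        path = efivars / f"{name}-{guid}"
        lines.append(f"{name}: " + (describe_variable(path.read_bytes()) if path.exists() else "absent"))
    return lines

if __name__ == "__main__":
    print("\n".join(snapshot(Path(sys.argv[1]) if len(sys.argv) > 1 else EFIVARS)))
```

Run it once before and once after booting the live image, redirecting each run to a file, and diff the two files: a changed dbx hash or entry count is the confirmation the hypothesis needs.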
