
Re: Debian live boot corrupting secure boot



On 11/10/2023 04:13, Max Nikulin wrote:
> On 11/10/2023 08:46, Valerio Vanni wrote:
>> Now I've tried Fedora live: it doesn't act like Debian. After it,
>> I can still boot old Clonezilla. Not only at grub page: I can also load live environment.
>
> If the Fedora image is fresh enough

Yes, it's version 38.
I'll add that I tried to make it resident (install on internal disk), and this way it doesn't change anything either.

It satisfies Secure Boot requirements, but it doesn't blacklist anything.
So it doesn't seem true what was said (don't remember by whom) at the start of this thread, that if a system supports SB it blacklists older images for sure.

It seems a choice. A bad choice for a live environment.

> then there are some patches either in Fedora or in Debian. Perhaps
> the following one
>
> https://sources.debian.org/src/shim/15.7-1/debian/patches/block-grub-sbat3-debian.patch/
>
> You may check changelog, closed Debian bugs, messages in developer
> mailing lists for the shim package (shim-signed and shim-unsigned) and may try to discuss the issue with shim maintainers.

With Fedora Live I could see the difference, using
# mokutil --list-sbat-revocations.

When the system is in one of these states:
-new
-reflashed
-after old clonezilla (grub entries) load
-after Fedora live load or Fedora install

This list is
sbat,1,202103218

After load of grub page of a new Clonezilla (or live Debian) the list becomes:

sbat,1,2022052400
grub,2


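The following is an added example, not part of the original message and not shim's own code. It parses the two revocation lists quoted above and checks a constructed `.sbat` component list against each, on the assumption that an image is refused when any of its components has a generation below the minimum in the revocation list. `OLD_IMAGE_SBAT` and all function names are hypothetical.

```python
# Added example: compare SBAT revocation lists and test an image against them.
# Assumption: an image is refused if any component generation in its .sbat
# section is lower than the minimum generation listed in the revocations.

BEFORE = "sbat,1,202103218"          # list quoted in the message (first state)
AFTER = "sbat,1,2022052400\ngrub,2"  # list quoted in the message (second state)

# Constructed .sbat contents for a hypothetical older boot image.
OLD_IMAGE_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/\n"
)


def parse_sbat(text):
    """Map component name -> generation from 'name,generation[,...]' lines."""
    levels = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 2 or not fields[1].isdigit():
            continue  # skip blank or malformed lines
        levels[fields[0]] = int(fields[1])
    return levels


def raised(before, after):
    """Components whose minimum generation was added or increased."""
    old, new = parse_sbat(before), parse_sbat(after)
    return {c: g for c, g in new.items() if g > old.get(c, 0)}


def rejected(image_sbat, revocations):
    """Components of an image that fall below the revocation minimums."""
    image, minimum = parse_sbat(image_sbat), parse_sbat(revocations)
    return sorted(c for c, g in image.items() if g < minimum.get(c, 0))


if __name__ == "__main__":
    print("minimums raised:", raised(BEFORE, AFTER))
    for label, revs in (("first list", BEFORE), ("second list", AFTER)):
        bad = rejected(OLD_IMAGE_SBAT, revs)
        print(f"old image vs {label}:", f"refused ({bad})" if bad else "accepted")
```

To check a real system, feed the output of `mokutil --list-sbat-revocations` in as the revocation list and the `.sbat` section of the bootloader binary as the image list.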