Re: Debian live boot corrupting secure boot
valerio.vanni@inwind.it wrote:
>On Wed, 27 Sep 2023 09:54:31 +0700 Max Nikulin <manikulin@gmail.com> wrote:
>>> I found the issue on latest versions of Clonezilla, but then I tried
>>                       ^^^^^^
>>> with plain Debian live and the behavior is the same.
>>
>> Does it mean that you can not boot your *old* Clonezilla live after booting a latest
>> Clonezilla? If so, it is better to discuss the issue with shim or grub developers.
>
>Yes. If I load a Clonezilla live newer than 3.1.0-11, then I cannot boot
>anymore 2.8.1-12.
>
>>> 1) Machine brand new: secure boot is active, Windows 10 shows it active, I can boot an
>>> old Clonezilla live (2.8.1-12) as many times as I want.
>>
>> An old image may be signed by a key later added to certificate revocation lists. If so,
>> secure boot just works as it is supposed to do.
>
>I didn't consider that... But it makes sense.
>
>>> 2) I boot from USB drive Debian Live 12
>>> https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-12.1.0-amd64-kde.iso
>>
>> If it can be reproduced with a contemporary Clonezilla or e.g. a Fedora image then it is not
>> a Debian issue. If it is specific to namely Debian (I am unsure concerning Ubuntu, Debian
>> derivatives) then it is better to file a bug providing more details.
>
>As I said, the image that is not loaded anymore is older Clonezilla.
>The image that alters secure boot is newer Clonezilla, and then I found
>that newer Debian does the same.
>I still haven't found an old version of Debian that cannot boot after
>newer one (but I only tried 10 live, so far).
The newer images might be causing firmware key revocation updates to
be applied. This is part of the Secure Boot story - if you want to
stay secure, systems will need to be updated to stop older software
with known holes from being run.
--
Steve McIntyre, Cambridge, UK. steve@einval.com
Can't keep my eyes from the circling sky,
Tongue-tied & twisted, Just an earth-bound misfit, I...
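A way to confirm the explanation above on the affected machine (an added example, not code from this thread or from Debian/Clonezilla): dump the firmware's forbidden-signature database (dbx) before and after booting the newer live image and compare the SHA-256 revocation entries. The parser below follows the EFI_SIGNATURE_LIST layout from the UEFI specification; the efivarfs path is the standard Linux one, and the sample dbx bytes are constructed, not real firmware contents.

```python
import struct
import uuid
from typing import List, Tuple

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Where efivarfs exposes dbx on Linux (EFI_IMAGE_SECURITY_DATABASE_GUID).
DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def parse_signature_lists(data: bytes) -> List[Tuple[uuid.UUID, bytes]]:
    """Walk a chain of EFI_SIGNATURE_LIST structures and return
    (SignatureType, SignatureData) pairs, one per EFI_SIGNATURE_DATA entry."""
    entries, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            # EFI_SIGNATURE_DATA = 16-byte SignatureOwner GUID + SignatureData.
            entries.append((sig_type, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries


def revoked_sha256_hashes(dbx: bytes) -> set:
    """Hex digests of revoked images. These are PE Authenticode hashes of the
    EFI binaries (shim etc.), not plain sha256sum values of the files."""
    return {sig.hex() for t, sig in parse_signature_lists(dbx) if t == EFI_CERT_SHA256_GUID}


def is_revoked(authenticode_sha256_hex: str, dbx: bytes) -> bool:
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(dbx)


def read_dbx(path: str = DBX_PATH) -> bytes:
    with open(path, "rb") as f:
        return f.read()[4:]  # efivarfs prefixes 4 bytes of variable attributes


def build_sha256_list(hashes: list) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries; used here only to
    construct sample data for offline runs."""
    body = b"".join(b"\x00" * 16 + h for h in hashes)  # owner GUID zeroed
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body


# Constructed sample: two revoked image hashes, not real dbx contents.
SAMPLE_DBX = build_sha256_list([bytes([0x11]) * 32, bytes([0x22]) * 32])

if __name__ == "__main__":
    try:
        dbx = read_dbx()
    except OSError:
        dbx = SAMPLE_DBX
    print(f"{len(revoked_sha256_hashes(dbx))} SHA-256 revocation entries in dbx")
```

Saving the set of hashes before the newer image is booted and diffing it afterwards shows whether that boot applied a dbx update; a growing set is the expected, intended behaviour rather than corruption.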