Re: Debian live boot corrupting secure boot

To: debian-user@lists.debian.org
Subject: Re: Debian live boot corrupting secure boot
From: Max Nikulin <manikulin@gmail.com>
Date: Wed, 27 Sep 2023 09:54:31 +0700
Message-id: <[🔎] uf05ha$qq9$1@ciao.gmane.io>
In-reply-to: <[🔎] 381e97a3-bd5d-2486-5bf6-09ea29164ad6@inwind.it>
References: <[🔎] 381e97a3-bd5d-2486-5bf6-09ea29164ad6@inwind.it>

On 27/09/2023 03:28, Valerio Vanni wrote:

I found the issue on latest versions of Clonezilla, but then I tried

                       ^^^^^^

with plain Debian live and the behavior is the same.

Does it mean that you can not boot your *old* Clonezilla live afterbooting a latest Clonezilla? If so, it is better to discuss the issuewith shim or grub developers.

1) Machine brand new: secure boot is active, Windows 10 shows it active,I can boot an old Clonezilla live (2.8.1-12) as many times as I want.

^^^

An old image may be signed by a key later added to certificaterevocation lists. If so, secure boot just works as it is supposed to do.

2) I boot from USB drive Debian Live 12
https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-12.1.0-amd64-kde.iso

If it can be reproduced with a contemporary Clonezilla or e.g. a Fedoraimage then it is not a Debian issue. If it is specific to namely Debian(I am unsure concerning Ubuntu, Debian derivatives) then it is better tofile a bug providing more details.

A note: to trigger the issue, there's no need to go on and load OS. It'senough to see the first page (that with grub entries) and then shutdown.

I have an old HP laptop with buggy firmware where fbx64.efi (from shim)tries to fix NVRAM boot entries on each boot, so it is better to avoidthis file on this machine. It happens before grub, but I do not think itis relevant to your issue.

4) I reflash BIOS, same version, and go to point 1.


How old is your BIOS? Maybe you just restore obsolete list signing of keys.

I suggest to compare

    efibootmgr -v

output in the state when Clonezilla may be booted and when it fails. Inaddition public keys and certificate revocation list should be compared(unsure concerning commands).

My opinion is that just loading boot images without installing OS shouldnot modify firmware state. In this sense it may be a bug.

On the other hand, forgot old images if you have secure boot enabled. Asecurity vulnerability may result in requirement to sign all boot imageswith new keys while older ones are added to revocation lists that isupdated with firmware update or by OS.

If you can confirm that Clonezilla signing key has not been revoked thenit is a subject for a bug report.

Reply to:

References:
- Debian live boot corrupting secure boot
  - From: Valerio Vanni <valerio.vanni@inwind.it>

Prev by Date: Re: PATH revisited: one PATH to "rule the [Debian] World"
Next by Date: Re: Debian live boot corrupting secure boot
Previous by thread: Debian live boot corrupting secure boot
Next by thread: Re: Debian live boot corrupting secure boot
Index(es):
- Date
- Thread