
Re: Debian live boot corrupting secure boot



On Tue, Sep 26, 2023 at 10:20 PM Valerio Vanni <valerio.vanni@inwind.it> wrote:
>
> Motherboard is an Asus H510M-A.
>
> I found the issue on latest versions of Clonezilla, but then I tried
> with plain Debian live and the behavior is the same.
>
> Booting a recent Debian USB key does some modification on secure boot that
> prevents some older OS from booting.
>
> The cycle is:
>
> 1) Machine brand new: secure boot is active, Windows 10 shows it active,
> I can boot an old Clonezilla live (2.8.1-12) as many times as I want.
>
> 2) I boot from USB drive Debian Live 12
> https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-12.1.0-amd64-kde.iso
>
> A note: to trigger the issue, there's no need to go on and load OS. It's
> enough to see the first page (that with grub entries) and then shutdown.
>
> 3) At next boots, secure boot refuses to boot from Clonezilla live
> 2.8.1-12. The error is
> "verification failed 0x1A security violation"
> Windows 10 can still start, and shows secure boot active. Only if I
> disable secure boot from BIOS, I can start clonezilla.
>
> 4) I reflash BIOS, same version, and go to point 1.
>
> Tested many times.

The failure at (3) sounds like what happened when old grub images were
blacklisted in the UEFI Revocation List dbx. Also see
<https://lwn.net/Articles/827403/>.

You should probably stop doing (4).

Jeff
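
One way to test the dbx explanation given in the reply above is to snapshot the dbx variable before and after booting the live image and compare the entries. The following is an added example, not part of the original messages; it assumes a Linux system booted via UEFI with efivarfs mounted, and the helper names and sample data are constructed for illustration.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
SIG_TYPES = {
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",
}
# dbx as exposed by Linux efivarfs; the file starts with 4 attribute bytes.
DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
HEADER = 28  # 16-byte type GUID + three little-endian uint32 sizes


def parse_signature_lists(data):
    """Return {(type, payload hex)} for all entries in concatenated EFI_SIGNATURE_LISTs."""
    entries, off = set(), 0
    while off < len(data):
        if len(data) - off < HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_guid = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body = data[off + HEADER + hdr_size:off + list_size]
        if (list_size < HEADER + hdr_size or off + list_size > len(data)
                or sig_size <= 16 or len(body) % sig_size):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        kind = SIG_TYPES.get(type_guid, str(type_guid))
        for i in range(0, len(body), sig_size):
            # EFI_SIGNATURE_DATA: 16-byte owner GUID, then the hash or certificate.
            entries.add((kind, body[i + 16:i + sig_size].hex()))
        off += list_size
    return entries


def read_dbx(path=DBX_PATH):
    """Parse the live dbx variable (Linux, UEFI boot, efivarfs mounted)."""
    with open(path, "rb") as f:
        return parse_signature_lists(f.read()[4:])


def diff_dbx(before, after):
    """Entries added to and removed from dbx between two snapshots."""
    return sorted(after - before), sorted(before - after)


def build_sha256_list(hashes):
    """Constructed sample input: one EFI_SIGNATURE_LIST of SHA-256 hashes."""
    guid = next(g for g, k in SIG_TYPES.items() if k == "sha256")
    body = b"".join(bytes(16) + h for h in hashes)
    return guid.bytes_le + struct.pack("<III", HEADER + len(body), 0, 48) + body
```

Call read_dbx() at step 1 and again after step 2 of the cycle, then pass both results to diff_dbx(); an empty "added" list means dbx did not change between the two boots.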