
Re: Debian live boot corrupting secure boot

On 28/09/2023 05:35, Valerio Vanni wrote:
> On Wed, 27 Sep 2023 09:54:31 +0700 Max Nikulin wrote:
>> My opinion is that just loading boot images without installing an OS should not modify firmware state. In this sense it may be a bug.
>
> Not only did I not install any OS, I didn't boot any image. It's enough to reach the first page (grub entries) and the damage is done.

Thinking more, I have realized that updating secure boot keys in firmware may be the only way for grub to boot. You may try to search for docs and discussions to confirm such a guess.

After a vulnerability is found in shim or grub (one that allows booting malicious code without a proper signature), the old keys used by Linux distributions are revoked and new ones are generated. New images signed with the new keys are published.

Consider booting a new image on a box with an outdated set of keys (old BIOS). The machine is unaware of the new keys, so unless the keys are updated, it prohibits booting the new images as insecure. With up-to-date keys, the certificate revocation list is loaded as well, making booting of older (and thus vulnerable) images impossible. That is why just loading an .EFI file may prevent further booting of old images.

Perhaps loading of the updated key chain could be made transient, affecting the current boot only. I have no idea what the obstacles are: it is not allowed by the secure boot policy, it is not supported by firmware, it is unreliable due to bugs in firmware, or it is just not implemented in shim or grub.

>> On the other hand, forget old images if you have secure boot enabled.
>
> Or forget the new ones ;-)

I have never tried it, but perhaps you may enroll your own keys and rebuild old images to put EFI files signed by you. See "master owner keys".

With outdated keys secure boot does not protect you. Is it Windows that prevents you from just turning secure boot off? I would not be surprised if, during some Windows update, the certificate revocation list were updated as well, so you would not be able to boot your old Clonezilla any more.

Why are you avoiding an up-to-date Clonezilla? Does it have backward compatibility issues making old backups useless?
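The thread argues that reaching the grub menu of a new image can load an updated revocation list into firmware, after which older images no longer boot. A practical way to confirm that on one's own machine is to dump the firmware's forbidden-signature database (the `dbx` EFI variable) before and after booting the live medium and compare the two dumps. The script below is an added example, not code from this thread or from Debian; it parses the EFI_SIGNATURE_LIST structures that `db`/`dbx` are built from, extracts the SHA-256 image hashes they revoke, and reports which hashes are new in the second dump. The sample dumps are constructed in the script itself (hashes of made-up strings) so it runs offline; the efivars path and the 4-byte attribute prefix it strips are the standard Linux `efivarfs` layout, and the two GUIDs are the UEFI specification's EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID.

```python
"""Compare two dumps of the UEFI dbx (forbidden signatures) variable.

Added example (not from the mailing-list thread). Usage on a real box:
    cp /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f dbx-before.bin
    ... boot the live image once, then after rebooting ...
    cp /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f dbx-after.bin
    python3 dbx_diff.py dbx-before.bin dbx-after.bin
"""
import hashlib
import struct
import sys
import uuid

# Signature-type GUIDs from the UEFI specification (stored little-endian in the variable).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
_SIGLIST_HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize


def parse_signature_lists(blob):
    """Walk a concatenation of EFI_SIGNATURE_LIST structures.

    Returns a list of (signature_type_uuid, [(owner_uuid, signature_bytes), ...]).
    Raises ValueError on a malformed or truncated blob instead of silently skipping.
    """
    lists, off = [], 0
    while off < len(blob):
        if len(blob) - off < _SIGLIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        type_raw, list_size, hdr_size, sig_size = _SIGLIST_HDR.unpack_from(blob, off)
        entries_off = off + _SIGLIST_HDR.size + hdr_size
        entries_end = off + list_size
        if sig_size <= 16 or entries_end > len(blob) or entries_off > entries_end:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes at offset %d" % off)
        if (entries_end - entries_off) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        sigs = []
        for pos in range(entries_off, entries_end, sig_size):
            # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by the data.
            owner = uuid.UUID(bytes_le=bytes(blob[pos:pos + 16]))
            sigs.append((owner, bytes(blob[pos + 16:pos + sig_size])))
        lists.append((uuid.UUID(bytes_le=type_raw), sigs))
        off = entries_end
    return lists


def revoked_sha256_hashes(blob):
    """Set of hex SHA-256 image hashes listed in a dbx dump (X.509 entries are ignored here)."""
    return {sig.hex() for stype, sigs in parse_signature_lists(blob)
            if stype == EFI_CERT_SHA256_GUID for _owner, sig in sigs}


def new_revocations(before_blob, after_blob):
    """Hashes present in the 'after' dump but not in the 'before' dump."""
    return revoked_sha256_hashes(after_blob) - revoked_sha256_hashes(before_blob)


def load_efivar_dump(path):
    """Read a file copied from efivarfs; the first 4 bytes are variable attributes, not data."""
    with open(path, "rb") as fh:
        return fh.read()[4:]


def build_signature_list(sig_type, entries, owner=uuid.UUID(int=0)):
    """Serialise one EFI_SIGNATURE_LIST (used only to construct the sample data below)."""
    sig_size = 16 + len(entries[0])
    header = _SIGLIST_HDR.pack(sig_type.bytes_le, _SIGLIST_HDR.size + sig_size * len(entries), 0, sig_size)
    return header + b"".join(owner.bytes_le + e for e in entries)


# Constructed sample: hashes of made-up strings standing in for PE image hashes.
HASH_OLD = hashlib.sha256(b"constructed: already-revoked loader").digest()
HASH_NEW = hashlib.sha256(b"constructed: loader revoked by the live image").digest()
SAMPLE_DBX_BEFORE = build_signature_list(EFI_CERT_SHA256_GUID, [HASH_OLD])
SAMPLE_DBX_AFTER = SAMPLE_DBX_BEFORE + build_signature_list(EFI_CERT_SHA256_GUID, [HASH_NEW])


def main(argv):
    if len(argv) == 3:
        before, after = load_efivar_dump(argv[1]), load_efivar_dump(argv[2])
    else:
        before, after = SAMPLE_DBX_BEFORE, SAMPLE_DBX_AFTER
        print("no dumps given, comparing constructed sample data")
    added = new_revocations(before, after)
    print("%d SHA-256 revocation(s) added by the boot:" % len(added))
    for h in sorted(added):
        print("  " + h)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it compares the constructed sample and reports one newly revoked hash; with two efivarfs copies it reports what actually changed on the machine. A non-empty result after merely reaching the grub menu is the observation the thread describes, and the hashes printed can be compared against the SHA-256 of the old image's EFI binaries to see which of them the firmware will now refuse.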
