
Re: Debian live boot corrupting secure boot



On 30/09/2023 20:53, Valerio Vanni wrote:
> On 29/09/2023 05:39, Max Nikulin wrote:
>>
>> That is why I am suggesting to check for discussions related to shim & grub and to ask people involved in their development.
>
> I'll try. I don't feel comfortable with the idea that a live environment could do such a change.

In general I agree with you, but some restrictions may exist.

> At least a warning "I'm going to blacklist something, do you want to continue?".

It is just speculation. To show a warning you need to execute some code. However the .efi file is considered unsafe due to an unknown signature. I have no idea concerning the origin of the code that injects newer keys. It should be some special case for secure boot.

>> Yes, I do. My idea is to build a custom image of old Clonezilla with EFI files signed by your own keys. The downside is that you need to install your keys to every box where you are going to boot your images.
>
> Doesn't seem practical. I am the maintainer of that disk image: I keep it updated, I keep it tested after updates and after modifications I get from applications' maintainers.

You may ask Clonezilla developers to make an image with old version and new grub-signed and shim-signed. I think you even could do it yourself. Take an old image, put EFI, grub directories and kernel files from a new image. Perhaps adjust some config files if they include Clonezilla version. This way allows avoiding dealing with custom secure boot keys.

> But neither Asus (bios from start of September) nor Microsoft (Windows 11) do that blacklisting.

Do you mean Windows install on hard drive or Windows install image?

Notice, it is still just a hypothesis that your issues are caused by new keys and it has to be confirmed by comparing key lists before and after.

> I'll try with
> efibootmgr -v
> when I have here another machine

This particular command lists boot entries (location of .efi file to boot), not secure boot keys. I mentioned it because I had an issue namely with boot entries. In your case they may be unaffected.

If firmware has the "EFI shell" option then you may try "bcfg boot dump -v". Unsure if it is possible to redirect output to a file.

> I don't know if Clonezilla has this package installed,

Then you may try any other live image. Perhaps some of Debian live, grml, system rescue have necessary tools installed.

> Clonezilla comes in many flavours, the main line is based on Debian (stable - testing) and the alternate one is based on Ubuntu (alternate stable - alternate testing).
>
> I'll try also with a non related distribution, as you suggest.

I mean an image from Fedora, not Clonezilla based on Fedora.
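An added example, not part of the thread, of the before/after key-list comparison discussed above: a POSIX shell snippet that hashes the raw PK, KEK, db and dbx variables from efivarfs so that a snapshot taken before booting a live image can be diffed against one taken afterwards. It assumes the Linux efivarfs layout (default mount path, `Name-GUID` file names, 4-byte attribute word before the payload); the GUIDs are the fixed UEFI ones.

```shell
#!/bin/sh
# Added example: snapshot the Secure Boot key databases so that a run taken
# before booting a live image can be diffed against a run taken afterwards.
# The files are read from efivarfs (Linux default path assumed); each file is
# "<VariableName>-<VendorGUID>" and starts with a 4-byte attribute word that
# precedes the variable payload, so the hash is taken over the payload only.
EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"

# sb_snapshot DIR
# Prints one line "NAME PAYLOAD_BYTES SHA256" per Secure Boot variable found in
# DIR, or "NAME missing" when the firmware does not expose that variable.
sb_snapshot() {
    dir="$1"
    # PK/KEK live under EFI_GLOBAL_VARIABLE, db/dbx under the
    # EFI_IMAGE_SECURITY_DATABASE GUID; both GUIDs are fixed by the UEFI spec.
    for var in PK-8be4df61-93ca-11d2-aa0d-00e098032b8c \
               KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c \
               db-d719b2cb-3d3a-4596-a3bc-dad00e67656f \
               dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f; do
        name="${var%%-*}"
        f="$dir/$var"
        if [ -r "$f" ]; then
            # payload size excludes the 4-byte attribute header
            size=$(( $(wc -c < "$f") - 4 ))
            sum=$(tail -c +5 "$f" | sha256sum | cut -d' ' -f1)
            printf '%s %d %s\n' "$name" "$size" "$sum"
        else
            printf '%s missing\n' "$name"
        fi
    done
}

# Usage (as root if the variables are not readable by your user):
#   sh sb_snapshot.sh snapshot > sb-before.txt   # before the live boot
#   sh sb_snapshot.sh snapshot > sb-after.txt    # after it
#   diff -u sb-before.txt sb-after.txt           # any output = a variable changed
case "${1:-}" in
    snapshot) sb_snapshot "$EFIVARS_DIR" ;;
esac
```

A changed dbx hash confirms the blacklist hypothesis; to see which entries were added, dump the variable in readable form with `efi-readvar -v dbx` from the efitools package and compare those dumps instead.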


