Re: Debian live boot corrupting secure boot

To: Valerio Vanni <valerio.vanni@inwind.it>
Cc: "debian-user@lists.debian.org" <debian-user@lists.debian.org>
Subject: Re: Debian live boot corrupting secure boot
From: Jeffrey Walton <noloader@gmail.com>
Date: Mon, 2 Oct 2023 22:01:24 -0400
Message-id: <[🔎] CAH8yC8k_Vv1kukRmm35pRytNag89-xoRrag6XN92F1oTUJsvOQ@mail.gmail.com>
Reply-to: noloader@gmail.com
In-reply-to: <7ae712ef-3dbe-77e1-59ca-4fdc3f9837ac@inwind.it>
References: <7ae712ef-3dbe-77e1-59ca-4fdc3f9837ac@inwind.it>

On Thu, Sep 28, 2023 at 12:10 AM Valerio Vanni <valerio.vanni@inwind.it> wrote:
>
> On Wed, 27 Sep 2023 09:54:31 +0700 Max Nikulin <manikulin@gmail.com> wrote:
> >     I found the issue on latest versions of Clonezilla, but then I tried
> >
> >                        ^^^^^^
> >     with plain Debian live and the behavior is the same.
> >
> > Does it mean that you can not boot your *old* Clonezilla live after booting a latest Clonezilla? If so, it is better to discuss the issue with shim or grub developers.
>
> Yes. If I load a Clonezilla live newer than 3.1.0-11, then I cannot boot
> anymore 2.8.1-12.

I would probably bet if you booted to Windows, the OS would check the
Forbidden Signature/Secure Boot DBX and (re)apply KB5012170 [0] as
required.

So you are probably going to have to deal with this sooner rather than
later. Both OSes are going to try to update the database with
signatures of the bad grub programs. Or I would not bet against it.

Jeff

[0] https://support.microsoft.com/en-gb/topic/kb5012170-security-update-for-secure-boot-dbx-72ff5eed-25b4-47c7-be28-c42bd211bb15

Reply to:

Follow-Ups:
- Re: Debian live boot corrupting secure boot
  - From: Valerio Vanni <valerio.vanni@inwind.it>

Prev by Date: Same Debian, different hardware = different OpenGL version?
Next by Date: Re: swap-fle on arm64, need to disable, how?
Previous by thread: Re: Debian live boot corrupting secure boot
Next by thread: Re: Debian live boot corrupting secure boot
Index(es):
- Date
- Thread