
Re: Debian live boot corrupting secure boot



On Tue, Oct 3, 2023 at 11:44 AM Valerio Vanni <valerio.vanni@inwind.it> wrote:
>
> Il 03/10/2023 04:01, Jeffrey Walton ha scritto:
>
> >>> Does it mean that you can not boot your *old* Clonezilla live after booting a latest Clonezilla? If so, it is better to discuss the issue with shim or grub developers.
> >>
> >> Yes. If I load a Clonezilla live newer than 3.1.0-11, then I can no
> >> longer boot 2.8.1-12.
> >
> > I would probably bet if you booted to Windows, the OS would check the
> > Forbidden Signature/Secure Boot DBX and (re)apply KB5012170 [0] as
> > required.
>
> No, it hasn't happened. If you read the entire discussion, it hasn't
> happened with either Windows 10 or Windows 11.
> The only action that breaks secure boot of Clonezilla 2.8.1-12 is
> reaching the page of Grub entries in recent Clonezilla and Debian live.
>
> > So you are probably going to have to deal with this sooner rather than
> > later. Both OSes are going to try to update the database with
> > signatures of the bad grub programs. Or I would not bet against it.
> >
> > [0] https://support.microsoft.com/en-gb/topic/kb5012170-security-update-for-secure-boot-dbx-72ff5eed-25b4-47c7-be28-c42bd211bb15
>
> Yes, no one can tell... but this update is more than six months old.
> So far it seems that Linux has a larger revocation database.
>
> And, even if Windows were to adopt this larger database, I would still
> consider it bad in a live environment. Be it Live Windows or Live Linux.

Did you see new grub vulnerabilities were just announced? [1] I would
not be surprised if both Linux and Windows updated the Forbidden
Signature/Secure Boot DBX.

You're going to have to deal with it eventually. Restoring UEFI
firmware to run an old Clonezilla is not a long term solution.

[1] https://www.openwall.com/lists/oss-security/2023/10/04/5

Jeff
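The thread argues over whose revocation database is "larger" without anyone showing what the firmware actually holds. The following is an added example, not code from the thread or from Clonezilla, that reads the dbx variable Linux exposes under efivars (assumed path: the standard EFI_IMAGE_SECURITY_DATABASE_GUID, d719b2cb-3d3a-4596-a3bc-dad00e67656f; efivars prefixes the data with a 4-byte attributes word), walks the EFI_SIGNATURE_LIST structures and counts SHA-256 hash versus X.509 entries. The sample variable at the bottom is constructed so the parser can be exercised on a machine without Secure Boot.

```python
import struct
import uuid
import hashlib

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
DBX_EFIVARS_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def parse_signature_lists(data: bytes):
    """Walk concatenated EFI_SIGNATURE_LIST structures; return [(type_guid, [SignatureData...])]."""
    lists, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        body = data[off + 28 + hdr_size: off + list_size]
        # each EFI_SIGNATURE_DATA is SignatureOwner GUID (16 bytes) + SignatureData
        entries = [body[i + 16: i + sig_size] for i in range(0, len(body) - len(body) % sig_size, sig_size)]
        lists.append((sig_type, entries))
        off += list_size
    return lists

def summarize_dbx(var_bytes: bytes, skip_attributes: bool = True):
    """Count the SHA-256 hash, X.509 and other revocation entries in a dbx blob."""
    data = var_bytes[4:] if skip_attributes else var_bytes  # drop efivars attributes word
    summary = {"sha256": [], "x509": 0, "other": 0}
    for sig_type, entries in parse_signature_lists(data):
        if sig_type == EFI_CERT_SHA256_GUID:
            summary["sha256"].extend(e.hex() for e in entries)
        elif sig_type == EFI_CERT_X509_GUID:
            summary["x509"] += len(entries)
        else:
            summary["other"] += len(entries)
    return summary

def build_sha256_list(hashes):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (only used for the constructed sample)."""
    owner = uuid.UUID(int=0).bytes_le  # SignatureOwner: placeholder all-zero GUID
    body = b"".join(owner + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + 32) + body

# Constructed sample variable: attributes word (NV|BS|RT|TIME_BASED_AUTH) + two fake hashes.
SAMPLE_HASHES = [hashlib.sha256(b"constructed-binary-%d" % i).digest() for i in (1, 2)]
SAMPLE_DBX = struct.pack("<I", 0x27) + build_sha256_list(SAMPLE_HASHES)

if __name__ == "__main__":
    s = summarize_dbx(open(DBX_EFIVARS_PATH, "rb").read())
    print(f"{len(s['sha256'])} SHA-256 hashes, {s['x509']} X.509 certs, {s['other']} other")
```

Running it as root before and after booting a newer live image shows whether the dbx itself grew, which is the fact the thread is guessing at.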

