Re: Debian live boot corrupting secure boot

2023-10-30 Thread Valerio Vanni
With Fedora Live I could see the difference, using # mokutil --list-sbat-revocations. When the system is in one of these states: -new -reflashed -after old clonezilla (grub entries) load -after Fedora live load or Fedora install This list is sbat,1,202103218 After load of grub page of a new

Re: Debian live boot corrupting secure boot

2023-10-11 Thread Valerio Vanni
On 11/10/2023 04:13, Max Nikulin wrote: On 11/10/2023 08:46, Valerio Vanni wrote: Now I've tried Fedora live: it doesn't act like Debian. After it, I can still boot old Clonezilla. Not only at grub page: I can also load live environment. If the Fedora image is fresh enough Yes, it's

Re: Debian live boot corrupting secure boot

2023-10-10 Thread Max Nikulin
On 11/10/2023 08:46, Valerio Vanni wrote: Now I've tried Fedora live: it doesn't act like Debian. After it, I can still boot old Clonezilla. Not only at grub page: I can also load live environment. If the Fedora image is fresh enough then there are some patches either in Fedora or in Debian.

Re: Debian live boot corrupting secure boot

2023-10-10 Thread Valerio Vanni
On 04/10/2023 17:11, Max Nikulin wrote: from Windows update. Then I installed Windows 11 with upgrade assistant. So far, no blacklist of old Clonezilla. Do you mean that installing Windows 10 or 11 from scratch could behave differently? I am curious if just booting a recent media

Re: Debian live boot corrupting secure boot

2023-10-05 Thread Max Nikulin
On 05/10/2023 04:06, Valerio Vanni wrote: I don't know if there is an EFI shell. I am not sure, but some motherboards may have it preinstalled. Check files on EFI system partition. It may be available in boot menu invoked by some F* key (not grub menu), it may be necessary to enable it in

Re: Debian live boot corrupting secure boot

2023-10-04 Thread Valerio Vanni
On 04/10/2023 17:11, Max Nikulin wrote: But neither Asus (bios from start of September) nor Microsoft (Windows 11) do that blacklisting. Do you mean Windows install on hard drive or Windows install image? should be "installed"-^ Ok, "installed". I am curious if just booting a

Re: Debian live boot corrupting secure boot

2023-10-04 Thread Jeffrey Walton
On Tue, Oct 3, 2023 at 11:44 AM Valerio Vanni wrote: > > On 03/10/2023 04:01, Jeffrey Walton wrote: > > >>> Does it mean that you can not boot your *old* Clonezilla live after > >>> booting a latest Clonezilla? If so, it is better to discuss the issue > >>> with shim or grub developers. >

Re: Debian live boot corrupting secure boot

2023-10-04 Thread Max Nikulin
On 03/10/2023 01:34, Valerio Vanni wrote: On 02/10/2023 18:45, Max Nikulin wrote: But neither Asus (bios from start of September) nor Microsoft (Windows 11) do that blacklisting. Do you mean Windows install on hard drive or Windows install image? should be "installed"-^

Re: Debian live boot corrupting secure boot

2023-10-03 Thread Valerio Vanni
On 03/10/2023 04:01, Jeffrey Walton wrote: Does it mean that you can not boot your *old* Clonezilla live after booting a latest Clonezilla? If so, it is better to discuss the issue with shim or grub developers. Yes. If I load a Clonezilla live newer than 3.1.0-11, then I cannot boot

Re: Debian live boot corrupting secure boot

2023-10-02 Thread Jeffrey Walton
On Thu, Sep 28, 2023 at 12:10 AM Valerio Vanni wrote: > > On Wed, 27 Sep 2023 09:54:31 +0700 Max Nikulin wrote: > > I found the issue on latest versions of Clonezilla, but then I tried > > > >^^ > > with plain Debian live and the behavior is the same. > > > >

Re: Debian live boot corrupting secure boot

2023-10-02 Thread Valerio Vanni
On 02/10/2023 18:45, Max Nikulin wrote: At least a warning "I'm going to blacklist something, do you want to continue?". It is just speculation. To show a warning you need to execute some code. Yes, but I would trust a code that asks before doing some potentially disruptive change. I

Re: Debian live boot corrupting secure boot

2023-10-02 Thread Max Nikulin
On 30/09/2023 20:53, Valerio Vanni wrote: On 29/09/2023 05:39, Max Nikulin wrote: That is why I am suggesting to check for discussions related to shim & grub and to ask people involved in their development. I'll try. I don't feel comfortable at the idea that a live environment could

Re: Debian live boot corrupting secure boot

2023-09-30 Thread Valerio Vanni
On 29/09/2023 05:39, Max Nikulin wrote: Yes, but couldn't it add new keys without blacklisting old ones? It is beyond my knowledge of UEFI and secure boot: specs, requirements from Microsoft, and state of affairs with bugs in implementations. That is why I am suggesting to check for

Re: Debian live boot corrupting secure boot

2023-09-29 Thread Steve McIntyre
valerio.va...@inwind.it wrote: >On Wed, 27 Sep 2023 09:54:31 +0700 Max Nikulin wrote: >> I found the issue on latest versions of Clonezilla, but then I tried >> >>^^ >> >> with plain Debian live and the behavior is the same. >> >> >> Does it mean that you

Re: Debian live boot corrupting secure boot

2023-09-29 Thread Steve McIntyre
Stefan wrote: >> With outdated keys secure boot does not protect you. > >Just to clarify: in 99.99% of the cases, SecureBoot does not protect you >(and is not designed to protect you either). Sigh. Lose the misinformation crap, please. It's getting tedious. -- Steve McIntyre, Cambridge, UK.

Re: Debian live boot corrupting secure boot

2023-09-28 Thread Max Nikulin
On 28/09/2023 16:45, Valerio Vanni wrote: On Thu, 28 Sep 2023 10:08:27 +0700 Max Nikulin wrote: After a vulnerability found in shim or grub (that allows to boot malicious code having no proper signature) old keys used by Linux distributions are revoked, new ones are generated. New images

Re: Debian live boot corrupting secure boot

2023-09-28 Thread Stefan Monnier
> With outdated keys secure boot does not protect you. Just to clarify: in 99.99% of the cases, SecureBoot does not protect you (and is not designed to protect you either). Stefan

Re: Debian live boot corrupting secure boot

2023-09-28 Thread The Wanderer
On 2023-09-28 at 05:16, Valerio Vanni wrote: > On Wed, 27 Sep 2023 22:14:57 -0400 The Wanderer > wrote: >>> But this way I would have to disable secure boot to load old Clonezilla. >>> Disable secure boot, launch clonezilla, restore image, reenable secure >>> boot, start OS. >> >> Well, why

Re: Debian live boot corrupting secure boot

2023-09-28 Thread Valerio Vanni
On Thu, 28 Sep 2023 10:08:27 +0700 Max Nikulin wrote: Thinking more, I have realized that updating secure boot keys in firmware may be the only way for grub to boot. You may try to search for docs and discussions to confirm such guess. After a vulnerability found in shim or grub (that

Re: Debian live boot corrupting secure boot

2023-09-28 Thread Valerio Vanni
On Wed, 27 Sep 2023 22:14:57 -0400 The Wanderer wrote: The failure at (3) sounds like what happened when old grub images were blacklisted in the UEFI Revocation List dbx. Also see . You should probably stop doing (4). But this way I would have to disable

Re: Debian live boot corrupting secure boot

2023-09-27 Thread Max Nikulin
On 28/09/2023 05:35, Valerio Vanni wrote: On Wed, 27 Sep 2023 09:54:31 +0700 Max Nikulin wrote: My opinion is that just loading boot images without installing OS should not modify firmware state. In this sense it may be a bug. Not only I didn't install any OS, I didn't boot any image. It's

Re: Debian live boot corrupting secure boot

2023-09-27 Thread The Wanderer
On 2023-09-27 at 18:04, Valerio Vanni wrote: > On 27/09/2023 05:22, Jeffrey Walton wrote: > >> On Tue, Sep 26, 2023 at 10:20 PM Valerio Vanni >> wrote: >>> 3) At next boots, secure boot refuses to boot from Clonezilla >>> live 2.8.1-12. The error is >>> "verification failed 0x1A security

Re: Debian live boot corrupting secure boot

2023-09-27 Thread Valerio Vanni
On Wed, 27 Sep 2023 09:54:31 +0700 Max Nikulin wrote: I found the issue on latest versions of Clonezilla, but then I tried ^^ with plain Debian live and the behavior is the same. Does it mean that you can not boot your *old* Clonezilla live after booting

Re: Debian live boot corrupting secure boot

2023-09-27 Thread Valerio Vanni
On 27/09/2023 05:22, Jeffrey Walton wrote: On Tue, Sep 26, 2023 at 10:20 PM Valerio Vanni wrote: Motherboard is an Asus H510M-A. I found the issue on latest versions of Clonezilla, but then I tried with plain Debian live and the behavior is the same. Booting a recent Debian USB key does

Re: Debian live boot corrupting secure boot

2023-09-26 Thread Jeffrey Walton
On Tue, Sep 26, 2023 at 10:20 PM Valerio Vanni wrote: > > Motherboard is an Asus H510M-A. > > I found the issue on latest versions of Clonezilla, but then I tried > with plain Debian live and the behavior is the same. > > Booting a recent Debian USB key does some modification on secure boot that >

Re: Debian live boot corrupting secure boot

2023-09-26 Thread Max Nikulin
On 27/09/2023 03:28, Valerio Vanni wrote: I found the issue on latest versions of Clonezilla, but then I tried ^^ with plain Debian live and the behavior is the same. Does it mean that you can not boot your *old* Clonezilla live after booting a latest