Hello list,

On 03/07/2024 08:38, Pascal Hambourg wrote:
> On 03/07/2024 at 08:13, Roland Clobus wrote:
>> Who can find out which part in this file is causing the issue? Or which tools do I need to use to debug this?
>
> Maybe increase shim verbosity with
> # mokutil --set-verbosity true

Thanks! That did the trick, it shows one offending entry, which causes this issue: grub,3 (see screenshot)
Whenever the virtual machine was booted in secure UEFI boot with a newer version, that would revoke the version for GRUB.

To reproduce:
* Use the stock OVMF_VARS_4M.ms.fd
* Boot with the live 12.6.0 bookworm image (I used 'standard') [1] or the netinst image [2]
* mokutil --list-sbat-revocations shows:
    sbat,1,2022052400
    grub,2
* Boot with a freshly built live sid image [3]
* mokutil --list-sbat-revocations shows:
    sbat,1,2024010900
    shim,4
    grub,3
    grub.debian,4
* Boot with the bookworm image again -> the SBAT error message is shown.

This would mean that any machine that got an SBAT revocation would not be able to boot the official Debian Bookworm images any more.
Does this mean that it would be necessary to release a set of 12.6.1 images? (i.e. live, netinst, etc.)

Further reading regarding SBAT: [4]

With kind regards,
Roland Clobus

---
[1] https://get.debian.org/images/release/current-live/amd64/iso-hybrid/
[2] https://get.debian.org/images/release/current/amd64/iso-cd/debian-12.6.0-amd64-netinst.iso
[3] e.g. from openQA: https://openqa.debian.net/tests/278991/asset/iso/smallest-build_sid_20240703T081003Z.iso
[4] https://github.com/rhboot/shim/blob/main/SBAT.md
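
The generation comparison behind the error in the message above, as an added example that is not part of the original post and is not shim's own code. The two revocation lists are the mokutil outputs quoted in the message; the image's .sbat contents are constructed, since the page does not show them (generation 2 for grub is an assumption consistent with the reported behaviour), and the function names are hypothetical.

```python
import csv

# Revocation lists as quoted in the message (mokutil --list-sbat-revocations).
REVOCATIONS_BOOKWORM = "sbat,1,2022052400\ngrub,2\n"
REVOCATIONS_SID = "sbat,1,2024010900\nshim,4\ngrub,3\ngrub.debian,4\n"

# Constructed .sbat section for an older GRUB image (assumed values, not from the page).
# Fields: component,generation,vendor,package,version,url
IMAGE_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,2,Free Software Foundation,grub,VERSION-PLACEHOLDER,https://www.gnu.org/software/grub/
grub.debian,4,Debian,grub2,VERSION-PLACEHOLDER,https://tracker.debian.org/pkg/grub2
"""

def parse_revocations(text):
    """Map component name -> minimum generation still allowed to boot."""
    levels = {}
    for row in csv.reader(text.strip().splitlines()):
        # Second field is the generation; on the 'sbat' line the third is a datestamp.
        if len(row) >= 2 and row[1].strip().isdigit():
            levels[row[0].strip()] = int(row[1])
    return levels

def parse_image_sbat(text):
    """Return (component, generation) pairs from a .sbat section."""
    entries = []
    for row in csv.reader(text.strip().splitlines()):
        if len(row) >= 2 and row[1].strip().isdigit():
            entries.append((row[0].strip(), int(row[1])))
    return entries

def revoked_entries(image_sbat, revocations):
    """List (component, image_generation, required_generation) for each entry
    whose generation is lower than the revocation list demands."""
    levels = parse_revocations(revocations)
    return [(name, gen, levels[name])
            for name, gen in parse_image_sbat(image_sbat)
            if name in levels and gen < levels[name]]

if __name__ == "__main__":
    for label, revs in (("bookworm list", REVOCATIONS_BOOKWORM),
                        ("sid list", REVOCATIONS_SID)):
        bad = revoked_entries(IMAGE_SBAT, revs)
        print(label, "->", "boots" if not bad else f"rejected: {bad}")
```

A single entry below the required generation is enough for the image to be rejected, which is why the stored revocation list persists as a problem after switching back to the older image.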