On Wed, Jul 03, 2024 at 06:31:39PM +0200, Roland Clobus wrote:
>On 03/07/2024 18:21, Roland Clobus wrote:
>> Thanks! That did the trick, it shows one offending entry, which causes
>> this issue: grub,3 (see screenshot)
>
>Oops. Actually, it is shim which causes the issue, as the screenshot shows
>that shim has version 3, and at least version 4 is required.

Sorry for not responding sooner - $life. :-(

The new signed shim that's in unstable ramps up the minimum SBAT
level, as you've seen. This is going to happen from time to time to
ensure that older (and known insecure) versions of grub and shim will
not load on a Secure Boot system. Unfortunately, the split between
unstable and testing makes for this awkward problem here. Once the new
shim-signed migrates into testing and things are in sync again, this
*particular* issue will be solved. I'm working on the equivalent
shim-signed packages for bookworm, bullseye and buster now. They will
have the same minimum SBAT level, but will turn up in the archive in
one piece.

There are other alternatives on your test systems:

 1. disable secure boot while testing (which of course is *not* the
    right answer long-term!)

 2. use mokutil --set-sbat-policy from a running system to go back to
    a previous SBAT minimum level, or delete the policy altogether

 3. if you're testing in a qemu VM, you can also use "virt-fw-vars"
    from the "python3-virt-firmware" package to modify the SBAT (and
    other) firmware settings from outside the VM. This is *incredibly*
    useful when doing development and CI with shim.

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
< sladen> I actually stayed in a hotel and arrived to find a post-it
          note stuck to the mini-bar saying "Paul: This fridge and
          fittings are the correct way around and do not need altering"
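
An added illustration, not part of the original message: a simplified Python model of the generation comparison behind the SBAT minimum level discussed above. The policy and `.sbat` text are constructed sample data, the function names are hypothetical, and this is not shim's own code.

```python
import csv
import io

# Constructed sample data (not read from any real binary or firmware).
# SBAT_LEVEL models a minimum-level policy: component,minimum_generation.
SBAT_LEVEL = "sbat,1,2024010900\nshim,4\ngrub,3\n"

# Constructed .sbat metadata: component,generation,vendor,package,version,url
OLD_SHIM_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://example.invalid/SBAT.md\n"
    "shim,3,UEFI shim,shim,1,https://example.invalid/shim\n"
    "shim.debian,1,Debian,shim,0.0,https://example.invalid/pkg/shim\n"
)
GRUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://example.invalid/SBAT.md\n"
    "grub,3,Free Software Foundation,grub,0.0,https://example.invalid/grub\n"
)


def parse_levels(text):
    """Return {component: generation} from the first two CSV columns."""
    levels = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].strip().isdigit():
            levels[row[0].strip()] = int(row[1])
    return levels


def revoked_entries(binary_sbat, sbat_level):
    """List (component, have, need) for each entry below the minimum."""
    have = parse_levels(binary_sbat)
    need = parse_levels(sbat_level)
    # A component is only judged if the policy names it; an entry equal
    # to the minimum passes, an entry below it blocks the whole binary.
    return [(name, have[name], minimum)
            for name, minimum in need.items()
            if name in have and have[name] < minimum]


def may_load(binary_sbat, sbat_level):
    """True when no entry of the binary falls below the policy minimum."""
    return not revoked_entries(binary_sbat, sbat_level)


if __name__ == "__main__":
    for label, sbat in (("old shim", OLD_SHIM_SBAT), ("grub", GRUB_SBAT)):
        print(label, may_load(sbat, SBAT_LEVEL),
              revoked_entries(sbat, SBAT_LEVEL))
```

With this sample policy the grub entry at generation 3 passes because it equals the minimum, while the shim entry at generation 3 is refused because the policy asks for 4.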
