On Wed, Jul 03, 2024 at 06:31:39PM +0200, Roland Clobus wrote:
>On 03/07/2024 18:21, Roland Clobus wrote:
>> Thanks! That did the trick, it shows one offending entry, which causes
>> this issue: grub,3 (see screenshot)
>
>Oops. Actually, it is shim which causes the issue, as the screenshot shows
>that shim has version 3, and at least version 4 is required.

Sorry for not responding sooner - $life. :-(

The new signed shim that's in unstable ramps up the minimum SBAT
level, as you've seen. This is going to happen from time to time to
ensure that older (and known insecure) versions of grub and shim will
not load on a Secure Boot system.

Unfortunately, the split between unstable and testing makes for this
awkward problem here. Once the new shim-signed migrates into testing
and things are in sync again, this *particular* issue will be solved.

I'm working on the equivalent shim-signed packages for bookworm,
bullseye and buster now. They will have the same minimum SBAT level,
but will turn up in the archive in one piece.

There are other alternatives on your test systems:

 1. disable secure boot while testing (which of course is *not* the
    right answer long-term!)

 2. use mokutil --set-sbat-policy from a running system to go back to
    a previous SBAT minimum level, or delete the policy altogether

 3. if you're testing in a qemu VM, you can also use "virt-fw-vars"
    from the "python3-virt-firmware" package to modify the SBAT (and
    other) firmware settings from outside the VM. This is
    *incredibly* useful when doing development and CI with shim.

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
< sladen> I actually stayed in a hotel and arrived to find a post-it
          note stuck to the mini-bar saying "Paul: This fridge and
          fittings are the correct way around and do not need altering"
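
The generation comparison behind the "shim has version 3, and at least version 4 is required" failure discussed in this thread, as an added example that is not part of the original message or of shim's own code. The SBAT text, the minimum-level lists and the function names are constructed for illustration.

```python
# Added illustration: compare a binary's SBAT entries against a minimum SBAT level.
# All sample data below is constructed; it is not taken from a real package.

def parse_sbat(text):
    """Parse SBAT CSV lines (component,generation,...) into {component: generation}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError(f"malformed SBAT line: {line!r}")
        entries[fields[0]] = int(fields[1])
    return entries

def sbat_violations(binary_sbat, minimum_levels):
    """Return (component, found, required) for each component below the minimum."""
    have = parse_sbat(binary_sbat)
    need = parse_sbat(minimum_levels)
    # Only components named in the minimum-level list are checked; a binary is
    # refused if any of them carries a lower generation than the list demands.
    return sorted(
        (name, gen, need[name])
        for name, gen in have.items()
        if name in need and gen < need[name]
    )

# Constructed .sbat content for an older shim build (vendor fields are placeholders).
SHIM_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim
shim.example,1,Example Vendor,shim,0.0,https://example.invalid/shim
"""

# Constructed minimum levels: the raised one from the thread and a previous one.
NEW_MINIMUM = "sbat,1,2024010100\nshim,4\ngrub,3\n"
OLD_MINIMUM = "sbat,1,2023010100\nshim,3\ngrub,3\n"

if __name__ == "__main__":
    for label, policy in (("new", NEW_MINIMUM), ("previous", OLD_MINIMUM)):
        bad = sbat_violations(SHIM_SBAT, policy)
        print(label, "minimum:", bad if bad else "no violation")
```

On a real system the two inputs would be the `.sbat` section of the EFI binary and the SBAT level stored in the firmware variables.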