On Wed, Jul 03, 2024 at 09:29:11PM +0100, Steve McIntyre wrote:
>
>There are other alternatives on your test systems:
>
> 1. disable secure boot while testing (which of course is *not* the
> right answer long-term!)
>
> 2. use mokutil --set-sbat-policy from a running system to go back to
> a previous SBAT minimum level, or delete the policy altogether
>
> 3. if you're testing in a qemu VM, you can also use "virt-fw-vars"
> from the "python3-virt-firmware" package to modify the SBAT (and
> other) firmware settings from outside the VM. This is *incredibly*
> useful when doing development and CI with shim.
In fact, having tested lots more combinations of things today (covering
all of buster, bullseye, bookworm and unstable), I can say that #2 above
will likely *not* work, in fact.

Once we roll out the updated signed shims for all of the older releases,
that will break secure booting with existing installation and live
media. This is not great, I'll admit.

The updates in older stable releases might cause problems when they
happen, but they'll all hit the archive on the next point release
weekend. At the same point we'll have new media that will boot in SB
with the new settings, so I think this is fine.

The thornier problem is the shim-signed that's in unstable right now.
It hasn't migrated to testing yet (and won't without an unblock AFAICS),
so there is a comparatively limited set of machines with it installed.
I'm *tempted* to revert shim-signed and go back to using the previous
15.7 shim *for now* there. Then move forward to 15.8 again just before
the point release.

How does that sound? Feedback welcome...

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
Armed with "Valor": "Centurion" represents quality of Discipline,
Honor, Integrity and Loyalty. Now you don't have to be a Caesar to
concord the digital world while feeling safe and proud.
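The breakage Steve describes (a raised SBAT minimum level refusing to boot media that carries an older shim) can be reproduced offline without touching firmware variables. The following Python script is an added example, not code from the Debian thread or from the shim or mokutil projects: it parses an SBAT revocation list in the text format shim stores in its SbatLevel variable (the same data `mokutil --list-sbat-revocations` prints) and the CSV from a binary's `.sbat` section, and reports which component generation would cause the binary to be rejected. The sample revocation list and the two `.sbat` payloads are constructed for the example; the shim generation numbers 3 and 4 used for the "old" and "new" shim are assumed values for illustration, not a claim about what shim 15.7 and 15.8 actually declare.

```python
"""Offline SBAT policy check (added example; not from the Debian thread or shim itself).

SBAT revocation lists are CSV-like text, one entry per line:
    component,minimum_generation[,extra fields ignored]
A signed EFI binary carries a .sbat section in the same shape, with the
generation it implements in the second field.  A binary is refused when it
declares a component at a generation lower than the list's minimum.
"""

# Constructed sample data for this example.
REVOCATION_LIST = "sbat,1,2024010900\nshim,4\ngrub,3\n"

# Constructed .sbat sections: "old" media shim at generation 3 (assumed), new at 4.
OLD_SHIM_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim\n"
)
NEW_SHIM_SBAT = OLD_SHIM_SBAT.replace("shim,3,UEFI shim", "shim,4,UEFI shim")


def _parse_csv_generations(text):
    """Return {component: generation} from SBAT-style CSV text, skipping blanks."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(",")
        if len(fields) < 2:
            raise ValueError(f"malformed SBAT line: {line!r}")
        result[fields[0]] = int(fields[1])
    return result


def parse_revocations(text):
    """Parse a revocation list (SbatLevel variable / mokutil output)."""
    return _parse_csv_generations(text)


def parse_sbat_section(text):
    """Parse the .sbat section of an EFI binary."""
    return _parse_csv_generations(text)


def check_binary(sbat_text, revocation_text):
    """Return (allowed, reasons): reasons lists every component below the minimum.

    Components that the policy names but the binary does not declare are not a
    problem; the check only fails on a declared generation that is too old.
    """
    policy = parse_revocations(revocation_text)
    declared = parse_sbat_section(sbat_text)
    reasons = []
    for component, minimum in policy.items():
        generation = declared.get(component)
        if generation is not None and generation < minimum:
            reasons.append(f"{component}: generation {generation} < required {minimum}")
    return (not reasons, reasons)


def read_sbatlevel_from_efivars(path):
    """Read the live SbatLevel variable from efivarfs on a running system.

    efivarfs prefixes the payload with a 4-byte attributes word, which is
    stripped here.  This helper is not exercised by the constructed samples.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    return data[4:].decode("ascii", errors="replace")


if __name__ == "__main__":
    for label, sbat in (("old media shim", OLD_SHIM_SBAT), ("new shim", NEW_SHIM_SBAT)):
        allowed, reasons = check_binary(sbat, REVOCATION_LIST)
        print(f"{label}: {'boots' if allowed else 'REFUSED'} {reasons}")
```

The asymmetry in `check_binary` is the point that matters for the rollout in the thread: a new shim is happy to boot alongside old media as long as the policy is not raised, but once the SbatLevel variable on the machine has been bumped (which shim does automatically when it carries a newer list), every older shim on installation or live media fails the comparison, and only lowering or deleting the stored policy brings those images back.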