[ Please respond to the list too, so other people can see and take
  part in the conversation too. You're unfortunately using gmail,
  which makes it much harder to use mailing lists sensibly. :-( ]

On Sun, Jul 07, 2024 at 12:47:28PM +0200, Andre Gompel wrote:
>"That image is definitely built with UEFI SB stuff included, I've just
>double-checked. What error(s) are you seeing?"
>
>  thanks for the quick reply.
>The answer is the typical message "Verifying SBAT shim failed, etc...."
>Let me add that with the very same hardware, and software (sha256sum
>validation, and very reliable Fedora media writer), everything works fine with
>two other distros Fedora, and the latest Open Suse Leap, both shim-EFI signed.
>I also can normally use the very same USB thumb drive, on my other system with
>Secureboot disabled.
>So there is definitely no doubt that there is something wrong with the way the
>ISO is EFI-shim signed. (debugging this is not so easy!)

No, I know 100% there is no problem with the image at all.

Secure Boot is not a static thing where boot files are signed once and
work forever. To keep up to date and secure, SB binaries are revoked
from time to time to disable loading of older software with known
security holes. These revocations are stored in the EFI variable space
on each machine supporting Secure Boot, and will persist there. This
can cause boot media to stop working, with symptoms very like what you
have seen here.

What exact OSes have you booted on this hardware in the last 6 months
or so? It's likely that one of those has revoked older versions of
shim.

We have a newer version of the shim-signed package coming soon, most
likely in the 12.7 point release.

>  I am not exactly a distro hopper, I just need Debian (I used in the past)
>because of some SW with Debian packages and support only (the Google Flutter
>Framework)
>  I also have used Linux since the time of LILO etc....
>----
>I reiterate here, I cannot disable the Secure Boot (I don't have the BIOS
>password).

Then that is going to be a real problem for you, I'm afraid. If you
can't access the BIOS config, you are not in control of your system. :-(

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
"I suspect most samba developers are already technically insane... Of
 course, since many of them are Australians, you can't tell." -- Linus Torvalds
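
[ Added example, not part of the original message or of any project's code: a sketch of the generation comparison behind the SBAT revocations described above, showing why media carrying an older shim can stop booting once a higher revocation level is stored in the machine's EFI variables. The sample data is constructed, and the efivarfs path in read_sbat_level() is an assumption about where shim mirrors the applied level. ]

```python
import csv
import io

# Constructed sample: .sbat section of a boot binary (component,generation,...).
SAMPLE_BINARY_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://example.invalid/SBAT.md
shim,3,UEFI shim,shim,1,https://example.invalid/shim
shim.example,1,Example Distro,shim,15.7,https://example.invalid/distro
"""

# Constructed sample: revocation level persisted in EFI variable space.
SAMPLE_SBAT_LEVEL = """\
sbat,1,2024010900
shim,4
grub,3
"""

# Assumed location of the runtime copy of the level (not stated in the thread).
SBAT_LEVEL_PATH = ("/sys/firmware/efi/efivars/"
                   "SbatLevelRT-605dab50-e046-4300-abb6-3dd810dd8b23")


def parse_generations(text):
    """Return {component: generation} from SBAT-style CSV text."""
    gens = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].strip().isdigit():
            gens[row[0].strip()] = int(row[1])
    return gens


def revoked_components(binary_sbat, sbat_level):
    """List (component, binary_gen, required_gen) entries that fail the check.

    A binary is refused when any component it declares has a generation
    lower than the one recorded for that component in the revocation level.
    """
    binary = parse_generations(binary_sbat)
    level = parse_generations(sbat_level)
    return sorted((name, gen, level[name]) for name, gen in binary.items()
                  if name in level and gen < level[name])


def read_sbat_level(path=SBAT_LEVEL_PATH):
    """Read the level from efivarfs; the first 4 bytes are variable attributes."""
    with open(path, "rb") as fh:
        return fh.read()[4:].decode("ascii", errors="replace")


if __name__ == "__main__":
    for name, have, need in revoked_components(SAMPLE_BINARY_SBAT, SAMPLE_SBAT_LEVEL):
        print(f"{name}: binary generation {have} < revocation level {need}")
```
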
