On 28/09/2023 05:35, Valerio Vanni wrote:
> On Wed, 27 Sep 2023 09:54:31 +0700 Max Nikulin wrote:
>> My opinion is that just loading boot images without installing an OS
>> should not modify firmware state. In this sense it may be a bug.
> Not only did I not install any OS, I didn't boot any image. It's enough
> to reach the first page (grub entries) and the damage is done.
Thinking more, I have realized that updating secure boot keys in
firmware may be the only way for grub to boot. You may try to search for
docs and discussions to confirm such a guess.

After a vulnerability is found in shim or grub (one that allows booting
malicious code without a proper signature), the old keys used by Linux
distributions are revoked and new ones are generated. New images signed
by the new keys are published.

Consider booting a new image on a box with an outdated set of keys
(old BIOS). The machine is unaware of the new keys, so unless the keys are
updated, it prohibits booting the new images as insecure. With up-to-date
keys, the certificate revocation list is loaded as well, making booting
of older (and thus vulnerable) images impossible. That is why just
loading an .EFI file may prevent further booting of old images.

Perhaps loading of the updated key chain might be made transient,
affecting the current boot only. I have no idea what the obstacles are:
it is not allowed by the secure boot policy, it is not supported by
firmware, it is unreliable due to bugs in firmware, or it is just not
implemented in shim or grub.

On the other hand, forget old images if you have secure boot enabled.
Or forget the new ones ;-)

I have never tried it, but perhaps you may enroll your own keys and
rebuild old images with EFI files signed by you. See "master owner keys".

With outdated keys secure boot does not protect you. Is it Windows that
prevents you from just turning secure boot off? I would not be surprised
if during some Windows update the certificate revocation list were
updated as well, so you would not be able to boot your old Clonezilla
any more.

Why are you avoiding up-to-date Clonezilla? Does it have backward
compatibility issues making old backups useless?
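The "certificate revocation list" discussed above is the UEFI forbidden-signature database, the dbx variable: a concatenation of EFI_SIGNATURE_LIST structures whose SHA-256 entries are the Authenticode digests of binaries the firmware must refuse to start. The Python below is an illustration added to this thread, not code from shim, grub, any firmware or any distribution. It builds a constructed dbx, parses it the way a firmware or shim would walk the variable, and checks whether an image hash is revoked. The GUIDs and the structure layout are from the UEFI specification; the two sample "images", their hashes and the all-zero owner GUID are placeholders constructed for the example.

```python
"""Parse a UEFI db/dbx variable and check whether an EFI binary is revoked.

Example code added to this thread; it is not part of shim, grub or any firmware.
"""
import hashlib
import struct
import uuid

# SignatureType GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Vendor GUID under which db and dbx are exposed in efivarfs.
EFI_IMAGE_SECURITY_DATABASE_GUID = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")

SIG_LIST_HEADER = 28  # GUID (16) + SignatureListSize + SignatureHeaderSize + SignatureSize


def build_signature_list(sig_type, owner, entries):
    """Serialise one EFI_SIGNATURE_LIST with no SignatureHeader.

    Every entry in a list has the same size; each is an EFI_SIGNATURE_DATA,
    i.e. the 16-byte SignatureOwner GUID followed by the signature bytes.
    """
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all entries of one list must have the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + e for e in entries)
    header = sig_type.bytes_le + struct.pack("<III", SIG_LIST_HEADER + len(body), 0, sig_size)
    return header + body


def parse_signature_lists(data):
    """Yield (signature_type, owner, signature_bytes) for each entry in a
    db/dbx blob, validating sizes so a truncated or corrupt variable raises
    instead of being silently misread."""
    off = 0
    while off < len(data):
        if len(data) - off < SIG_LIST_HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < SIG_LIST_HEADER + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize")
        pos = off + SIG_LIST_HEADER + hdr_size
        end = off + list_size
        if sig_size < 16 or (end - pos) % sig_size:
            raise ValueError("bad SignatureSize")
        while pos < end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_hashes(dbx_data):
    """All SHA-256 image digests listed in a dbx blob."""
    return {sig for t, _, sig in parse_signature_lists(dbx_data) if t == EFI_CERT_SHA256_GUID}


def is_image_revoked(image_hash, dbx_data):
    """True if this Authenticode digest is forbidden by dbx."""
    return image_hash in revoked_hashes(dbx_data)


def read_efivar(path):
    """Read a variable from efivarfs; the first 4 bytes are attribute flags."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample data (placeholders, not real shim/grub digests). A real
# dbx holds the PE Authenticode SHA-256 of each forbidden binary, not a plain
# file hash; sha256 over these stand-in bytes is used here only for illustration.
OLD_IMAGE = b"constructed stand-in for an old, vulnerable image"
NEW_IMAGE = b"constructed stand-in for the freshly signed image"
OLD_HASH = hashlib.sha256(OLD_IMAGE).digest()
NEW_HASH = hashlib.sha256(NEW_IMAGE).digest()
OTHER_HASH = hashlib.sha256(b"constructed stand-in for another revoked image").digest()
PLACEHOLDER_OWNER = uuid.UUID(int=0)  # hypothetical SignatureOwner

# Two concatenated lists, as a real dbx often is after several updates.
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, PLACEHOLDER_OWNER, [OLD_HASH])
    + build_signature_list(EFI_CERT_SHA256_GUID, PLACEHOLDER_OWNER, [OTHER_HASH])
)

if __name__ == "__main__":
    for name, h in (("old image", OLD_HASH), ("new image", NEW_HASH)):
        print(name, "REVOKED" if is_image_revoked(h, SAMPLE_DBX) else "allowed")
```

On a running Linux system the same parser can be pointed at the live variable with `read_efivar("/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f")` (or compare against `mokutil --dbx`), which is a quick way to confirm whether booting a Clonezilla image really did append entries. One caveat: shim can also block older shim/grub builds through SBAT generation numbers, which are not SHA-256 entries in dbx, so an image absent from dbx may still be refused.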