On 29/09/2023 05:39, Max Nikulin wrote:

>> Yes, but couldn't it add new keys without blacklisting old ones?
>
> It is beyond my knowledge of UEFI and secure boot: specs, requirements from Microsoft, and state of affairs with bugs in implementations. That is why I am suggesting to check for discussions related to shim & grub and to ask people involved in their development.

I'll try. I don't feel comfortable with the idea that a live environment could do such a change. I think that a live environment should not modify the system. Yes, *you* could do something when it's loaded, but an automatic (and silent) modification at the grub page seems very bad.

At least a warning "I'm going to blacklist something, do you want to continue?".

It's like you call a technician to fix something in your house (wall paintings, shower, taps etc.), the technician thinks that the main door is not secure and (also without telling you) alters the door lock and you cannot pass anymore. Or you cannot use all your keys but only some.

The technician is the live key.
And coming back from houses to IT, it's related because technicians often use live boots to diagnose and fix.

I see that Clonezilla and Partclone maintainers are working on the matter. It's not simple, since the issue happens only on some hardware.

But let's say they'll fix it in some months. I'll still be worried about live Linux environments.

>> Do you mean load new EFI files in old Clonezilla?
>
> Yes, I do. My idea is to build a custom image of old Clonezilla with EFI files signed by your own keys. The downside is that you need to install your keys to every box where you are going to boot your images.

Doesn't seem practical. I am the maintainer of that disk image: I keep it updated, I keep it tested after updates and after modifications I get from applications' maintainers. Then I distribute the image to other technicians to deploy new machines (or reimage old ones).

I don't have all the machines in my hands. I install only some at the customer by myself. Others go from reseller to other technicians and are cloned by them with my image.
I should consider compatibility between me and them.

Consider also that these machines' life is with Windows 10. They are booted with Clonezilla only before the first install and if the machine has to be reimaged because the OS is scrambled, the disk is dead and replaced, etc.

I understand the idea "if some key is blacklisted, it's good that this blacklist is enrolled to machines". But neither Asus (BIOS from start of September) nor Microsoft (Windows 11) does that blacklisting. If, say, I don't load Clonezilla at all, neither old nor new one, there is no blacklist and the security level is the same. Basically, I load the new Clonezilla and get the old one blacklisted.

Is that extra security level needed?

Windows works with or without secure boot, but I'd like to leave it on.
So far, no Windows update did such thing. I also tried update from Windows 10 to Windows 11, and nothing happened.

> Notice, it is still just a hypothesis that your issues are caused by new keys and it has to be confirmed by comparing key lists before and after.

I'll try with
efibootmgr -v
when I have another machine here.

I don't know if Clonezilla has this package installed; if not I'll try to carry one or more *.debs on my USB key. It's not easy to install things in that environment, because it's not based on a stable version but on Sid.

So when you read Clonezilla changelogs you don't read "Debian 10,11 etc", instead you find "based on Sid of a particular date".

It took many tries to carry partclone*.deb I had downloaded from deb-src and then recompiled with modified source to test a flag. Many tries to find the right Debian version.

> If latest installation, repair, etc. images from Microsoft do not cause the issue then chances that shim+grub may behave in a similar way are higher.
>
> If booting grub built by Fedora or some other distribution unrelated to Debian does not cause the issue then it may be a Debian-specific bug. Am I right that Clonezilla is based on Ubuntu, so it may use the same patches?

Clonezilla comes in many flavours, the main line is based on Debian (stable - testing) and the alternate one is based on Ubuntu (alternate stable - alternate testing).

I'll try also with an unrelated distribution, as you suggest.
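One way to do the before/after comparison of the Secure Boot databases that Max asks for, as an added example that is not part of this thread: it parses the chain of EFI_SIGNATURE_LIST structures stored in the db/dbx variables (when dumped from /sys/firmware/efi/efivars/ the file starts with a 4-byte attributes word that must be dropped first) and lists the entries present only in the later snapshot. The two sample blobs and the owner GUID below are constructed for the demonstration, not taken from any real firmware.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

def strip_efivars_attributes(raw):
    """Files under /sys/firmware/efi/efivars/ prefix the data with 4 attribute bytes."""
    return raw[4:]

def parse_signature_lists(blob):
    """Return (type_guid, owner_guid, data) for every entry in a chain of EFI_SIGNATURE_LISTs."""
    entries, off = [], 0
    while off + 28 <= len(blob):
        type_guid = uuid.UUID(bytes_le=blob[off:off + 16])  # GUIDs are stored mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob):
            raise ValueError("truncated EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA: owner GUID + payload
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((type_guid, owner, blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def added_since(before_blob, after_blob):
    """Entries present in the later snapshot but not in the earlier one (order preserved)."""
    seen = set(parse_signature_lists(before_blob))
    return [e for e in parse_signature_lists(after_blob) if e not in seen]

def build_sha256_list(hashes, owner):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries; used here only to construct sample data."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + 32) + body

# Constructed sample (placeholder owner GUID, fake hashes): two dbx entries before, one more after.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
H1, H2, H3 = bytes(range(32)), bytes(range(32, 64)), b"\xaa" * 32
DBX_BEFORE = build_sha256_list([H1, H2], SAMPLE_OWNER)
DBX_AFTER = DBX_BEFORE + build_sha256_list([H3], SAMPLE_OWNER)

if __name__ == "__main__":
    # With real dumps: added_since(strip_efivars_attributes(open(before).read()), ...)
    for type_guid, owner, data in added_since(DBX_BEFORE, DBX_AFTER):
        kind = "sha256" if type_guid == EFI_CERT_SHA256_GUID else str(type_guid)
        print("new %s entry, owner %s: %s" % (kind, owner, data.hex()))
```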
