Answering the specific question here... On Wed, Jul 03, 2024 at 06:21:27PM +0200, Roland Clobus wrote: > >To reproduce: >* Use the stock OVMF_VARS_4M.ms.fd >* Boot with the live 12.6.0 bookworm image (I used 'standard') [1] or the >netinst image [2] >* mokutil --list-sbat-revocations shows: >sbat,1,2022052400 >grub,2 >* Boot with a freshly built live sid image [3] >* mokutil --list-sbat-revocations shows: >sbat,1,2024010900 >shim,4 >grub,3 >grub.debian,4 >* Boot with the bookworm image again -> the SBAT error message is shown. > >This would mean that any machine that got an SBAT revocation would not be >able to boot the official Debian Bookworm images any more. > >Does this mean that it would be necessary to release a set of 12.6.1 images? >(i.e. live, netinst, etc.)
I was hoping to get the new shim-signed packages prepped for the 12.6 and 11.10 builds, but unfortunately the signing process at Microsoft took too long. I'm planning on adding them shortly so we'll get them for 12.7 and 11.11 (and buster-security). In the meantime, you'll need to manage firmware variables if you're switching between sid and bookworm images. -- Steve McIntyre, Cambridge, UK. st...@einval.com "Since phone messaging became popular, the young generation has lost the ability to read or write anything that is longer than one hundred and sixty characters." -- Ignatios Souvatzis
