On 27/09/2023 03:28, Valerio Vanni wrote:
> I found the issue on latest versions of Clonezilla, but then I tried
                       ^^^^^^
> with plain Debian live and the behavior is the same.
Does it mean that you cannot boot your *old* Clonezilla live after
booting the latest Clonezilla? If so, it is better to discuss the issue
with the shim or grub developers.
> 1) Machine brand new: secure boot is active, Windows 10 shows it active,
> I can boot an old Clonezilla live (2.8.1-12) as many times as I want.
                ^^^
An old image may be signed by a key that was later added to a certificate
revocation list. If so, secure boot just works as it is supposed to.
> 2) I boot from USB drive Debian Live 12
> https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-12.1.0-amd64-kde.iso
If it can be reproduced with a contemporary Clonezilla or e.g. a Fedora
image, then it is not a Debian issue. If it is specific to Debian
(I am unsure about Ubuntu and other Debian derivatives), then it is better
to file a bug providing more details.
> A note: to trigger the issue, there's no need to go on and load OS. It's
> enough to see the first page (that with grub entries) and then shutdown.
I have an old HP laptop with buggy firmware where fbx64.efi (from shim)
tries to fix the NVRAM boot entries on each boot, so it is better to avoid
this file on that machine. It happens before grub, but I do not think it
is relevant to your issue.
> 4) I reflash BIOS, same version, and go to point 1.
How old is your BIOS? Maybe you just restore an obsolete list of signing keys.
I suggest comparing the output of
    efibootmgr -v
in the state when Clonezilla may be booted and when it fails. In
addition, the public keys and the certificate revocation list should be
compared (I am unsure about the exact commands).
My opinion is that just loading boot images without installing an OS should
not modify firmware state. In this sense it may be a bug.
On the other hand, forget about old images if you have secure boot enabled. A
security vulnerability may result in a requirement to sign all boot images
with new keys, while older ones are added to revocation lists that are
updated with a firmware update or by the OS.
If you can confirm that the Clonezilla signing key has not been revoked, then
it is a subject for a bug report.
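The reply above leaves the "compare the public keys and the revocation list" step without a concrete command. The script below is an added example by the editor, not code from the thread, Debian, shim or Clonezilla: it reads PK, KEK, db and dbx from efivarfs, parses the EFI_SIGNATURE_LIST chain so each variable can be summarized as a digest plus entry counts (X.509 certificates vs. SHA-256 image hashes), and reports which variables changed between two snapshots taken before and after booting the live image. It assumes efivarfs is mounted at /sys/firmware/efi/efivars (the directory is a parameter so the demo can run on constructed files) and that efibootmgr is on PATH; the GUIDs are the UEFI specification values, the demo data (owner GUID, certificate blob, hashes) is constructed.

```python
"""Snapshot and compare UEFI Secure Boot variables between boots.

Added example for this thread, not code from Debian, shim or Clonezilla. Assumes
efivarfs at /sys/firmware/efi/efivars (passed as a parameter so the demo can use
constructed files) and efibootmgr on PATH."""
import hashlib
import os
import shutil
import struct
import subprocess
import tempfile
import uuid

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
# Variable name -> vendor GUID, as used in the efivarfs file name "<name>-<guid>".
SECURE_BOOT_VARS = {"PK": EFI_GLOBAL_VARIABLE, "KEK": EFI_GLOBAL_VARIABLE,
                    "db": EFI_IMAGE_SECURITY_DATABASE, "dbx": EFI_IMAGE_SECURITY_DATABASE}
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIGLIST_HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize

def read_efivar(efivars_dir, name, guid):
    """Payload of one variable (efivarfs prepends a 4-byte attributes word), or None."""
    path = os.path.join(efivars_dir, f"{name}-{guid}")
    if not os.path.exists(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()[4:]

def parse_signature_lists(data):
    """Walk the EFI_SIGNATURE_LIST chain of a db/dbx payload and return
    [(signature_type, [(owner_guid, signature_bytes), ...]), ...]."""
    lists, off = [], 0
    while off < len(data):
        if off + SIGLIST_HDR.size > len(data):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at {off}")
        raw_type, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(data, off)
        body = data[off + SIGLIST_HDR.size + hdr_size:off + list_size]
        if (list_size < SIGLIST_HDR.size or off + list_size > len(data)
                or sig_size <= 16 or len(body) % sig_size):
            raise ValueError(f"corrupt EFI_SIGNATURE_LIST at {off}")
        entries = [(uuid.UUID(bytes_le=body[i:i + 16]), body[i + 16:i + sig_size])
                   for i in range(0, len(body), sig_size)]
        lists.append((uuid.UUID(bytes_le=raw_type), entries))
        off += list_size
    return lists

def build_signature_list(sig_type, owner, signatures):
    """Serialize one EFI_SIGNATURE_LIST; used by demo() to construct sample data."""
    sig_size = 16 + len(signatures[0])
    body = b"".join(owner.bytes_le + s for s in signatures)
    return SIGLIST_HDR.pack(sig_type.bytes_le, SIGLIST_HDR.size + len(body), 0, sig_size) + body

def summarize(efivars_dir):
    """Per variable: SHA-256 of the raw payload plus entry counts by signature type."""
    summary = {}
    for name, guid in SECURE_BOOT_VARS.items():
        payload = read_efivar(efivars_dir, name, guid)
        if payload is None:
            summary[name] = None
            continue
        counts = {"x509": 0, "sha256": 0, "other": 0}
        for sig_type, entries in parse_signature_lists(payload):
            kind = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}.get(sig_type, "other")
            counts[kind] += len(entries)
        summary[name] = {"digest": hashlib.sha256(payload).hexdigest(), **counts}
    return summary

def changed_variables(before, after):
    """Names of the variables whose payload differs between two summaries."""
    def digest(snap, name):
        return (snap.get(name) or {}).get("digest")
    return [n for n in SECURE_BOOT_VARS if digest(before, n) != digest(after, n)]

def boot_entries():
    """Output of `efibootmgr -v`, to be diffed alongside the variables; None if absent."""
    if shutil.which("efibootmgr") is None:
        return None
    return subprocess.run(["efibootmgr", "-v"], capture_output=True, text=True).stdout

def demo():
    """Constructed scenario: the second 'boot' has one more SHA-256 hash in dbx
    (a revoked image) while PK and db are untouched and KEK is absent."""
    owner = uuid.UUID(int=1)                   # constructed owner GUID
    cert = b"\x30\x82" + b"\x00" * 30          # stand-in for a DER certificate
    revoked = [hashlib.sha256(b"constructed-old-shim").digest()]
    snapshots = []
    for extra in ([], [hashlib.sha256(b"constructed-older-shim").digest()]):
        d = tempfile.mkdtemp()
        for name, payload in (
                ("PK", build_signature_list(EFI_CERT_X509_GUID, owner, [cert])),
                ("db", build_signature_list(EFI_CERT_X509_GUID, owner, [cert])),
                ("dbx", build_signature_list(EFI_CERT_SHA256_GUID, owner, revoked + extra))):
            with open(os.path.join(d, f"{name}-{SECURE_BOOT_VARS[name]}"), "wb") as fh:
                fh.write(b"\x27\x00\x00\x00" + payload)   # attributes word + data
        snapshots.append(summarize(d))
        shutil.rmtree(d)
    return snapshots[0], snapshots[1], changed_variables(*snapshots)
```

On a real machine, run summarize("/sys/firmware/efi/efivars") and boot_entries() once in the state where the old Clonezilla boots and once after booting the Debian live image, then compare the two results: a changed dbx digest with a higher SHA-256 or X.509 count means a revocation update was applied, while a changed efibootmgr listing points at NVRAM boot entries being rewritten (the fbx64.efi behaviour mentioned above). Reading efivarfs needs root, and the files are read-only here, so the script itself cannot alter firmware state.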