On Thu, 28 Sep 2023 10:08:27 +0700 Max Nikulin wrote:
> Thinking more, I have realized that updating secure boot keys in firmware may
> be the only way for grub to boot. You may try to search for docs and
> discussions to confirm such a guess.
> After a vulnerability is found in shim or grub (one that allows booting malicious code
> having no proper signature), old keys used by Linux distributions are revoked and
> new ones are generated. New images signed by the new keys are published.
Yes, but couldn't it add new keys without blacklisting old ones?
Remember we are talking about a live environment, not an installed one.
This is breaking something I was sure about.
I always considered loading a live environment a safe action. I've
always expected to find the machine as it was before, now I cannot
expect it anymore.
Furthermore, here we are talking about a new live that prevented another
live from booting. But it could happen that I load a live and break
loading of resident OS. Bad result.
> Perhaps loading of an updated key chain might be made transient, affecting the current
> boot only. I have no idea what the obstacles are: it is not allowed by secure
> boot policy, it is not supported by firmware, it is unreliable due to bugs in
> firmware, or it is just not implemented in shim or grub.
It would be a better choice.
Or forget the new ones ;-)
> I have never tried it, but perhaps you may enroll your own keys and rebuild old images to
> put in EFI files signed by you. See "master owner keys".
Do you mean load new EFI files in old Clonezilla?
> With outdated keys secure boot does not protect you. Is it Windows that
> prevents you from just turning secure boot off? I would not be surprised if,
> during some update of Windows, the certificate revocation list were updated as
> well, so you would not be able to boot your old Clonezilla any more.
Windows works with or without secure boot, but I'd like to leave it on.
So far, no Windows update did such thing. I also tried update from
Windows 10 to Windows 11, and nothing happened.
Nor did the latest BIOS update from Asus (released at the start of this month)
prevent anything from booting. Perhaps hardware manufacturers choose not to
blacklist anything, and only new grubs blacklist old ones?