On 28/09/2023 16:45, Valerio Vanni wrote:
On Thu, 28 Sep 2023 10:08:27 +0700 Max Nikulin wrote:
After a vulnerability found in shim or grub (that allows to boot
malicious code having no proper signature) old keys used by Linux
distributions are revoked, new ones are generated. New images signed
by new keys are published.
Yes, but couldn't it add news keys without blacklisting old ones?
It is beyond my knowledge of UEFI and secure boot: specs, requirements
from Microsoft, and state of affairs with bugs in implementations. That
is why I am suggesting to check for discussions related to shim & grub
and to ask people involved into their development.
I have never tried it, but perhaps you may enroll your own keys and
rebuild old images to put EFI files signed by you. See "master owner
keys".
Do you mean load new EFI files in old Clonezilla?
Yes, I do. My idea is to build custom image of old Clonezilla with EFI
files signed by you own keys. The downside is that you need to install
your keys to every box where you are going to boot your images.
By the way, perhaps tools for management of secure boot keys allow to
replace entries causing issues in your case without full reflash of
BIOS. I have heard that some people wipes Microsoft keys completely to
have full control what images can be booted on their machines.
With outdated keys secure boot does not protect you. Is it Windows
that prevents you from just turning secure boot off? I would not be
surprised if during some update of Windows, certificate revocation
list will be updated as well, so you would not be able to boot your
old Clonezilla any more.
Windows works with or without secure boot, but I'd like to leave it on.
So far, no Windows update did such thing. I also tried update from
Windows 10 to Windows 11, and nothing happened.
Notice, it is still just a hypothesis that your issues are caused by new
keys and it has to be confirmed by comparison key lists before and after.
If latest installation, repair, etc. images from Microsoft do not cause
the issue then chances that shim+grub may behave in a similar way is higher.
If booting grub built by Fedora or some other distribution unrelated to
Debian, does not cause the issue then it may be Debian specific bug. Am
I right that Clonezilla is based on Ubuntu, so may use same patches?
I do not know what is your threat model, so I am unsure why you consider
that secure book with revoked keys still provides enough degree of
protection. My impression is that not so much efforts are required to
inspect latest CVEs and to trick some signed EFI file to force booting
of a malicious EFI file. It is a reason why I suggest to disable secure
boot.
