valerio.va...@inwind.it wrote:
>On Wed, 27 Sep 2023 09:54:31 +0700 Max Nikulin <maniku...@gmail.com> wrote:
>> I found the issue on latest versions of Clonezilla, but then I tried
>>                      ^^^^^^
>> with plain Debian live and the behavior is the same.
>>
>> Does it mean that you can not boot your *old* Clonezilla live after booting a latest Clonezilla? If so, it is better to discuss the issue with shim or grub developers.
>
>Yes. If I load a Clonezilla live newer than 3.1.0-11, then I cannot boot
>anymore 2.8.1-12.
>
>> 1) Machine brand new: secure boot is active, Windows 10 shows it active, I can boot an old Clonezilla live (2.8.1-12) as many times as I want.
>>
>> An old image may be signed by a key later added to certificate revocation lists. If so, secure boot just works as it is supposed to do.
>
>I didn't consider that... But it makes sense.
>
>> 2) I boot from USB drive Debian Live 12
>> https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-12.1.0-amd64-kde.iso
>>
>> If it can be reproduced with a contemporary Clonezilla or e.g. a Fedora image then it is not a Debian issue. If it is specific to namely Debian (I am unsure concerning Ubuntu, Debian derivatives) then it is better to file a bug providing more details.
>
>As I said, the image that is not loaded anymore is older Clonezilla.
>The image that alters secure boot is newer Clonezilla, and then I found
>that newer Debian does the same.
>I still haven't found an old version of Debian that cannot boot after
>newer one (but I only tried 10 live, so far).

The newer images might be causing firmware key revocation updates to be applied. This is part of the Secure Boot story - if you want to stay secure, systems will need to be updated to stop older software with known holes from being run.

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
Can't keep my eyes from the circling sky,
Tongue-tied & twisted, Just an earth-bound misfit, I...