On 03/10/2023 01:34, Valerio Vanni wrote:
On 02/10/2023 18:45, Max Nikulin wrote:
But neither Asus (bios from start of September) nor Microsoft
(Windows 11) do that blacklisting.
Do you mean Windows install on hard drive or Windows install image?
should be "installed"---------^
Machine comes with Windows 10 preinstalled, and then it's updated from
Windows Update. Then I installed Windows 11 with upgrade assistant.
So far, no blacklist of old Clonezilla.
Do you mean that installing Windows 10 or 11 from scratch could behave
differently?
I am curious if just booting a recent media published by Microsoft (not
install, just booting till first dialog) may change secure boot keys. If
I have got you right, Windows with all updates installed still allows
booting old Clonezilla.
I have just spotted in the news
https://security-tracker.debian.org/tracker/CVE-2023-4692
"Crafted file system images can cause heap-based buffer overflow and may
allow arbitrary code execution and secure boot bypass"
and a related link
https://github.com/rhboot/shim/blob/main/SBAT.md
Secure Boot Advanced Targeting
If firmware has the "EFI shell" option then you may try "bcfg boot
dump -v". Unsure if it is possible to redirect output to a file.
I'll try. Is there nothing inside Linux efi tools?
Sorry, your question is unclear to me. I was trying to suggest a way to
inspect UEFI boot variables without disturbing its state. If Linux
images may do something with secure boot keys then I see the following
alternatives:
- Firmware may have EFI shell boot option included
- Perhaps there are some tools for Windows
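
Added example, not part of the original message: on a Linux system that is already running, the Boot#### variables are exposed as files under /sys/firmware/efi/efivars, and reading them does not write to any UEFI variable. The sketch below decodes the EFI_LOAD_OPTION structure stored in such a variable; the function names and the sample bytes are constructed for illustration.

```python
import struct

MEDIA, FILE_PATH, END = 0x04, 0x04, 0x7F   # device path node type / subtype values (UEFI spec)

def parse_load_option(raw, efivarfs_prefix=True):
    """Decode an EFI_LOAD_OPTION, i.e. the content of a Boot#### variable."""
    if efivarfs_prefix:                      # efivarfs puts 4 bytes of variable attributes first
        raw = raw[4:]
    if len(raw) < 8:
        raise ValueError("truncated load option")
    attributes, path_len = struct.unpack_from("<IH", raw, 0)
    pos = 6                                  # description: NUL-terminated UTF-16LE
    while raw[pos:pos + 2] != b"\0\0":
        if pos + 2 > len(raw):
            raise ValueError("unterminated description")
        pos += 2
    description = raw[6:pos].decode("utf-16-le")
    pos += 2
    end = pos + path_len
    if end > len(raw):
        raise ValueError("device path runs past end of variable")
    path = []
    while pos + 4 <= end:
        ntype, subtype, nlen = struct.unpack_from("<BBH", raw, pos)
        if nlen < 4 or pos + nlen > end:
            raise ValueError("malformed device path node")
        body = raw[pos + 4:pos + nlen]
        if ntype == END:
            break
        if (ntype, subtype) == (MEDIA, FILE_PATH):
            path.append(("file", body.decode("utf-16-le").rstrip("\0")))
        else:                                # other node kinds are shown as raw hex
            path.append((f"{ntype:#04x}/{subtype:#04x}", body.hex()))
        pos += nlen
    return {"active": bool(attributes & 1), "description": description,
            "path": path, "optional_data": raw[end:]}

def build_sample():
    """Constructed variable content in efivarfs layout (not from a real machine)."""
    desc = "debian".encode("utf-16-le") + b"\0\0"
    name = "\\EFI\\debian\\shimx64.efi".encode("utf-16-le") + b"\0\0"
    path = struct.pack("<BBH", MEDIA, FILE_PATH, 4 + len(name)) + name
    path += struct.pack("<BBH", END, 0xFF, 4)
    return struct.pack("<IIH", 0x7, 0x1, len(path)) + desc + path

if __name__ == "__main__":
    # On a real system, read e.g.
    # /sys/firmware/efi/efivars/Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c instead.
    print(parse_load_option(build_sample()))
```

The efibootmgr tool prints the same information with `efibootmgr -v`.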