On Tue, Oct 3, 2023 at 11:44 AM Valerio Vanni <valerio.va...@inwind.it> wrote:
>
> On 03/10/2023 04:01, Jeffrey Walton wrote:
>
> >>> Does it mean that you can not boot your *old* Clonezilla live after
> >>> booting a latest Clonezilla? If so, it is better to discuss the issue
> >>> with shim or grub developers.
> >>
> >> Yes. If I load a Clonezilla live newer than 3.1.0-11, then I can no longer
> >> boot 2.8.1-12.
> >
> > I would probably bet if you booted to Windows, the OS would check the
> > Forbidden Signature/Secure Boot DBX and (re)apply KB5012170 [0] as
> > required.
>
> No, it hasn't happened. If you read the entire discussion, it hasn't
> happened with either Windows 10 or Windows 11.
> The only action that breaks secure boot of Clonezilla 2.8.1-12 is
> reaching the page of Grub entries in recent Clonezilla and Debian live.
>
> > So you are probably going to have to deal with this sooner rather than
> > later. Both OSes are going to try to update the database with
> > signatures of the bad grub programs. Or I would not bet against it.
> >
> > [0]
> > https://support.microsoft.com/en-gb/topic/kb5012170-security-update-for-secure-boot-dbx-72ff5eed-25b4-47c7-be28-c42bd211bb15
>
> Yes, no one can tell... but this update is more than six months old.
> So far it seems that Linux has a larger revocation database.
>
> And, even if Windows would adopt this larger database, I keep on
> considering it bad in a live environment. Be it Live Windows or Live Linux.
Did you see new grub vulnerabilities were just announced? [1] I would not
be surprised if both Linux and Windows updated the Forbidden
Signature/Secure Boot DBX. You're going to have to deal with it
eventually. Restoring UEFI firmware to run an old Clonezilla is not a
long term solution.

[1] https://www.openwall.com/lists/oss-security/2023/10/04/5

Jeff
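The thread turns on whether the firmware's DBX (forbidden signature database) has grown after booting a newer live image or after an update such as KB5012170. The script below is an added example for this thread, not code from Clonezilla, Debian or Microsoft: it parses the EFI_SIGNATURE_LIST chain that the dbx variable holds, as laid out in the UEFI specification, and counts how many SHA-256 image hashes and X.509 certificates are currently revoked, so a machine's state can be recorded before and after a suspect boot. It assumes Linux exposes the variable through efivarfs at the standard path (root is normally needed to read it); the fallback sample blob and its hash values are constructed here purely so the code runs offline.

```python
"""Count entries in a UEFI Secure Boot DBX (forbidden signature database).

Added example; not Clonezilla, Debian or Microsoft code. Parses the standard
EFI_SIGNATURE_LIST chain stored in the dbx variable so a defender can record
how many SHA-256 hashes and X.509 certificates the firmware currently revokes.
"""
import hashlib
import struct
import uuid
from pathlib import Path

# Real UEFI constants: EFI_IMAGE_SECURITY_DATABASE_GUID names the dbx variable,
# the signature-type GUIDs come from the UEFI specification.
DBX_EFIVAR = Path("/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian, 28 bytes total).
_LIST_HDR = struct.Struct("<16sIII")
_OWNER_GUID_LEN = 16  # each EFI_SIGNATURE_DATA starts with a SignatureOwner GUID


def parse_signature_lists(blob):
    """Walk a chain of EFI_SIGNATURE_LIST structures.

    Returns [(signature_type_uuid, [(owner_uuid, signature_bytes), ...]), ...].
    Malformed input raises ValueError rather than silently under-counting.
    """
    lists, off = [], 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError(f"truncated list header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= _OWNER_GUID_LEN:
            raise ValueError(f"SignatureSize {sig_size} cannot hold owner GUID plus data")
        body = blob[off + _LIST_HDR.size + hdr_size : off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"list body at offset {off} is not a multiple of SignatureSize")
        entries = []
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i : i + _OWNER_GUID_LEN])
            entries.append((owner, body[i + _OWNER_GUID_LEN : i + sig_size]))
        lists.append((uuid.UUID(bytes_le=raw_type), entries))
        off += list_size
    return lists


def summarize_dbx(blob):
    """Return counts of revoked SHA-256 hashes, X.509 certs and other entry types."""
    counts = {"sha256_hashes": 0, "x509_certs": 0, "other": 0}
    for sig_type, entries in parse_signature_lists(blob):
        if sig_type == EFI_CERT_SHA256_GUID:
            counts["sha256_hashes"] += len(entries)
        elif sig_type == EFI_CERT_X509_GUID:
            counts["x509_certs"] += len(entries)
        else:
            counts["other"] += len(entries)
    return counts


def read_dbx_from_efivars(path=DBX_EFIVAR):
    """Read dbx via efivarfs; the first 4 bytes are variable attributes, not data."""
    return path.read_bytes()[4:]


def build_signature_list(sig_type, signatures, owner=uuid.UUID(int=0)):
    """Encode one EFI_SIGNATURE_LIST (constructed test data; one size per list)."""
    sig_size = _OWNER_GUID_LEN + len(signatures[0])
    if any(len(s) != sig_size - _OWNER_GUID_LEN for s in signatures):
        raise ValueError("all signatures in one list must have the same length")
    list_size = _LIST_HDR.size + sig_size * len(signatures)
    out = _LIST_HDR.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for sig in signatures:
        out += owner.bytes_le + sig
    return out


def sample_dbx():
    """Constructed dbx image: two revoked hashes plus one placeholder X.509 entry."""
    hashes = [hashlib.sha256(b"constructed-revoked-image-%d" % i).digest() for i in (1, 2)]
    fake_cert = b"NOT-A-REAL-CERTIFICATE"  # constructed placeholder, not real DER
    return (build_signature_list(EFI_CERT_SHA256_GUID, hashes)
            + build_signature_list(EFI_CERT_X509_GUID, [fake_cert]))


if __name__ == "__main__":
    blob = read_dbx_from_efivars() if DBX_EFIVAR.exists() else sample_dbx()
    print(summarize_dbx(blob))
```

Run it once before and once after booting the newer live image (or after a Windows update cycle) and compare the counts; a jump in `sha256_hashes` is the signature of a DBX push, whereas an unchanged DBX with an old grub that still refuses to boot points at a revocation mechanism other than DBX.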