Il 11/10/2023 04:13, Max Nikulin ha scritto:
On 11/10/2023 08:46, Valerio Vanni wrote:
Now I've tried Fedora live: it doesn't act like Debian. After it,
I can still boot old Clonezilla. Not only at grub page: I can also
load live environment.
If the Fedora image is fresh enough
Yes, it's version 38.
I add that I tried to make it resident (install on internal disk), and
neither this way it changes anything.
It satisfies Secure Boot requirements, but it doesn't blacklist anything.
So it doesn't seem true what whas said (don't remember by who) at the
start of this thread, that if a system supports SB blacklists older
images for sure.
It seems a choice. A bad choice for a live environment.
then there are some patches either in Fedora or in Debian. Perhaps
the following one
https://sources.debian.org/src/shim/15.7-1/debian/patches/block-grub-sbat3-debian.patch/
> You may check changelog, closed debian bugs, messages in developer
mailing lists for the shim package (shim-signed and shim-unsigned)
and may try to discuss the issue with shim maintainers.
With Fedora Live I could see the difference, using
# mokutil --list-sbat-revocations.
When the system is in one of these states:
-new
-reflashed
-after old clonezilla (grub entries) load
-after Fedora live load or Fedora install
This list is
sbat,1,202103218
After load of grub page of a new Clonezilla (or live Debian) the list
becomes:
sbat,1,2022052400
grub,2
