
Re: Debian live boot corrupting secure boot



On 03/10/2023 01:34, Valerio Vanni wrote:
On 02/10/2023 18:45, Max Nikulin wrote:

But neither Asus (bios from start of September) nor Microsoft (Windows 11) do that blacklisting.

Do you mean Windows install on hard drive or Windows install image?
should be "installed"---------^

Machine comes with Windows 10 preinstalled, and then it's updated from Windows Update. Then I installed Windows 11 with the upgrade assistant.
So far, no blacklist of old Clonezilla.

Do you mean that installing Windows 10 or 11 from scratch could behave differently?

I am curious whether just booting recent media published by Microsoft (not installing, just booting to the first dialog) may change secure boot keys. If I have got you right, Windows with all updates installed still allows booting old Clonezilla.

I have just spotted in the news
https://security-tracker.debian.org/tracker/CVE-2023-4692
"Crafted file system images can cause heap-based buffer overflow and may allow arbitrary code execution and secure boot bypass"

and a related link

https://github.com/rhboot/shim/blob/main/SBAT.md
Secure Boot Advanced Targeting

If firmware has the "EFI shell" option then you may try "bcfg boot dump -v". Unsure if it is possible to redirect output to a file.

I'll try. Is there nothing inside Linux efi tools?

Sorry, your question is unclear to me. I was trying to suggest a way to inspect UEFI boot variables without disturbing their state. If Linux images may do something with secure boot keys, then I see the following alternatives:
- Firmware may have EFI shell boot option included
- Perhaps there are some tools for Windows
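
Added example, not part of the original message or of any tool named in the thread: a read-only Python sketch that lists the same boot entries "bcfg boot dump -v" shows, by parsing BootOrder and Boot#### from Linux efivarfs. It assumes efivarfs is mounted at /sys/firmware/efi/efivars; the function names and the sample entry are constructed for this illustration.

```python
import struct
from pathlib import Path

EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI global variable GUID
EFIVARS = Path("/sys/firmware/efi/efivars")          # assumed efivarfs mount point

def parse_boot_order(data):
    """BootOrder is a packed array of little-endian uint16 entry numbers."""
    n = len(data) // 2
    return list(struct.unpack(f"<{n}H", data[:n * 2]))

def find_file_path(dp):
    """Walk device-path nodes; return the Media/File Path node (type 4, subtype 4)."""
    off = 0
    while off + 4 <= len(dp):
        typ, sub, length = struct.unpack_from("<BBH", dp, off)
        if typ == 0x7F or length < 4:      # end node, or malformed length
            break
        if (typ, sub) == (4, 4):
            return dp[off + 4:off + length].decode("utf-16-le").rstrip("\0")
        off += length
    return None

def parse_load_option(data):
    """EFI_LOAD_OPTION: uint32 attributes, uint16 path length, UTF-16 description, device path."""
    attrs, path_len = struct.unpack_from("<IH", data, 0)
    end = 6
    while end + 2 <= len(data) and data[end:end + 2] != b"\0\0":
        end += 2
    return {"active": bool(attrs & 1),     # LOAD_OPTION_ACTIVE
            "description": data[6:end].decode("utf-16-le"),
            "file": find_file_path(data[end + 2:end + 2 + path_len])}

def dump_boot_entries(efivars=EFIVARS):
    """Read-only: efivarfs prefixes each value with 4 attribute bytes, skipped here."""
    order = (efivars / f"BootOrder-{EFI_GLOBAL}").read_bytes()[4:]
    return [(n, parse_load_option((efivars / f"Boot{n:04X}-{EFI_GLOBAL}").read_bytes()[4:]))
            for n in parse_boot_order(order)]

def build_sample():
    """Constructed sample entry (not taken from any real machine)."""
    path = "\\EFI\\debian\\shimx64.efi\0".encode("utf-16-le")
    dp = struct.pack("<BBH", 4, 4, 4 + len(path)) + path + b"\x7f\xff\x04\x00"
    return struct.pack("<IH", 1, len(dp)) + "debian\0".encode("utf-16-le") + dp

if __name__ == "__main__":
    print(parse_load_option(build_sample()))
    if EFIVARS.is_dir():
        for num, entry in dump_boot_entries():
            print(f"Boot{num:04X}", entry)
```

The script only opens the variable files for reading, so comparing its output before and after booting a live image shows whether the boot entries changed.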

