
SecureBoot fails after restoring from image

2021-07-08
2021-07-17
  • Jonas Deitmerg

    Jonas Deitmerg - 2021-07-08

    Hi,

    I have an issue restoring a Debian installation: After restoring, the PC fails to boot with a SecureBoot violation warning.

    Steps to reproduce

    1. On a new or factory-reset PC, enable SecureBoot, install Debian 10.9.0. Nothing special from what I can tell.
    2. Create image. I use boot parameters to automate this step:
      ocs_live_run="ocs-sr -q2 -j2 -z1p -i 4096 -sfsck -scs -senc -p poweroff savedisk os-image sda"
    3. On a new or factory-reset PC, enable SecureBoot, restore from image. Again using boot parameters:
      ocs_live_run="ocs-sr -e2 -e -g auto -icds -ssnf -j2 -scr -srel -ps -p choose restoredisk os-image sda"
    4. Reboot into restored system. SecureBoot fails with a big red warning.

    I'm using a thumb drive created from clonezilla-live-2.7.2-39-amd64.zip.
    Note that at least for my PC a BIOS-level reset is not enough in steps 1 and 3. Instead I have to perform a CMOS reset (using a jumper) or use a new PC.

    Analysis of the problem

    Apparently CloneZilla does not restore the boot entries in NVRAM as expected. These are the contents of efi-nvram.dat in the image folder:

    BootCurrent: 0002
    Timeout: 1 seconds
    BootOrder: 0002,0003,0000,0001
    Boot0000* debian    HD(1,GPT,3a56740b-0c1f-40a6-90b3-bf3b956150ba,0x800,0x100000)/File(\EFI\DEBIAN\SHIMX64.EFI)
    Boot0001* debian    HD(1,GPT,3a56740b-0c1f-40a6-90b3-bf3b956150ba,0x800,0x100000)/File(\EFI\DEBIAN\GRUBX64.EFI)..BO
    Boot0002* UEFI: KingstonDataTraveler 2.0PMAP, Partition 1   PciRoot(0x0)/Pci(0x15,0x0)/USB(2,0)/HD(1,MBR,0x9342908,0x800,0x15d800)..BO
    Boot0003* UEFI: KingstonDataTraveler 2.0PMAP, Partition 2   PciRoot(0x0)/Pci(0x15,0x0)/USB(2,0)/HD(2,MBR,0x9342908,0x15e000,0x1b79000)..BO

    Entries 2 and 3 are not important; they existed in NVRAM because CloneZilla was booted from a thumb drive in step 2. During step 3, only one boot entry is created in NVRAM:

    Boot0000* debian        HD(1,GPT,3a56740b-0c1f-40a6-90b3-bf3b956150ba,0x800,0x100000)/File(\EFI\DEBIAN\GRUBX64.EFI)

    As grub is not signed for SecureBoot, grubx64.efi cannot be run while SecureBoot is enabled.

    Expected behavior

    All NVRAM boot entries are recreated according to efi-nvram.dat. Alternatively, they are added to existing boot entries, keeping the order of the entries in efi-nvram.dat intact.

    Workaround

    I've added the following boot parameter to fix the issue temporarily:

    ocs_postrun="sudo efibootmgr -c -l \\\\EFI\\\\debian\\\\shimx64.efi -L debian-shim"

    Last edit: Jonas Deitmerg 2021-07-08
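A quick check for the failure described in the post, added here as an example and not code from Clonezilla or the poster: it compares the loader paths recorded in the saved efi-nvram.dat with the entries NVRAM holds after the restore, and flags a first boot entry that bypasses shim. The function names are mine, and both samples are constructed from the values shown in the post.

```sh
#!/bin/sh
# Added example, not Clonezilla's own code: compare the loaders recorded in a
# saved efi-nvram.dat with what efibootmgr -v reports after a restore, and
# flag a system whose first boot entry skips shim (Secure Boot rejects it).

# Constructed sample: the saved efi-nvram.dat from the post (USB entries omitted).
SAVED_NVRAM='BootCurrent: 0002
Timeout: 1 seconds
BootOrder: 0002,0003,0000,0001
Boot0000* debian    HD(1,GPT,3a56740b-0c1f-40a6-90b3-bf3b956150ba,0x800,0x100000)/File(\EFI\DEBIAN\SHIMX64.EFI)
Boot0001* debian    HD(1,GPT,3a56740b-0c1f-40a6-90b3-bf3b956150ba,0x800,0x100000)/File(\EFI\DEBIAN\GRUBX64.EFI)..BO'

# Constructed sample: NVRAM on the restored PC (step 4), only the grub entry.
RESTORED_NVRAM='BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000
Boot0000* debian        HD(1,GPT,3a56740b-0c1f-40a6-90b3-bf3b956150ba,0x800,0x100000)/File(\EFI\DEBIAN\GRUBX64.EFI)'

# Print the loader path of every Boot#### entry, lower-cased (FAT is case-insensitive).
loaders() {
    printf '%s\n' "$1" | sed -n 's/^Boot[0-9A-Fa-f]\{4\}\*\{0,1\} .*File(\([^)]*\)).*/\1/p' | tr 'A-Z' 'a-z'
}

# Loader paths present in the saved image but absent from NVRAM after restore.
missing_loaders() {
    saved=$(loaders "$1"); restored=$(loaders "$2")
    for path in $saved; do
        printf '%s\n' "$restored" | grep -Fxq -- "$path" || printf '%s\n' "$path"
    done
}

# Loader of the first entry in BootOrder, i.e. what the firmware tries first.
first_loader() {
    first=$(printf '%s\n' "$1" | sed -n 's/^BootOrder: \([0-9A-Fa-f]\{4\}\).*/\1/p')
    printf '%s\n' "$1" | sed -n "s/^Boot$first\*\{0,1\} .*File(\([^)]*\)).*/\1/p" | tr 'A-Z' 'a-z'
}

# Succeeds when the first boot entry goes through shim, the loader Secure Boot can verify.
boots_via_shim() {
    case "$(first_loader "$1")" in
        *shim*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Report for the restored machine described in the post.
missing_loaders "$SAVED_NVRAM" "$RESTORED_NVRAM" | sed 's/^/missing after restore: /'
boots_via_shim "$RESTORED_NVRAM" && echo "first boot entry uses shim" \
    || echo "WARNING: first boot entry bypasses shim; Secure Boot will refuse it"
```

On a real machine, feed the saved file and the output of `efibootmgr -v` to the same functions instead of the two constructed samples.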

