SBAT - Hint to fix problem

[Rainer Friedrich]

Hello, run into the secure problem on two computers.

Use Clonezilla from external device and after the latest windows update it did not boot anymore (on one device it did but a week later it did not anymore). Windowsupdate added more boot loader to the blocked one, had it in 2022 also on two computers. Interestingly when I tried the newest NetInst.ISO from Debian to boot it failed, because the loaders were to old, the loaders of the newest clonezilla are "young" enough and look like they were signed with newer sig's so that they will be accepted by secure boot.

Here what I did to fix it (use at own risk):

Downloaded 3.1.3 Clonezilla as ZIP-File
Replaced the contents of the grub directory (save Your grub.cfg if You changed it!)
Replaced the contents of \live with the newest live system

The splash screen did not show the selected png-file (but this is cosmetic, i fixed ith by manually merging/replacing part of the beginning of grub.cfg with the contents I found in the grub.cfg from Debian-NetInst.ISO)

I changed it to:

#
set pref=/boot/grub
set timeout="20"

if [ x$feature_default_font_path = xy ] ; then
   font=unicode
else
   font=$prefix/font.pf2
fi

if loadfont $font ; then
  set gfxmode=1024x800
  set gfxpayload=keep
  insmod efi_gop
  insmod efi_uga
  insmod video_bochs
  insmod video_cirrus
  insmod gfxterm
  insmod png
  terminal_output gfxterm
fi

if background_image $pref/ocswp-grub2.png; then
  set color_normal=black/black
  set color_highlight=magenta/black
else
  set color_normal=cyan/blue
  set color_highlight=white/blue
fi

insmod play

I tried it and I looked fine, maybe this helps someone, but: try at Your own risk!

Or create a new medium, copy your backups on it and restore changes you did in grub.cfg back to the new medium.

cu
F. :-)

[Steven Shiau]

Thanks for sharing that.
So you meant you has the issue (https://www.techpowerup.com/325849/dual-boot-linux-users-need-to-update-systems-due-to-grub-sbat-policy-changes-in-windows) with old version of Clonezilla live, but the latest version of Clonezilla live does not have?
If so, could you please let us know the version numbers of both working and not working Clonezilla live?

Steven

[Rainer Friedrich]

Yes the problem that arose with the windows update in august. The non working? Was from 2022/2023 AFAIK. Working is 3.1.3, stable, Debian. Seems like the EFI-bootloader is from july and is signed so that SBAT works. Replaced the live system also, AFAIK musst the kernel loader also be signed accordingly. Tried on my HP SFF, use Clonezilla from external HDD for automated backup/restore, seems all well.

Best will be, in my opinion, as described, to replace efi loader, grub (after saving changes in grub.cfg), replacing \live, restoring changes to grub.cfg.

Had trouble with the splash image and change like in my post. Had in another thread time ago the problem with the splash. This time i got the grub.cfg from debian netinst and merged it with my config. Yesterday evening the restore went like breeze.

Don't know how You build the release, seems You fetched the latest efi loader which seems be newer than in the debian netinst build.

Had this trouble in 2022(?), then also bootloader sigs were revoked, had to remember how I fixed it in 2022 (and documented it this time for me).

[Steven Shiau]

Hi Rainer,
Got it. Thanks for providing those info.
Yes, we create Clonezilla live with the latest packages from Debian Sid repo. Hence the Clonezilla live should have the latest key for grub and its related packages.

Steven

[Sainthol]

Hello,

Is there a solution for clonezilla server.
Thanks in advance.
Best regards.

[Steven Shiau]

Yes, you can use this mode of Clonezilla SE:
https://clonezilla.org/clonezilla-SE/use_clonezilla_live_in_drbl.php

Steven