Secure Boot Violation / Invalid Signature Detected after upgrading to Proxmox 9.2

Darkbotic


Now it won't boot unless I disable Secure Boot.
I think it's related to the 2023 CA Keys.
Probably 9.2 is using the 2023 but my BIOS only has the 2011 keys.
 
For now, I think I found the issue. The new shim is signed with both 2011 and 2023 keys and my PC only has the 2011 keys. For some reason my PC is rejecting the shim signed with both keys, so I had to remove the 2023 signature. Maybe downgrading the shim to the previous one should also work.

Any Proxmox devs around here might benefit from this finding. If you read this, please reply.
 
In my case I'm just a home labber so not a business using high end or enterprise equipment.
I'm using a HP EliteDesk 800 G1 TWR computer.
This PC doesn't have the 2023 CA keys. Only 2011.
I have another computer, same model, that I had to upgrade the db, dbx, kek and pk manually using this script and these keys but that script only works on Windows. I was trying to do the same from the Proxmox Terminal but couldn't.
Someone recommended using this to update it but I still have not tested it.

Here are the details you requested:

Vendor: Hewlett-Packard
Version: L01 v02.78
Release: 02/20/2020

Product: 18E4
Vendor: Hewlett-Packard
 
Hmm, OK, seems like this BIOS signature checking is broken. If you got some time and nerves you might want to contact HP w.r.t. this, they are the ones that can help best. We'll look out for any other reports or findings to ensure we did not miss anything on our side, but in general the approach is relatively simple and if it wouldn't work for a widespread amount of HW, there would be much, much more reports here and also at Debian's and other distro channels. As we all basically use the same approach, we share a common source package here, well - all SHIM distributors do, it's a requirement to get signed. So for now I cannot really help you, I'm afraid.

FWIW, there's also a wiki article for how to set up your own secure boot infra on Proxmox projects, it's a bit involved though: https://pve.proxmox.com/wiki/Secure_Boot_Setup
 
Hi,

if you got some time and nerves you might want to contact HP w.r.t. this, they are the ones that can help best.
Not sure, they ditched old computers (produced in 2018 and before, see https://support.hp.com/us-en/document/ish_13070353-13070429-16), and they will not provide any BIOS update (I know because we have the issue with Windows instead of Proxmox).

And even their newer models can have issues (with some specific BIOS versions) with the "Enable MS UEFI CA key" option to boot a Linux OS (we got some cases with our CloneZilla server, based on Debian).

Best regards,
 
Are the new shims already available? I asked about this recently:


I did a full update on my proxmox host (now running 9.2.2) and I can see that the shims are still only signed by the 2011 certs
 
yes, new shims are available now.
 
Thank you t.lamprecht
Sadly, as janus57 mentioned, currently HP doesn't want to provide BIOS updates.
I'm going to try the recommendation I got to see if I can update the Certs without a BIOS update.
you should be able to enroll the keys using your bios, hopefully. alternatively, deploying your own PK via setup mode should also work, then you can sign all the key/cert updates you want yourself ;)
 
yes, that is true. systems with such broken implementations will either need to roll their own SB setup (in which case the admin can decide which signatures to put on the booted shim binary) or disable SB.
 
@fabian @t.lamprecht
Trying to contact HP was a dead end, so I made a backup of my boot drive and then tried using this UEFI Shell that includes Mosby, which allowed me to use the BIOS Setup Mode to deploy the new Microsoft UEFI CA keys along with my own PK and revoke the old 2011 keys.

After doing that, I enabled Secure Boot and I tested it by trying to install Windows 11 using the latest ISO available, but as expected, that ISO didn't boot because, as of today, Microsoft is still signing ISOs with the old keys instead of the new one, so that meant the old 2011 keys were revoked properly by Mosby.
I then tried booting using the latest Proxmox ISO but it didn't work for some reason, and yes, I verified the checksum. Three times.
Finally, I tried using the latest Proxmox Backup Server ISO and it booted just fine. Great! Problem solved right? Well, actually no...

After the installation, it rebooted and it booted just fine with Secure Boot turned on. However, after booting, I went to the Web GUI and updated PBS.
That update included the latest shim. The update went fine and everything got installed properly, but after I rebooted, lo and behold, once again I got the Secure Boot Violation screen and it refused to boot unless I turned off Secure Boot.

So it looks like, even though I can install Proxmox Backup Server just fine with the latest ISO, as soon as it gets updated, it doesn't boot.

It looks like the difference between the Proxmox 9.2-1 and PBS 4.2-1 ISOs can be found in /efi/boot/bootx64.efi
Using sbverify --list I can see that:
The PVE ISO has 2 signatures: Microsoft Corporation UEFI CA 2011 and Microsoft UEFI CA 2023
The PBS ISO only has 1 signature: Microsoft Corporation UEFI CA 2011
So it looks like it doesn't work when there are 2 signatures instead of just 1.

Is there anything else I should try? I can do whatever you need me to do since I already have a backup of my system and I don't mind tinkering.
 
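Added example, not code from this thread or from the Proxmox project: a small Python checker that reads the output of the sbverify --list command used above and reports whether a shim is single- or multi-signed, which Microsoft CAs sign it, and how it should fare against a given firmware db, so a dual-signed shim can be spotted before rebooting a machine with firmware like the one in this thread. The two sbverify listings are constructed in the shape of sbsigntools output and are not real captures.

```python
import re

# Constructed samples shaped like `sbverify --list` output (sbsigntools); not real captures.
PVE_SHIM_LIST = """signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
signature 2
image signature issuers:
 - /C=US/O=Microsoft Corporation/CN=Microsoft RSA Devices Root CA 2021
image signature certificates:
 - subject: /C=US/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/O=Microsoft Corporation/CN=Microsoft UEFI CA 2023
"""
# The PBS ISO shim in the thread carried only the 2011 signature: keep just signature 1.
PBS_SHIM_LIST = "\n".join(PVE_SHIM_LIST.splitlines()[:6]) + "\n"

MS_2011 = "Microsoft Corporation UEFI CA 2011"
MS_2023 = "Microsoft UEFI CA 2023"

SIG_HEADER = re.compile(r"^signature (\d+)\s*$", re.MULTILINE)
ISSUER_LINE = re.compile(r"^\s+issuer:\s+(.*)$", re.MULTILINE)
CN = re.compile(r"CN=([^/]+)")

def signer_cas(listing):
    """Issuer CN of the signing certificate of each Authenticode signature, in order."""
    parts = SIG_HEADER.split(listing)[1:]      # [num, body, num, body, ...]
    cas = []
    for body in parts[1::2]:
        m = ISSUER_LINE.search(body)
        if not m:
            continue
        cn = CN.search(m.group(1))
        cas.append((cn.group(1) if cn else m.group(1)).strip())
    return cas

def assess(listing, firmware_db):
    """Predict how Secure Boot firmware whose db holds `firmware_db` CAs treats this binary."""
    cas = signer_cas(listing)
    trusted = [ca for ca in cas if ca in firmware_db]
    if not trusted:
        return "reject: no signature chains to a CA in db"
    if len(cas) > 1:
        # Conformant firmware accepts on the first trusted chain; the HP firmware in this
        # thread refuses any multi-signed shim, so flag it before rebooting into it.
        return "warn: multi-signed (%s); quirky firmware may refuse it" % ", ".join(cas)
    return "ok: single signature by %s is in db" % trusted[0]
```

On a real host, feed it the output of sbverify --list on /boot/efi/EFI/proxmox/shimx64.efi (or the ISO's /efi/boot/bootx64.efi) and the CA names read from the firmware db.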
I've seen similar messages on HP EliteDesks when I want to install a new OS such as Proxmox itself or even just boot off Ventoy so I can start the install. In the BIOS I disabled everything having to do with Secure Boot, UEFI etc. and it eventually went away, took a few tries, it's like it doesn't save the first time and you have to go back and do it a few times.
 
Hey Squirrel. Thanks for the tip.
Yeah, everything works when I disable Secure Boot. But I'm trying to find a fix without having to disable it.