Secure Boot Violation / Invalid Signature Detected after upgrading to Proxmox 9.2

Darkbotic

Jul 10, 2024

Now it won't boot unless I disable Secure Boot.
I think it's related to the 2023 CA Keys.
Probably 9.2 is using the 2023 but my BIOS only has the 2011 keys.
 
For now, I think I found the issue. The new shim is signed with both 2011 and 2023 keys and my PC only has the 2011 keys. For some reason my PC is rejecting the shim signed with both keys, so I had to remove the 2023 signature. Maybe downgrading the shim to the previous one should also work.

Any Proxmox devs around here might benefit from this finding. If you read this, please reply.
 
In my case I'm just a home labber so not a business using high end or enterprise equipment.
I'm using an HP EliteDesk 800 G1 TWR computer.
This PC doesn't have the 2023 CA keys. Only 2011.
I have another computer, same model, that I had to upgrade the db, dbx, kek and pk manually using this script and these keys but that script only works on Windows. I was trying to do the same from the Proxmox Terminal but couldn't.
Someone recommended using this to update it but I still have not tested it.

Here are the details you requested:

Vendor: Hewlett-Packard
Version: L01 v02.78
Release: 02/20/2020

Product: 18E4
Vendor: Hewlett-Packard
 
Hmm, OK, seems like this BIOS signature checking is broken. If you have some time and nerves, you might want to contact HP w.r.t. this; they are the ones that can help best. We'll look out for any other reports or findings to ensure we did not miss anything on our side, but in general the approach is relatively simple, and if it didn't work for a widespread amount of HW, there would be many more reports here and also at Debian's and other distro channels. As we all basically use the same approach, we share a common source package here; well, all SHIM distributors do, it's a requirement to get signed. So for now I cannot really help you, I'm afraid.

FWIW, there's also a wiki article for how to set up your own secure boot infra on Proxmox projects, it's a bit involved though: https://pve.proxmox.com/wiki/Secure_Boot_Setup
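To check from a Linux shell whether the firmware's `db` holds only the 2011 Microsoft CA or also the 2023 one, as discussed in this thread, the variable can be parsed directly. This is an added example, not code from any poster or from Proxmox; it assumes the standard efivarfs path, the certificate common names listed in `SHIM_CAS`, and uses a substring match on the certificate bytes as a heuristic.

```python
import os
import struct
import uuid

# EFI_CERT_X509_GUID: signature lists of this type hold DER X.509 certificates.
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# efivarfs path of the Secure Boot "db" variable (assumes efivarfs is mounted).
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
# Assumed common names of the Microsoft third-party CAs that sign shim.
SHIM_CAS = ("Microsoft Corporation UEFI CA 2011", "Microsoft UEFI CA 2023")

def iter_x509(esl: bytes):
    """Yield each certificate blob from concatenated EFI_SIGNATURE_LIST structures."""
    off = 0
    while off < len(esl):
        if off + 28 > len(esl):
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=esl[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", esl, off + 16)
        end = off + list_size
        if list_size < 28 + hdr_size or end > len(esl) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size
        while pos + sig_size <= end:
            if sig_type == X509_GUID:
                yield esl[pos + 16:pos + sig_size]  # skip SignatureOwner GUID
            pos += sig_size
        off = end

def shim_cas_in_db(raw: bytes) -> set:
    """Return which SHIM_CAS names appear in a db variable read from efivarfs."""
    found = set()
    for cert in iter_x509(raw[4:]):  # efivarfs prepends 4 attribute bytes
        # Heuristic: the CN is stored as ASCII inside the DER encoding.
        found.update(cn for cn in SHIM_CAS if cn.encode() in cert)
    return found

def make_db(*cert_blobs: bytes) -> bytes:
    """Build a constructed db variable (one list per blob) for offline testing."""
    out = b"\x27\x00\x00\x00"  # attribute bytes as efivarfs would prepend them
    for blob in cert_blobs:
        out += X509_GUID.bytes_le + struct.pack("<III", 44 + len(blob), 0, 16 + len(blob))
        out += bytes(16) + blob
    return out

if __name__ == "__main__":
    sample = make_db(b"CN=" + SHIM_CAS[0].encode())  # constructed, 2011-only
    raw = open(DB_PATH, "rb").read() if os.path.exists(DB_PATH) else sample
    print("shim-relevant CAs in db:", sorted(shim_cas_in_db(raw)) or "none")
```

A result containing only the 2011 name matches the situation described for the EliteDesk above; it says nothing about why the firmware rejects a dual-signed shim.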