Secure Boot Violation / Invalid Signature Detected after upgrading to Proxmox 9.2

Darkbotic
Member
Jul 10, 2024

Now it won't boot unless I disable Secure Boot.
I think it's related to the 2023 CA Keys.
Probably 9.2 is using the 2023 but my BIOS only has the 2011 keys.
For now, I think I found the issue. The new shim is signed with both 2011 and 2023 keys and my PC only has the 2011 keys. For some reason my PC is rejecting the shim signed with both keys, so I had to remove the 2023 signature. Maybe downgrading the shim to the previous one should also work.

Any Proxmox devs around here might benefit from this finding. If you read this, please reply.
In my case I'm just a home labber so not a business using high end or enterprise equipment.
I'm using a HP EliteDesk 800 G1 TWR computer.
This PC doesn't have the 2023 CA keys. Only 2011.
I have another computer, same model, that I had to upgrade the db, dbx, kek and pk manually using this script and these keys but that script only works on Windows. I was trying to do the same from the Proxmox Terminal but couldn't.
Someone recommended using this to update it but I still have not tested it.

Here are the details you requested:

Vendor: Hewlett-Packard
Version: L01 v02.78
Release: 02/20/2020

Product: 18E4
Vendor: Hewlett-Packard
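To see what the firmware actually has enrolled before touching the shim, here is an added Python example (not code from this thread, Proxmox, HP or the script mentioned above). It parses the Secure Boot db variable as a chain of EFI_SIGNATURE_LIST structures and reports whether the Microsoft 2011 and 2023 UEFI CA certificates are present. read_db() assumes efivarfs is mounted at /sys/firmware/efi/efivars and skips the 4-byte attribute prefix; the sample db bytes and their owner GUID are constructed, with placeholder bytes standing in for DER certificates. The CA match is a heuristic on the subject CN text inside the DER; mokutil --db prints the same lists in full.

```python
"""Parse a Secure Boot db blob and report which Microsoft UEFI CAs it holds.

Added example, not Proxmox/HP/shim code.  The db variable is a sequence of
EFI_SIGNATURE_LIST structures; X.509 lists carry one DER certificate per
entry, SHA256 lists carry 32-byte hashes.
"""
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
DB_PATH = "/sys/firmware/efi/efivars/db-" + EFI_IMAGE_SECURITY_DATABASE_GUID

# Subject CNs of the Microsoft CAs that sign shim, as they appear as
# PrintableString text inside the DER-encoded certificates.
KNOWN_CAS = {
    "Microsoft Corporation UEFI CA 2011": b"Microsoft Corporation UEFI CA 2011",
    "Microsoft UEFI CA 2023": b"Microsoft UEFI CA 2023",
}


def parse_esl(data: bytes):
    """Yield (signature_type, owner, signature_data) for every entry in the blob."""
    pos = 0
    while pos + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, pos + 16)
        if list_size < 28 + hdr_size or pos + list_size > len(data):
            raise ValueError("truncated EFI_SIGNATURE_LIST at offset %d" % pos)
        if sig_size < 16:
            raise ValueError("SignatureSize smaller than the owner GUID")
        entry, end = pos + 28 + hdr_size, pos + list_size
        while entry + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[entry:entry + 16])
            yield sig_type, owner, data[entry + 16:entry + sig_size]
            entry += sig_size
        pos = end
    if pos != len(data):
        raise ValueError("trailing bytes after the last signature list")


def enrolled_cas(db: bytes) -> dict:
    """Map each known CA name to whether an X.509 entry mentioning its CN exists.

    Heuristic: substring search in the DER bytes.  A strict check would parse
    the certificate (e.g. with the `cryptography` package) and compare subjects.
    """
    certs = [sig for t, _, sig in parse_esl(db) if t == EFI_CERT_X509_GUID]
    return {name: any(cn in c for c in certs) for name, cn in KNOWN_CAS.items()}


def read_db(path: str = DB_PATH) -> bytes:
    """Read the live db from efivarfs; the first 4 bytes are variable attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, sigs) -> bytes:
    """Constructed helper: pack one list; all entries in a list share one size."""
    sizes = {len(s) for s in sigs}
    if len(sizes) != 1:
        raise ValueError("all entries of one EFI_SIGNATURE_LIST must be the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


# Constructed sample data: the owner GUID and "certificates" are placeholders.
SAMPLE_OWNER = uuid.UUID("12345678-1234-1234-1234-123456789abc")
FAKE_CERT_2011 = b"<constructed DER stand-in> CN=Microsoft Corporation UEFI CA 2011"
FAKE_CERT_2023 = b"<constructed DER stand-in> CN=Microsoft UEFI CA 2023"
SAMPLE_DB_2011_ONLY = (
    build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, [FAKE_CERT_2011])
    + build_esl(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [b"\x11" * 32, b"\x22" * 32])
)
SAMPLE_DB_BOTH = SAMPLE_DB_2011_ONLY + build_esl(
    EFI_CERT_X509_GUID, SAMPLE_OWNER, [FAKE_CERT_2023]
)

if __name__ == "__main__":
    try:
        db = read_db()          # live firmware db when run on a UEFI Linux host
    except OSError:
        db = SAMPLE_DB_2011_ONLY  # fall back to the constructed sample
    for name, present in enrolled_cas(db).items():
        print("%-36s %s" % (name, "enrolled" if present else "missing"))
```

On the EliteDesk described above the live run would be expected to report the 2011 CA as enrolled and the 2023 CA as missing; on a machine with both, the new dual-signed shim should verify against either.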
Hmm, OK, seems like this BIOS signature checking is broken. If you got some time and nerves you might want to contact HP w.r.t. this, they are the ones that can help best. We'll look out for any other reports or findings to ensure we did not miss anything on our side, but in general the approach is relatively simple and if it wouldn't work for a widespread amount of HW, there would be many, many more reports here and also at Debian's and other distro channels. As we all basically use the same approach, we share a common source package here, well - all SHIM distributors do, it's a requirement to get signed. So for now I cannot really help you, I'm afraid.

FWIW, there's also a wiki article on how to set up your own Secure Boot infra on Proxmox projects, it's a bit involved though: https://pve.proxmox.com/wiki/Secure_Boot_Setup
Hi,

if you got some time and nerves you might want to contact HP w.r.t. this, they are the ones that can help best.
Not sure, they ditched old computers (produced in 2018 and before, see https://support.hp.com/us-en/document/ish_13070353-13070429-16), and they will not provide any BIOS update (I know because we have the issue with Windows instead of Proxmox).

And even their newer models can have issues (with some specific BIOS versions) with the "Enable MS UEFI CA key" option to boot a Linux OS (we got some cases with our CloneZilla server, based on Debian).

Best regards,
 
Are the new shims already available? I asked about this recently:


I did a full update on my Proxmox host (now running 9.2.2) and I can see that the shims are still only signed by the 2011 certs.
Are the new shims already available? I asked about this recently:


I did a full update on my Proxmox host (now running 9.2.2) and I can see that the shims are still only signed by the 2011 certs.
Yes, new shims are available now.
Thank you, t.lamprecht.
Sadly, as janus57 mentioned, currently HP doesn't want to provide BIOS updates.
I'm going to try the recommendation I got to see if I can update the Certs without a BIOS update.
You should be able to enroll the keys using your BIOS, hopefully. Alternatively, deploying your own PK via setup mode should also work; then you can sign all the key/cert updates you want yourself ;)
Thanks Fabian.

I think the important detail here is that the issue may not simply be “missing 2023 keys”, but specifically how some older HP firmware validates dual-signed EFI binaries.

On this HP EliteDesk 800 G1 (BIOS L01 v02.78), the older shim signed only with the Microsoft 2011 UEFI CA boots correctly with Secure Boot enabled.

However, after upgrading to the newer shim package, Secure Boot immediately fails with “Invalid Signature Detected”, even though the 2011 CA is still present in db.

What makes this interesting is:

  • removing the 2023 signature from the shim allows boot again,
  • which suggests the firmware parser itself may be mishandling multi-signed PE binaries,
  • instead of simply lacking the newer CA certificate.
This might help distinguish:

  1. systems that only need updated db/KEK enrollment,
    vs
  2. systems whose firmware incorrectly rejects dual-signed shims entirely.
I’ll try to collect additional verification data from another identical HP system after manually updating db/dbx/KEK/PK and report back with results.
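The analysis above and Darkbotic's earlier finding (removing the 2023 signature lets the shim boot) both turn on how a dual-signed PE binary is laid out. As an added example that is not code from this thread, Proxmox or the shim project, here is a small Python parser for the PE Authenticode certificate table (IMAGE_DIRECTORY_ENTRY_SECURITY): each signature is one WIN_CERTIFICATE entry, entries are 8-byte aligned, and the Authenticode digest excludes the table and its directory entry, which is why one entry can be dropped without invalidating the other. The sample PE and its "SignedData" blobs are constructed placeholders; on a real shim you would pass the file bytes instead (sbverify --list shows the same table from the command line).

```python
"""Walk (and optionally trim) the Authenticode certificate table of a PE binary.

Added example, not Proxmox or shim project code.  It reads the security data
directory of a PE/EFI image and lists every WIN_CERTIFICATE entry, so a
dual-signed shim shows two entries.  The sample image built below is a
constructed minimal PE32+ whose only content is the certificate table.
"""
import hashlib
import struct

WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
SECURITY_DIRECTORY_INDEX = 4


def _security_dir_field(pe: bytes) -> int:
    """Return the file offset of the security data-directory entry."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                       # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                            # PE32
        dirs = opt + 96
    elif magic == 0x20B:                          # PE32+ (x86_64 UEFI binaries)
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    count = struct.unpack_from("<I", pe, dirs - 4)[0]   # NumberOfRvaAndSizes
    if count <= SECURITY_DIRECTORY_INDEX:
        raise ValueError("image has no security directory")
    return dirs + SECURITY_DIRECTORY_INDEX * 8


def list_signatures(pe: bytes) -> list:
    """Return the raw bCertificate blob of every WIN_CERTIFICATE entry, in order."""
    off, size = struct.unpack_from("<II", pe, _security_dir_field(pe))
    blobs, pos, end = [], off, off + size          # security offset is a file offset, not an RVA
    while pos + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("truncated WIN_CERTIFICATE at 0x%x" % pos)
        if rev != WIN_CERT_REVISION_2_0 or ctype != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            raise ValueError("unexpected certificate entry type at 0x%x" % pos)
        blobs.append(pe[pos + 8:pos + length])
        pos += (length + 7) & ~7                   # entries are padded to 8-byte alignment
    return blobs


def signature_digests(pe: bytes) -> list:
    """SHA-256 of each signature blob, handy for comparing two shim builds."""
    return [hashlib.sha256(b).hexdigest() for b in list_signatures(pe)]


def _win_certificate(blob: bytes) -> bytes:
    length = 8 + len(blob)
    padded = (length + 7) & ~7
    header = struct.pack("<IHH", length, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    return header + blob + b"\0" * (padded - length)


def remove_signature(pe: bytes, index: int) -> bytes:
    """Rebuild the table without entry `index`; the other signatures stay valid
    because the Authenticode hash skips the table and its directory entry."""
    field = _security_dir_field(pe)
    off, size = struct.unpack_from("<II", pe, field)
    blobs = list_signatures(pe)
    del blobs[index]
    table = b"".join(_win_certificate(b) for b in blobs)
    out = bytearray(pe[:off] + table + pe[off + size:])
    struct.pack_into("<II", out, field, off if table else 0, len(table))
    return bytes(out)


def build_sample_pe(blobs) -> bytes:
    """Constructed minimal PE32+ image: DOS stub, COFF header, optional header, cert table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header right after the DOS header
    opt = bytearray(112 + 16 * 8)                   # PE32+ optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)            # NumberOfRvaAndSizes
    table = b"".join(_win_certificate(b) for b in blobs)
    table_off = 512
    struct.pack_into("<II", opt, 112 + SECURITY_DIRECTORY_INDEX * 8, table_off, len(table))
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x0022)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt)).ljust(table_off, b"\0") + table


# Constructed stand-ins for the two PKCS#7 SignedData blobs of a dual-signed shim.
SAMPLE_2011 = b"<placeholder SignedData chaining to Microsoft Corporation UEFI CA 2011>"
SAMPLE_2023 = b"<placeholder SignedData chaining to Microsoft UEFI CA 2023>"
DUAL_SIGNED = build_sample_pe([SAMPLE_2011, SAMPLE_2023])

if __name__ == "__main__":
    print("signatures on sample:", len(list_signatures(DUAL_SIGNED)))
    stripped = remove_signature(DUAL_SIGNED, 1)
    print("after dropping entry 1:", len(list_signatures(stripped)))
```

To inspect an installed shim, call list_signatures(open("shimx64.efi", "rb").read()) (path is a placeholder); a result of two entries on a firmware that only enrolls the 2011 CA is exactly the situation the thread describes, and comparing signature_digests() between the old and new shim packages shows which entry is the new one.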
 
Yes, that is true. Systems with such broken implementations will either need to roll their own SB setup (in which case the admin can decide which signatures to put on the booted shim binary) or disable SB.