Secure Boot Violation / Invalid Signature Detected after upgrading to Proxmox 9.2

Check in BIOS secure boot section if there is an option for "Allow Microsoft 3rd Party UEFI CA" or similar.
On newer devices (at least from Lenovo) you can't secure boot anything except Windows by default.
By enabling this option you can secure boot the Microsoft signed Linux bootloader shim.

Thanks for the tip.
This option is not available in my case.
 
Thank you @fiona

I think that might be the issue I'm having, which would also affect all HP EliteDesk 800 G1's

Any guidance on how to test it?

This is what I did for now to be able to have Secure Boot enabled:

1) Installed PBS from scratch using the latest ISO.
2) After the installation and BEFORE updating it, I mounted the boot partition with: mount /dev/sda2 /mnt/boot
3) Made a tar with all the files in /mnt/boot/EFI/proxmox
4) Restored the backup of my previous PBS and then booted it with Secure Boot disabled
5) Mounted the boot partition again with: mount /dev/sda2 /mnt/boot
6) Extracted the tar to /mnt/boot/EFI/custom-boot
7) And finally, used this command: efibootmgr --unicode --disk /dev/sda --part 2 --create --label "custom-boot" --loader "\\EFI\\custom-boot\\shimx64.efi"

After that I just enabled secure boot and it worked fine.
However this is not ideal since that shim is signed with the 2011 keys.
I downloaded this https://sources.debian.org/src/shim-signed/1.51/shimx64.efi.signed.MS-2023 and copied it as /mnt/boot/EFI/custom-boot/shimx64.efi but it didn't work. It showed a Security Policy Violation message in the blue MokManager screen.

that last part is to be expected - you cannot boot Proxmox products using a Debian shim, as the shim embeds the certificate used for signing all the vendor specific boot components.

you can use the one from here: https://git.proxmox.com/?p=shim-sig...s/proxmox/trixie;hb=refs/heads/proxmox/trixie

or just strip the 2011 signature from your local copy of shim using "pesign" (you need to repeat this after every update of the shim-signed package)
 
  • Like
Reactions: fiona
that last part is to be expected - you cannot boot Proxmox products using a Debian shim, as the shim embeds the certificate used for signing all the vendor specific boot components.

you can use the one from here: https://git.proxmox.com/?p=shim-sig...s/proxmox/trixie;hb=refs/heads/proxmox/trixie

or just strip the 2011 signature from your local copy of shim using "pesign" (you need to repeat this after every update of the shim-signed package)

Thank you very! Both shims actually work now.
So I guess the issue was actually the dual signature.

So here is what I did:

Code:
mkdir -p /mnt/boot
mount /dev/sda2 /mnt/boot
cp -r /mnt/boot/EFI/proxmox /mnt/boot/EFI/ShimX64-MS-2023
cd /mnt/boot/EFI/ShimX64-MS-2023
curl -L 'https://git.proxmox.com/?p=shim-signed.git;a=blob_plain;f=shimx64.efi.signed.MS-2023;hb=refs/heads/proxmox/trixie' -o shimx64.efi
efibootmgr --unicode --disk /dev/sda --part 2 --create --label "ShimX64-MS-2023" --loader "\\EFI\\ShimX64-MS-2023\\shimx64.efi"
 
  • Like
Reactions: fiona