
Bug#990082: marked as done (High chance of boot problems with buster's version of arm64 shim)



Your message dated Wed, 23 Jun 2021 18:18:51 +0000
with message-id <E1lw7Sd-0004Ms-LF@fasolo.debian.org>
and subject line Bug#990082: fixed in shim 15.4-6
has caused the Debian Bug report #990082,
regarding High chance of boot problems with buster's version of arm64 shim
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
990082: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990082
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: shim-signed
Version: 1.36~1+15.4-5~deb10u1
Severity: grave

Argh.

In pre-release testing I found problems with shim on signed versions
of shim on arm64. The shim binary crashes very early (Synchronous
Exception). Because of that problem, I took the hard decision to
disable Secure Boot support for arm64 in Debian Buster until a
solution could be found:

  https://wiki.debian.org/SecureBoot#arm64_problems

In testing a new build to go into Buster, I found that non-signed
versions were working fine on various machines. Unfortunately, it
seems that the boot issues might be affected by environment. Trying
the same binary build today as part of the 10.10 point release,
booting an installer image crashes repeatably in a VM. It also seems
that at least one of Debian's own arm64 hosts has been similarly
affected. :-(

Arm64 users are **strongly** advised to be careful about upgrading to
the latest Buster point release (10.10). If upgrading immediately, it
is recommended to remove shim-signed and reinstall GRUB on those
systems to ensure that they will continue to boot:

# apt-get remove shim-signed
# dpkg-reconfigure grub-efi-arm64

and disable Secure Boot in their system firmware if it's enabled.

I'm working on a more user-friendly fix now, and I hope to push it out
via the Buster security archive shortly. This will still not be
*working* Secure Boot for arm64, as we're still awaiting better
toolchain support to make that work.

-- System Information:
Debian Release: 10.9
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-0.bpo.5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_CPU_OUT_OF_SPEC
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shim-signed depends on:
ii  grub-efi-amd64-bin         2.02+dfsg1-20+deb10u4
ii  grub2-common               2.02+dfsg1-20+deb10u4
ii  shim-helpers-amd64-signed  1+15.4+2~deb10u1

Versions of packages shim-signed recommends:
pn  secureboot-db  <none>

shim-signed suggests no packages.

-- debconf information excluded

--- End Message ---
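
The exposure check implied by the advice in the report above, as an added example that is not part of the original bug report or of Debian's tooling. The function names are hypothetical; the affected version string is the one in the report's Version: header, and the efivarfs path is the standard location of the UEFI SecureBoot variable.

```shell
#!/bin/sh
# Added example: decide whether a host matches the situation in the report.

# Version named in the report's "Version:" header.
AFFECTED_SHIM_SIGNED='1.36~1+15.4-5~deb10u1'
# Standard efivarfs path of the UEFI SecureBoot variable.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# secure_boot_state FILE -> enabled | disabled | unknown
# An efivarfs file holds a 4-byte attribute word followed by the data;
# SecureBoot's data is a single byte (1 = enabled, 0 = disabled).
secure_boot_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    byte=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# assess ARCH SHIM_SIGNED_VERSION SB_STATE -> one-line verdict
assess() {
    case "$1" in
        arm64|aarch64) ;;
        *) echo "not-arm64"; return 0 ;;
    esac
    [ "$2" = "$AFFECTED_SHIM_SIGNED" ] || { echo "shim-signed-absent-or-other-version"; return 0; }
    if [ "$3" = enabled ]; then
        echo "at-risk: remove shim-signed, reinstall GRUB, disable Secure Boot"
    else
        echo "at-risk: remove shim-signed, reinstall GRUB"
    fi
}

# Live check: architecture from uname, version as recorded by dpkg.
main() {
    ver=$(dpkg-query -W -f='${Version}' shim-signed 2>/dev/null || true)
    assess "$(uname -m)" "$ver" "$(secure_boot_state "$SB_VAR")"
}

main
```
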
--- Begin Message ---
Source: shim
Source-Version: 15.4-6
Done: Steve McIntyre <93sam@debian.org>

We believe that the bug you reported is fixed in the latest version of
shim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990082@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve McIntyre <93sam@debian.org> (supplier of updated shim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 23 Jun 2021 19:03:54 +0100
Source: shim
Architecture: source
Version: 15.4-6
Distribution: unstable
Urgency: high
Maintainer: Debian EFI team <debian-efi@lists.debian.org>
Changed-By: Steve McIntyre <93sam@debian.org>
Closes: 989962 990082 990158 990190
Changes:
 shim (15.4-6) unstable; urgency=high
 .
   * Add arm64 patch to tweak section layout and stop crashing
     problems. Upstream issue #371. Closes: #990082, #990190
   * In insecure mode, don't abort if we can't create the MokListXRT
     variable. Upstream issue #372. Closes: #989962, #990158
Checksums-Sha1:
 2112b70489b4660c77eeb63207f54628fd0c5c04 2300 shim_15.4-6.dsc
 a2242f538b3f7e826b8ee78ef8caa49a9e766643 33932 shim_15.4-6.debian.tar.xz
 0409d674a6becceb329de2e29f8561fdd0ea0fdd 6054 shim_15.4-6_source.buildinfo
Checksums-Sha256:
 0316b340550238a3fb4cbb2a2b2a736fc93ba460327000032c1e683ee1db8831 2300 shim_15.4-6.dsc
 624357f05fdbf212523d9adcc6c4f92c03b442b3fb76732576ab56c756d8834a 33932 shim_15.4-6.debian.tar.xz
 dfb64efa1657ea734dc16cb07f9e497faa23cd11a58420e38bc62b21a38fefcf 6054 shim_15.4-6_source.buildinfo
Files:
 55b09f08418b65e28a14bbb7a27bfbda 2300 admin optional shim_15.4-6.dsc
 99e10023060aea0b923d3f566b415554 33932 admin optional shim_15.4-6.debian.tar.xz
 e41eaf923d9217c0afc50ed5177ab2d3 6054 admin optional shim_15.4-6_source.buildinfo

--- End Message ---