
WARNING! shim-signed on arm64 in buster may fail to boot



Hi folks,

In testing of the 10.10 point release over the weekend, we found a
significant problem with shim-signed on arm64.

In pre-release testing I found problems with shim on signed versions
of shim on arm64. The shim binary crashes very early (Synchronous
Exception). Because of that problem, I took the hard decision to
disable Secure Boot support for arm64 in Debian Buster until a
solution could be found:

  https://wiki.debian.org/SecureBoot#arm64_problems

In testing a new build to go into Buster, I found that non-signed
versions were working fine on various machines. Unfortunately, it
seems that the boot issues might be affected by environment. Trying
the same binary build on Saturday as part of the 10.10 point release,
booting an installer image crashes repeatably in a VM. It also seems
that at least one of Debian's own arm64 hosts has been similarly
affected. :-(

Arm64 users are **strongly** advised to be careful about upgrading to
the latest Buster point release (10.10). If upgrading immediately, it
is recommended to remove shim-signed and reinstall GRUB on those
systems to ensure that they will continue to boot:

# apt-get remove shim-signed
# dpkg-reconfigure grub-efi-arm64

and disable Secure Boot in their system firmware if it's enabled.

I'm working on a more user-friendly fix now, and I hope to push it out
via the buster-updates archive shortly. This will still not be
*working* Secure Boot for arm64, as we're still awaiting better
toolchain support to make that work.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"...In the UNIX world, people tend to interpret `non-technical user'
 as meaning someone who's only ever written one device driver." -- Daniel Pead
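
Added example, not part of the message above or of any Debian tooling: a pre-upgrade check that reports whether a host matches the advisory (arm64 with shim-signed installed) and whether firmware Secure Boot is on. The function names are hypothetical; the efivarfs path is the standard UEFI SecureBoot global variable.

```shell
#!/bin/sh
# Added example: identify hosts matching the shim-signed arm64 advisory.
# Function names are hypothetical; nothing here modifies the system.

SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print enabled/disabled/unknown. An efivarfs file holds 4 attribute bytes
# followed by the data; SecureBoot's data is a single byte (1 = enabled).
secure_boot_state() {
    var_file=${1:-$SB_VAR}
    [ -r "$var_file" ] || { echo unknown; return 0; }
    value=$(od -An -tu1 -j4 -N1 "$var_file" 2>/dev/null | tr -d ' \n')
    case "$value" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Succeed when the host matches the advisory.
# $1 = dpkg architecture, $2 = dpkg-query ${Status} of shim-signed.
is_affected() {
    [ "$1" = arm64 ] && [ "$2" = "install ok installed" ]
}

check_host() {
    if command -v dpkg >/dev/null 2>&1; then
        arch=$(dpkg --print-architecture 2>/dev/null || echo unknown)
        status=$(dpkg-query -W -f='${Status}' shim-signed 2>/dev/null || true)
    else
        arch=unknown; status=
    fi
    sb=$(secure_boot_state)
    if is_affected "$arch" "$status"; then
        echo "AFFECTED: arm64 with shim-signed installed (Secure Boot: $sb)"
        echo "Remove shim-signed and reinstall GRUB before rebooting."
        [ "$sb" = enabled ] && echo "Also disable Secure Boot in firmware."
        return 0
    fi
    echo "Not affected: arch=$arch shim-signed='${status:-not installed}' (Secure Boot: $sb)"
}

check_host
```

Run it before the upgrade or before the first reboot afterwards; it reads package and firmware state only.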

