Bug#920144: marked as done (shim-signed: Buster installer images and live image build on Jan/21/2019 can not boot with Secure Boot enabled)

To: Steve McIntyre <steve@einval.com>
Subject: Bug#920144: marked as done (shim-signed: Buster installer images and live image build on Jan/21/2019 can not boot with Secure Boot enabled)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 25 May 2019 01:24:03 +0000
Message-id: <[🔎] handler.920144.D920144.155874727610434.ackdone@bugs.debian.org>
Reply-to: 920144@bugs.debian.org
References: <20190525012016.GA22526@tack.einval.com> <cb0b61bd-2107-35e3-210d-2321f906beae@nchc.org.tw>

Your message dated Sat, 25 May 2019 02:20:16 +0100
with message-id <20190525012016.GA22526@tack.einval.com>
and subject line Re: Bug#920144: shim-signed: Buster installer images and live image build on Jan/21/2019 can not boot with Secure Boot enabled
has caused the Debian Bug report #920144,
regarding shim-signed: Buster installer images and live image build on Jan/21/2019 can not boot with Secure Boot enabled
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
920144: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920144
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: shim-signed: Buster installer images and live image build on Jan/21/2019 can not boot with Secure Boot enabled
From: Steven Shiau <steven@nchc.org.tw>
Date: Tue, 22 Jan 2019 14:41:24 +0800
Message-id: <cb0b61bd-2107-35e3-210d-2321f906beae@nchc.org.tw>

Package: shim-signed
Version: 1.28+nmu1+0.9+1474479173.6c180c6-1
Severity: normal

Dear Maintainer,

On Debian secure boot wiki page:
https://wiki.debian.org/SecureBoot/Testing#Buster_installer_images
It mentioned:
Buster live images
Since 16th Jan 2019, our normal weekly amd64 live images should
live-boot with Secure Boot enabled without needing any special steps.
They should also support installation of a Secure Boot enabled system
directly.

See https://get.debian.org/images/weekly-live-builds/
and
Buster live images

Since 16th Jan 2019, our normal weekly amd64 live images should
live-boot with Secure Boot enabled without needing any special steps.
They should also support installation of a Secure Boot enabled system
directly.

See https://get.debian.org/images/weekly-live-builds/

However, both
https://get.debian.org/images/daily-builds/daily/current/amd64/iso-cd/debian-testing-amd64-netinst.iso
and
https://get.debian.org/images/weekly-live-builds/amd64/iso-hybrid/debian-live-testing-amd64-mate.iso
build on Jan/21/2019 failed to boot with secure boot enabled on VMWare
WS Pro 15 and Lenovo X260.
Attached please check the screenshot when it failed to boot.

In addition, I use live-build 20180925 to create the secure boot ready
Debian Sid ISO with
lb config --uefi-secure-boot enable
and also included grub-efi-amd64-signed, shim-signed,
linux-image-4.19.0-1-amd64

However, the created live ISO also failed to boot with the same error.
If I turned off the secure boot in the BIOS, the created ISO can boot
successfully.

If you need more info, please let me know. Thanks.

Steven

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shim-signed depends on:
ii  debconf [debconf-2.0]  1.5.70
ii  grub-efi-amd64-bin     2.02+dfsg1-10
ii  grub2-common           2.02+dfsg1-10
ii  mokutil                0.2.0-1+b3
ii  shim                   0.9+1474479173.6c180c6-1

Versions of packages shim-signed recommends:
pn  secureboot-db  <none>

shim-signed suggests no packages.

-- debconf information excluded

-- 
Steven Shiau <steven _at_ stevenshiau org>
Public Key Server PGP Key ID: 4096R/163E3FB0
Fingerprint: EB1D D5BF 6F88 820B BCF5  356C 8E94 C9CD 163E 3FB0

Attachment: shim-signed-failed.png
Description: PNG image

--- End Message ---

--- Begin Message ---

To: Steven Shiau <steven@nchc.org.tw>, 920144-done@bugs.debian.org
Subject: Re: Bug#920144: shim-signed: Buster installer images and live image build on Jan/21/2019 can not boot with Secure Boot enabled
From: Steve McIntyre <steve@einval.com>
Date: Sat, 25 May 2019 02:20:16 +0100
Message-id: <20190525012016.GA22526@tack.einval.com>
In-reply-to: <20190323184841.GA2776@tack.einval.com>
References: <cb0b61bd-2107-35e3-210d-2321f906beae@nchc.org.tw> <20190323184841.GA2776@tack.einval.com>

And things should be working now after all the uploads happeneds, so
I'm closing this.

On Sat, Mar 23, 2019 at 06:48:41PM +0000, Steve McIntyre wrote:
>On Tue, Jan 22, 2019 at 02:41:24PM +0800, Steven Shiau wrote:
>>Package: shim-signed
>>Version: 1.28+nmu1+0.9+1474479173.6c180c6-1
>>Severity: normal
>>
>>Dear Maintainer,
>>
>>On Debian secure boot wiki page:
>>https://wiki.debian.org/SecureBoot/Testing#Buster_installer_images
>>It mentioned:
>>Buster live images
>>Since 16th Jan 2019, our normal weekly amd64 live images should
>>live-boot with Secure Boot enabled without needing any special steps.
>>They should also support installation of a Secure Boot enabled system
>>directly.
>>
>>See https://get.debian.org/images/weekly-live-builds/
>>and
>>Buster live images
>>
>>Since 16th Jan 2019, our normal weekly amd64 live images should
>>live-boot with Secure Boot enabled without needing any special steps.
>>They should also support installation of a Secure Boot enabled system
>>directly.
>>
>>See https://get.debian.org/images/weekly-live-builds/
>>
>>However, both
>>https://get.debian.org/images/daily-builds/daily/current/amd64/iso-cd/debian-testing-amd64-netinst.iso
>>and
>>https://get.debian.org/images/weekly-live-builds/amd64/iso-hybrid/debian-live-testing-amd64-mate.iso
>>build on Jan/21/2019 failed to boot with secure boot enabled on VMWare
>>WS Pro 15 and Lenovo X260.
>>Attached please check the screenshot when it failed to boot.
>>
>>In addition, I use live-build 20180925 to create the secure boot ready
>>Debian Sid ISO with
>>lb config --uefi-secure-boot enable
>>and also included grub-efi-amd64-signed, shim-signed,
>>linux-image-4.19.0-1-amd64
>>
>>However, the created live ISO also failed to boot with the same error.
>>If I turned off the secure boot in the BIOS, the created ISO can boot
>>successfully.
>
>Apologies, this was a mistake on my part. We were still using our test
>key for signing our packaged EFI binaries (grub, linux, etc.) and I'd
>missed that. Things should be fixed really soon...
>
>-- 
>Steve McIntyre, Cambridge, UK.                                steve@einval.com
>"When C++ is your hammer, everything looks like a thumb." -- Steven M. Haflich
-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
You lock the door
And throw away the key
There's someone in my head but it's not me

--- End Message ---

Reply to:

Prev by Date: Re: Bug#928750 - Bug in grubx64.efi triggered by shim?
Next by Date: Bug#911352: shim-signed: missing Microsoft-signed version for UEFI 32bit
Previous by thread: Processed: [bts-link] source package shim-signed
Next by thread: Bug#911352: shim-signed: missing Microsoft-signed version for UEFI 32bit
Index(es):
- Date
- Thread