Bug#990082: High chance of boot problems with buster's version of arm64 shim

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#990082: High chance of boot problems with buster's version of arm64 shim
From: Steve McIntyre <steve@einval.com>
Date: Sat, 19 Jun 2021 21:09:11 +0100
Message-id: <[🔎] 162413335153.26619.11443518970058624972.reportbug@tack.local>
Reply-to: Steve McIntyre <steve@einval.com>, 990082@bugs.debian.org

Package: shim-signed
Version: 1.36~1+15.4-5~deb10u1
Severity: grave

Argh.

In pre-release testing I found problems with shim on signed versions
of shim on arm64. The shim binary crashes very early (Synchronous
Exception). Because of that problem, I took the hard decision to
disable Secure Boot support for arm64 in Debian Buster until a
solution could be found:

  https://wiki.debian.org/SecureBoot#arm64_problems

In testing a new build to go into Buster, I found that non-signed
versions were working fine on various machines. Unfortunately, it
seems that the boot issues might be affected by environment. Trying
the same binary build today as part of the 10.10 point release,
booting an installer image crashes repeatably in a VM. It also seems
that at least one of Debian's own arm64 hosts has been similarly
affected. :-(

Arm64 users are **strongly** advised to be careful about upgrading to
the latest Buster point release (10.10). If upgrading immediately, it
is recommended to disable remove shim-signed and reinstall GRUB on those
systems to ensure that they will continue to boot:

# apt-get remove shim-signed
# dpkg --reconfigure grub-efi-amd64

and disable Secure Boot in their system firmware if it's enabled.

I'm working on a more user-friendly fix now, and I hope to push it out
via the Buster security archive shortly. This will still not be
*working* Secure Boot for arm64, as we're still awaiting better
toolchain support to make that work.

-- System Information:
Debian Release: 10.9
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-0.bpo.5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_CPU_OUT_OF_SPEC
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shim-signed depends on:
ii  grub-efi-amd64-bin         2.02+dfsg1-20+deb10u4
ii  grub2-common               2.02+dfsg1-20+deb10u4
ii  shim-helpers-amd64-signed  1+15.4+2~deb10u1

Versions of packages shim-signed recommends:
pn  secureboot-db  <none>

shim-signed suggests no packages.

-- debconf information excluded

Reply to:

Follow-Ups:
- Bug#990082: marked as done (High chance of boot problems with buster's version of arm64 shim)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#990082: marked as done (High chance of boot problems with buster's version of arm64 shim)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Processed: Re: Bug#989962: debian-bullseye-DI-rc2-amd64-DVD-1.iso image on flash media flash fails to boot on a system that does not support secure boot
Next by Date: Processed: affects 990082
Previous by thread: Processed: Re: Bug#989962: debian-bullseye-DI-rc2-amd64-DVD-1.iso image on flash media flash fails to boot on a system that does not support secure boot
Next by thread: Bug#990082: marked as done (High chance of boot problems with buster's version of arm64 shim)
Index(es):
- Date
- Thread