Bug#990082: High chance of boot problems with buster's version of arm64 shim
Package: shim-signed
Version: 1.36~1+15.4-5~deb10u1
Severity: grave
Argh.
In pre-release testing I found problems with shim on signed versions
of shim on arm64. The shim binary crashes very early (Synchronous
Exception). Because of that problem, I took the hard decision to
disable Secure Boot support for arm64 in Debian Buster until a
solution could be found:
https://wiki.debian.org/SecureBoot#arm64_problems
In testing a new build to go into Buster, I found that non-signed
versions were working fine on various machines. Unfortunately, it
seems that the boot issues might be affected by environment. Trying
the same binary build today as part of the 10.10 point release,
booting an installer image crashes repeatably in a VM. It also seems
that at least one of Debian's own arm64 hosts has been similarly
affected. :-(
Arm64 users are **strongly** advised to be careful about upgrading to
the latest Buster point release (10.10). If upgrading immediately, it
is recommended to remove shim-signed and reinstall GRUB on those
systems to ensure that they will continue to boot:

  # apt-get remove shim-signed
  # dpkg-reconfigure grub-efi-arm64

and disable Secure Boot in their system firmware if it's enabled.
I'm working on a more user-friendly fix now, and I hope to push it out
via the Buster security archive shortly. This will still not be
*working* Secure Boot for arm64, as we're still awaiting better
toolchain support to make that work.
-- System Information:
Debian Release: 10.9
APT prefers stable-debug
APT policy: (500, 'stable-debug'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-0.bpo.5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_CPU_OUT_OF_SPEC
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages shim-signed depends on:
ii grub-efi-amd64-bin 2.02+dfsg1-20+deb10u4
ii grub2-common 2.02+dfsg1-20+deb10u4
ii shim-helpers-amd64-signed 1+15.4+2~deb10u1
Versions of packages shim-signed recommends:
pn secureboot-db <none>
shim-signed suggests no packages.
-- debconf information excluded
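
The following triage helper is an added example, not part of the original report or of any Debian package. It checks the three things the workaround above depends on: architecture, installed shim-signed version, and Secure Boot state. The function names and output strings are assumptions of this example; the version string is the one in the report's Version: field.

```sh
#!/bin/sh
# Added example (not from the report): triage for the arm64 shim-signed problem.
AFFECTED_SHIM='1.36~1+15.4-5~deb10u1'   # Version: field of this bug report
# efivarfs path of the SecureBoot variable (EFI global variable GUID).
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# secure_boot_state FILE: print enabled, disabled or unknown.
# An efivarfs file is 4 attribute bytes followed by the variable data;
# SecureBoot carries a single data byte (1 = enabled, 0 = disabled).
secure_boot_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    byte=$(dd if="$1" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# triage ARCH SHIM_VERSION SB_STATE: print one line of advice.
triage() {
    if [ "$1" != arm64 ]; then
        echo "n/a: the report concerns arm64 only"
    elif [ -z "$2" ]; then
        echo "ok: shim-signed is not installed"
    elif [ "$2" != "$AFFECTED_SHIM" ]; then
        echo "review: shim-signed $2 is not the version named in the report"
    else
        case "$3" in
            enabled)  echo "affected: remove shim-signed, reinstall GRUB, disable Secure Boot in firmware" ;;
            disabled) echo "affected: remove shim-signed, reinstall GRUB" ;;
            *)        echo "affected: remove shim-signed, reinstall GRUB, check Secure Boot in firmware" ;;
        esac
    fi
}

# Live check on a Debian host: sh this-script --check
main() {
    arch=$(dpkg --print-architecture 2>/dev/null || true)
    # Only count the package when dpkg reports it as fully installed ("ii").
    shim=$(dpkg-query -W -f='${db:Status-Abbrev} ${Version}\n' shim-signed 2>/dev/null |
           awk '$1 == "ii" {print $2}')
    triage "$arch" "$shim" "$(secure_boot_state "$SB_VAR")"
}
case "${1:-}" in --check) main ;; esac
```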