[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#990158: shim-signed-common: No UEFI boot with error "Could not create MokListXRT"

On Tue, Jun 22, 2021 at 11:47:22AM +0200, Ayke Halder wrote:
>> On Mon, Jun 21, 2021 at 09:00:15PM +0200, Ayke Halder wrote:
>> > Package: shim-signed-common
>> > Version: 1.33+15+1533136590.3beb971-7
>> > Severity: critical
>> > Justification: breaks the whole system
>> > 
>> > Dear Maintainer,
>> > 
>> > ## What led up to the situation?
>> > 
>> > Upgrade:
>> > 
>> > * shim-signed:amd64 (1.33+15+1533136590.3beb971-7,
>> > 1.36~1+deb10u1+15.4-5~deb10u1)
>> > * shim-signed-common:amd64 (1.33+15+1533136590.3beb971-7,
>> > 1.36~1+deb10u1+15.4-5~deb10u1)
>> > 
>> > System: Dell T5600 with BIOS Revision A19
>> > 
>> > 
>> > ## What was the outcome of this action?
>> > 
>> > System is unbootable on booting via UEFI. System shows error message and then
>> > powers off immediately:
>> > 
>> > "Could not create MokListXRT: Out of Resources
>> > Something has gone seriously wrong: import_mok_state() failed: Out of
>> > Resources"
>> > 
>> > 
>> > ## What outcome did you expect instead?
>> > 
>> > A normal booting system loading GRUB.
>> > 
>> > 
>> > ## Also reproducible with Debian Live-Installations-Image
>> > 
>> > On affected hardware like "Dell T5600" doing a UEFI boot from USB with …
>> > 
>> > * debian-live-10.10.0-amd64-standard.iso does *not* work.
>> > * debian-live-10.9.0-amd64-standard.iso works.
>> > 
>> > 
>> > ## Related resources
>> > 
>> > Might be related to:
>> > 
>> > * https://bugzilla.suse.com/show_bug.cgi?id=1185261
>> Yes, it looks like exactly the same problem. :-(
>> 
>> Several of the shim maintainers in various distributions are now
>> seeing reports like this. It seems that lots of machines are short of
>> space to store the new MokListXRT variable. Since the buster update
>> this weekend, yours is the second problem report I've seen.
>> 
>> Ubuntu have a patch to disable the variable mirroring here. I was not
>> expecting we'd need it, but it looks like I was wrong.
>> 
>> In terms of making your system boot, I'd suggest temporarily one of:
>> 
>>   * switch back to an older shim-signed package
>>   * disable Secure Boot and remove shim-signed
>> 
>
>I switched back to an older package of shim-signed and shim-signed-common.

ACK, that's the best thing for now.

>One caveat:
>I could not get the older package version via the official package repository
>anymore. Luckily I still had a copy of the old package in a local repository
>mirror.

OK. There's one thing I possibly should have mentioned here, then!
https://snapshot.debian.org/ carries ~all the packages that are ever
uploaded to Debian, so you should almost always be able to find older
packages there. I use it quite frequently as a developer, but I guess
it's not so well know amongst users!

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"I suspect most samba developers are already technically insane... Of
 course, since many of them are Australians, you can't tell." -- Linus Torvalds
Reply to: