Bug#990158: shim-signed-common: No UEFI boot with error "Could not create MokListXRT"
On Tue, Jun 22, 2021 at 11:47:22AM +0200, Ayke Halder wrote:
>> On Mon, Jun 21, 2021 at 09:00:15PM +0200, Ayke Halder wrote:
>> > Package: shim-signed-common
>> > Version: 1.33+15+1533136590.3beb971-7
>> > Severity: critical
>> > Justification: breaks the whole system
>> >
>> > Dear Maintainer,
>> >
>> > ## What led up to the situation?
>> >
>> > Upgrade:
>> >
>> > * shim-signed:amd64 (1.33+15+1533136590.3beb971-7,
>> > 1.36~1+deb10u1+15.4-5~deb10u1)
>> > * shim-signed-common:amd64 (1.33+15+1533136590.3beb971-7,
>> > 1.36~1+deb10u1+15.4-5~deb10u1)
>> >
>> > System: Dell T5600 with BIOS Revision A19
>> >
>> >
>> > ## What was the outcome of this action?
>> >
>> > System is unbootable on booting via UEFI. System shows error message and then
>> > powers off immediately:
>> >
>> > "Could not create MokListXRT: Out of Resources
>> > Something has gone seriously wrong: import_mok_state() failed: Out of
>> > Resources"
>> >
>> >
>> > ## What outcome did you expect instead?
>> >
>> > A normal booting system loading GRUB.
>> >
>> >
>> > ## Also reproducible with Debian Live-Installations-Image
>> >
>> > On affected hardware like "Dell T5600" doing a UEFI boot from USB with …
>> >
>> > * debian-live-10.10.0-amd64-standard.iso does *not* work.
>> > * debian-live-10.9.0-amd64-standard.iso works.
>> >
>> >
>> > ## Related resources
>> >
>> > Might be related to:
>> >
>> > * https://bugzilla.suse.com/show_bug.cgi?id=1185261
>> Yes, it looks like exactly the same problem. :-(
>>
>> Several of the shim maintainers in various distributions are now
>> seeing reports like this. It seems that lots of machines are short of
>> space to store the new MokListXRT variable. Since the buster update
>> this weekend, yours is the second problem report I've seen.
>>
>> Ubuntu have a patch to disable the variable mirroring here. I was not
>> expecting we'd need it, but it looks like I was wrong.
>>
>> In terms of making your system boot, I'd suggest temporarily one of:
>>
>> * switch back to an older shim-signed package
>> * disable Secure Boot and remove shim-signed
>>
>
>I switched back to an older package of shim-signed and shim-signed-common.
ACK, that's the best thing for now.
>One caveat:
>I could not get the older package version via the official package repository
>anymore. Luckily I still had a copy of the old package in a local repository
>mirror.
OK. There's one thing I possibly should have mentioned here, then!
https://snapshot.debian.org/ carries ~all the packages that are ever
uploaded to Debian, so you should almost always be able to find older
packages there. I use it quite frequently as a developer, but I guess
it's not so well know amongst users!
--
Steve McIntyre, Cambridge, UK. steve@einval.com
"I suspect most samba developers are already technically insane... Of
course, since many of them are Australians, you can't tell." -- Linus Torvalds
Reply to: