[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#990082: marked as done (High chance of boot problems with buster's version of arm64 shim)



Your message dated Wed, 23 Jun 2021 19:17:07 +0000
with message-id <E1lw8N1-000CGu-Ea@fasolo.debian.org>
and subject line Bug#990082: fixed in shim 15.4-6~deb10u1
has caused the Debian Bug report #990082,
regarding High chance of boot problems with buster's version of arm64 shim
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
990082: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990082
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: shim-signed
Version: 1.36~1+15.4-5~deb10u1
Severity: grave

Argh.

In pre-release testing I found problems with shim on signed versions
of shim on arm64. The shim binary crashes very early (Synchronous
Exception). Because of that problem, I took the hard decision to
disable Secure Boot support for arm64 in Debian Buster until a
solution could be found:

  https://wiki.debian.org/SecureBoot#arm64_problems

In testing a new build to go into Buster, I found that non-signed
versions were working fine on various machines. Unfortunately, it
seems that the boot issues might be affected by environment. Trying
the same binary build today as part of the 10.10 point release,
booting an installer image crashes repeatably in a VM. It also seems
that at least one of Debian's own arm64 hosts has been similarly
affected. :-(

Arm64 users are **strongly** advised to be careful about upgrading to
the latest Buster point release (10.10). If upgrading immediately, it
is recommended to disable remove shim-signed and reinstall GRUB on those
systems to ensure that they will continue to boot:

# apt-get remove shim-signed
# dpkg --reconfigure grub-efi-amd64

and disable Secure Boot in their system firmware if it's enabled.

I'm working on a more user-friendly fix now, and I hope to push it out
via the Buster security archive shortly. This will still not be
*working* Secure Boot for arm64, as we're still awaiting better
toolchain support to make that work.

-- System Information:
Debian Release: 10.9
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-0.bpo.5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_CPU_OUT_OF_SPEC
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shim-signed depends on:
ii  grub-efi-amd64-bin         2.02+dfsg1-20+deb10u4
ii  grub2-common               2.02+dfsg1-20+deb10u4
ii  shim-helpers-amd64-signed  1+15.4+2~deb10u1

Versions of packages shim-signed recommends:
pn  secureboot-db  <none>

shim-signed suggests no packages.

-- debconf information excluded

--- End Message ---
--- Begin Message ---
Source: shim
Source-Version: 15.4-6~deb10u1
Done: Steve McIntyre <93sam@debian.org>

We believe that the bug you reported is fixed in the latest version of
shim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990082@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve McIntyre <93sam@debian.org> (supplier of updated shim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 23 Jun 2021 19:08:54 +0100
Source: shim
Architecture: source
Version: 15.4-6~deb10u1
Distribution: buster
Urgency: high
Maintainer: Debian EFI team <debian-efi@lists.debian.org>
Changed-By: Steve McIntyre <93sam@debian.org>
Closes: 989962 990082 990158 990190
Changes:
 shim (15.4-6~deb10u1) buster; urgency=high
 .
   * Add arm64 patch to tweak section layout and stop crashing
     problems. Upstream issue #371. Closes: #990082, #990190
   * In insecure mode, don't abort if we can't create the MokListXRT
     variable. Upstream issue #372. Closes: #989962, #990158
Checksums-Sha1:
 155795ed71243e83b53341566d8ced9a6ff0ead0 2311 shim_15.4-6~deb10u1.dsc
 279f1c7b62a0eefa20e4f1119ab2e5c60f57576f 33940 shim_15.4-6~deb10u1.debian.tar.xz
 efa14875336e625ee536eab6f0d7c126ca48efc1 6076 shim_15.4-6~deb10u1_source.buildinfo
Checksums-Sha256:
 cafe7121920c06bb40c3430e64199e8239b8ca32abb051b8cb43dfbc4df8b58b 2311 shim_15.4-6~deb10u1.dsc
 d7cdf5fb5081b67e90c193d13e979748e127d1441c3be27403482ae342b2f476 33940 shim_15.4-6~deb10u1.debian.tar.xz
 68b72d7f7fbd299ddb422ed1e894483dc5a4229e124dea5887cac58c3774720c 6076 shim_15.4-6~deb10u1_source.buildinfo
Files:
 74e7bc27ef0616638fa8401c96ea139f 2311 admin optional shim_15.4-6~deb10u1.dsc
 83ee03c3871fa207a898c615c19ea5b1 33940 admin optional shim_15.4-6~deb10u1.debian.tar.xz
 9e04225e4f98ff6e06e7fdbd90ba5eb1 6076 admin optional shim_15.4-6~deb10u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCAAvFiEEzrtSMB1hfpEDkP4WWHl5VzRCaE4FAmDTehoRHDkzc2FtQGRl
Ymlhbi5vcmcACgkQWHl5VzRCaE4M9w//d+xBFqYa3kMEp9nIcqFQdsRSNA2kLDrR
bhRgNOli5aVt44YSv/z/yCDrK+TorjtFKyDUqipBgYRNNRhG3svZXQ/9YOTxh63g
/NlOqJPRZJfySgIBE50MstxIP86XkCBZIZctvQcf1kFcEwFdBzI41Hos6jN8a3Ps
+NUFqtxrHdDKL85eZXA33FpT97SHrr+7a1esrlbezdY15i8VFNPAwfwGXzfJeITI
n0bg5pJgnFWRzU2FURRBNK0xMnZu2euToPsBOszQqv+a9F4CPV996vva96mR69OS
KWS4gRDOG0Q3kQb1lRbolHer9KV0uViCScfS7Ky1Z6VDkWbwHQY9OGROCrXcfpZu
SFvVXTfGPQVL0fW3plb/Wh/hcddmsAS+XvzxgC+VTJz+Nnr3B7ZvuVPnsvlQ/VA4
L5IDBXzpUemR5vZM9FOObu9Oic0VSlj0o2obxmEJTAPsBBM6KUBnMXPG95+tSO/H
JSNX/RJ3wVpymjGDrziGOeN09P6nOwspOZGE4oA5aytV++Aw1AerJH46YyUjgMYp
LAU7U2l8USb8obOfEk6w2xuoPdHXxVoisedRzwxQdnhLzZqUcUHB5wHeZ+/Tm2pj
SS0T3HIDo4EY+8KTnhdQgFgtlg4e8x5Cs1MlRmdwsl3XpbPl75Z3ohfTskq/jq9K
t/V0ChbU9Qg=
=81Ex
-----END PGP SIGNATURE-----

--- End Message ---

Reply to: