Bug#989962: shim-signed 1.36~1+deb10u1 fails to boot some systems
I generally install Debian off of DVD or a *.iso copied to flash rather
than an online repository.
That way I get a reproducible install.
Recently, I found that my Debian 10.9 amd64 dvd-1 install stopped
working on the Dell T1600 boot in UEFI mode.
This is the machine that does not support secure boot.
The symptoms were that the install went as expected, but the boot failed
complaining about MOK list being exhausted.
What I discovered was that security updates were being applied during
the install off dvd:
I noticed the message 'applying security updates' that flashed by
briefly during the install from DVD.
I surmise that the version of shim-signed in security.debian.org was
being applied when the ethernet to the cable modem was plugged in.
(The web site shows shim-signed (1.36~1+deb10u1+15.4-5~deb10u1) in
Debian 10 security.)
An install of 10.9 off of the same dvd without the ethernet cable
plugged in installed and booted normally.
I'm surprised at this behavior. I would have expected that these
updates would be applied after booting the installed system rather than
during the install.
Using the Dell T1600 and the system installed with no ethernet cable
I copied the shim-signed file from the attachment below into
Then I shut down and rebooted. I could not tell if a MOK message
came up because something flashed by very quickly.
Debian 10.9 booted up as expected.
I hope this fix makes it into the online security repository.
On 6/22/21 2:36 PM, Steve McIntyre wrote:
On Tue, Jun 22, 2021 at 09:20:36PM +0200, Grzegorz Szymaszek wrote:
On Tue, Jun 22, 2021 at 01:35:51PM +0200, Grzegorz Szymaszek wrote:
I have recently upgraded several buster amd64 machines; shim-signed went
up from 1.33 to 1.36~1+deb10u1. […]
FWIW, upgrading to 1.36~1+deb10u2 brings the problem back.
Looks like the same as #990158.
Yes, it's the same problem. I'm testing a fix now. Could you please
verify if this new build fixes the problem you're seeing on your
has a new *unsigned* amd64 shim binary, and a checksum file. If you
would be so kind, please copy that shimx64.efi binary into place on
your system and test it boots OK. It may still complain about resource
failures and "import_mok_state() failed", but should then boot anyway
in non-secure mode.