[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#989962: update to the version of shim-signed(Re: Bug#989962: shim-signed 1.36~1+deb10u1 fails to boot some systems)

Updated: the email is incorrect: this is the version shown in Debian 10 security : shim-signed (1.36~1+deb10u2+15.4-5~deb10u1)

On 6/28/21 9:19 AM, David George Henderson III wrote:
Hello Steve,

I generally install Debian off of DVD or a *.iso copied to flash rather than an online repository.

    That way I get a reproducible install.

Recently, I found that my Debian 10.9 amd64 dvd-1 install stopped working on the Dell T1600 boot in UEFI mode.

    This is the machine that does not support secure boot.

The symptoms were that the install went as expected, but the boot failed complaining about MOK list being exhausted.

What I discovered was that security updates were being applied during the install off dvd:

    I noticed the message 'applying security updates' that flashed by briefly during the install from DVD.

   I surmise that the version of shim-signed in security.debian.org was being applied when the ethernet to the cable modem was plugged in.

   (the web site shows  shim-signed (1.36~1+deb10u1+15.4-5~deb10u1) in Debian 10 security )

An install if 10.9 off of the same dvd without the ethernet cable plugged in installed and booted normally.

    I'm surprised at this behavior. I would have expected that these updates would be applied after booting the installed system rather than during the install.

Using the Dell T1600 and the system installed with no ethernet cable connection:

     I copied the shim-signed file from the attachment below into /boot/efi/EFI/debian.

    Then I shut down and rebooted. I could not tell if a MOK message came up because something flashed by very quickly.

    Debian 10.9 booted up as expected.

I hope this fix makes it into the online security repository.



On 6/22/21 2:36 PM, Steve McIntyre wrote:
On Tue, Jun 22, 2021 at 09:20:36PM +0200, Grzegorz Szymaszek wrote:
On Tue, Jun 22, 2021 at 01:35:51PM +0200, Grzegorz Szymaszek wrote:
I have recently upgraded several buster amd64 machines; shim-signed went
up from 1.33 to 1.36~1+deb10u1. […]
FWIW, upgrading to 1.36~1+deb10u2 brings the problem back.

Looks like the same as #990158.
Yes, it's the same problem. I'm testing a fix now. Could you please
verify if this new build fixes the problem you're seeing on your


has a new *unsigned* amd64 shim binary, and a checksum file. If you
would be so kind, please copy that shimx64.efi binary into place on
your system and test it boots OK. It may still complain about resource
failures and "import_mok_state() failed", but should then boot anyway
in non-secure mode.

Reply to: