Bug#989962: update to the version of shim-signed(Re: Bug#989962: shim-signed 1.36~1+deb10u1 fails to boot some systems)

[David George Henderson III <dgh@caltech.edu>]

Updated: the email is incorrect: this is the version shown in Debian 10 
security : shim-signed (1.36~1+deb10u2+15.4-5~deb10u1)

On 6/28/21 9:19 AM, David George Henderson III wrote:
> Hello Steve,
>
>
> I generally install Debian off of DVD or a *.iso copied to flash 
> rather than an online repository.
>
>     That way I get a reproducible install.
>
>
> Recently, I found that my Debian 10.9 amd64 dvd-1 install stopped 
> working on the Dell T1600 boot in UEFI mode.
>
>     This is the machine that does not support secure boot.
>
>
> The symptoms were that the install went as expected, but the boot 
> failed complaining about MOK list being exhausted.
>
>
> What I discovered was that security updates were being applied during 
> the install off dvd:
>
>     I noticed the message 'applying security updates' that flashed by 
> briefly during the install from DVD.
>
>    I surmise that the version of shim-signed in security.debian.org 
> was being applied when the ethernet to the cable modem was plugged in.
>
>    (the web site shows  shim-signed (1.36~1+deb10u1+15.4-5~deb10u1) in 
> Debian 10 security )
>
>
> An install if 10.9 off of the same dvd without the ethernet cable 
> plugged in installed and booted normally.
>
>     I'm surprised at this behavior. I would have expected that these 
> updates would be applied after booting the installed system rather 
> than during the install.
>
>
> Using the Dell T1600 and the system installed with no ethernet cable 
> connection:
>
>      I copied the shim-signed file from the attachment below into 
> /boot/efi/EFI/debian.
>
>     Then I shut down and rebooted. I could not tell if a MOK message 
> came up because something flashed by very quickly.
>
>     Debian 10.9 booted up as expected.
>
>
> I hope this fix makes it into the online security repository.
>
>
> David
>
>
> David
>
> On 6/22/21 2:36 PM, Steve McIntyre wrote:
> > On Tue, Jun 22, 2021 at 09:20:36PM +0200, Grzegorz Szymaszek wrote:
> > > On Tue, Jun 22, 2021 at 01:35:51PM +0200, Grzegorz Szymaszek wrote:
> > > > I have recently upgraded several buster amd64 machines; shim-signed 
> > > > went
> > > > up from 1.33 to 1.36~1+deb10u1. […]
> > > FWIW, upgrading to 1.36~1+deb10u2 brings the problem back.
> > >
> > > Looks like the same as #990158.
> > Yes, it's the same problem. I'm testing a fix now. Could you please
> > verify if this new build fixes the problem you're seeing on your
> > hardware?
> >
> >    https://people.debian.org/~93sam/shim/
> >
> > has a new *unsigned* amd64 shim binary, and a checksum file. If you
> > would be so kind, please copy that shimx64.efi binary into place on
> > your system and test it boots OK. It may still complain about resource
> > failures and "import_mok_state() failed", but should then boot anyway
> > in non-secure mode.