[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#989962: shim-signed 1.36~1+deb10u1 fails to boot some systems

[ please keep the bug report in CC, I'm not the only person who might be
  reading this! ]

On Mon, Jun 28, 2021 at 09:19:48AM -0700, David George Henderson III wrote:
>
>I generally install Debian off of DVD or a *.iso copied to flash rather than
>an online repository.
>
>    That way I get a reproducible install.
>
>Recently, I found that my Debian 10.9 amd64 dvd-1 install stopped working on
>the Dell T1600 boot in UEFI mode.
>
>    This is the machine that does not support secure boot.
>
>
>The symptoms were that the install went as expected, but the boot failed
>complaining about MOK list being exhausted.

OK, that's the problem we're seeing on a few machines. Typically older
ones (like your Dell) with quite limited EFI variable space.

>What I discovered was that security updates were being applied during the
>install off dvd:
>
>    I noticed the message 'applying security updates' that flashed by briefly
>during the install from DVD.
>
>   I surmise that the version of shim-signed in security.debian.org was being
>applied when the ethernet to the cable modem was plugged in.
>
>   (the web site shows  shim-signed (1.36~1+deb10u1+15.4-5~deb10u1) in Debian
>10 security )

Yup, that would be it.

>An install if 10.9 off of the same dvd without the ethernet cable plugged in
>installed and booted normally.
>
>    I'm surprised at this behavior. I would have expected that these updates
>would be applied after booting the installed system rather than during the
>install.

If at all possible, we try to install all security updates as soon as
they're available. If you give the installer network access at all, it
will look for security updates by default even if you don't configure
a mirror for normal package installation. You've unfortunately hit one
of the exceedingly rare cases where that bites us. :-(

>Using the Dell T1600 and the system installed with no ethernet cable
>connection:
>
>     I copied the shim-signed file from the attachment below into
>/boot/efi/EFI/debian.
>
>    Then I shut down and rebooted. I could not tell if a MOK message came up
>because something flashed by very quickly.
>
>    Debian 10.9 booted up as expected.

Cool, that's as expected.

>I hope this fix makes it into the online security repository.

I'm just waiting on a signed shim binary to come back from Microsoft
then we'll be pushing another round of shim/shim-signed updates out to users.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"Because heaters aren't purple!" -- Catherine Pitt
Reply to: