Re: fbx64.efi hangs after Debian 10.10 shim update

To: Pascal Hambourg <pascal@plouf.fr.eu.org>
Cc: debian-efi@lists.debian.org
Subject: Re: fbx64.efi hangs after Debian 10.10 shim update
From: Steve McIntyre <steve@einval.com>
Date: Tue, 29 Jun 2021 15:14:00 +0100
Message-id: <[🔎] 20210629141400.GD1798@tack.einval.com>
In-reply-to: <[🔎] 4a7bed2a-f376-7300-17d4-668771d73fbc@plouf.fr.eu.org>
References: <[🔎] 63203d20-8a07-205a-ce2c-8784e0ee6148@plouf.fr.eu.org> <[🔎] 20210621174408.GS8685@tack.einval.com> <[🔎] 4158f017-d999-9537-66fb-1c74dd3289dd@plouf.fr.eu.org> <[🔎] 4a7bed2a-f376-7300-17d4-668771d73fbc@plouf.fr.eu.org>

Hey again Pascal,

On Sat, Jun 26, 2021 at 10:35:35AM +0200, Pascal Hambourg wrote:
>Le 21/06/2021 à 21:12, Pascal Hambourg a écrit :
>> 
>> shim.c:1727:shim_init() UEFI SHIM
>> $Version: 15.4 $
>> $BuildMachine: buildhost $
>> $Commit: XXXX $
>> shim.c:898:load_image() attempting to load \EFI\Boot\fbx64.efi
>> pe.c:574:generate_hash() sha1 authenticode hash:
>> pe.c:575:generate_hash() (2 lines of XX and hex codes)
>> pe.c:576:generate_hash() sha256 authenticode hash:
>> pe.c:577:generate_hash() (2 more lines of hex codes)
>> pe.c:1057:handle_image() sbat section base:0xB9DED000 size:0xC6
>
>More information :
>
>The firmware has two UEFI boot modes : Hybrid (with CSM) and Native (without
>CSM). In hybrid mode, secure boot is disabled. In native mode, secure boot
>can be enabled or disabled.

OK, that sounds normal.

>Until now I always used hybrid mode which allows either EFI and legacy BIOS
>boot. I discovered that the issue happens only in hybrid mode, not in native
>mode. In native mode with secure boot disabled, here are the next lines
>displayed after the above lines :
>
>shim.c:1926:efi_main() vendor_authorized:0xB9BA6010
>vendor_authorized_size:930
>shim.c:1928:efi_main() vendor_deauthorized:0xB9BA63B2
>vendor_deauthorized_size:8664
>sbat.c:346:set_sbat_uefi_variable() SbatLevel variable is 18 bytes,
>attributes are 0x00000003
>
>Then the blue frame "Secure boot not enabled" is displayed again (supposedly
>when \EFI\debian\shimx64.efi is executed).
>
>With secure mode enabled the frame is not displayed so it does not pause and
>allow me to see anything until GRUB menu is displayed.

ACK.

>FWIW, the latest shim-helpers-amd64-signed 1+15.4+6~deb10u1 from
>buster-proposed-updates did not fix the issue.

Right. Nothing has changed in the helpers for a while now, all the
recent changes have been in the shim binary only.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"I used to be the first kid on the block wanting a cranial implant,
 now I want to be the first with a cranial firewall. " -- Charlie Stross

Reply to:

References:
- fbx64.efi hangs after Debian 10.10 shim update
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: fbx64.efi hangs after Debian 10.10 shim update
  - From: Steve McIntyre <steve@einval.com>
- Re: fbx64.efi hangs after Debian 10.10 shim update
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: fbx64.efi hangs after Debian 10.10 shim update
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>

Prev by Date: Re: fbx64.efi hangs after Debian 10.10 shim update
Next by Date: Processing of shim-signed_1.37_source.changes
Previous by thread: Re: fbx64.efi hangs after Debian 10.10 shim update
Next by thread: Re: fbx64.efi hangs after Debian 10.10 shim update
Index(es):
- Date
- Thread