Bug#991478: [shim-signed] RFE: do not brick users' systems in the stable distribution

On Sun, Jul 25, 2021 at 08:19:55PM +0500, Roman Mamedov wrote:
>On Sun, 25 Jul 2021 12:43:48 +0100
>Steve McIntyre <steve@einval.com> wrote:
>> Which provider is using secure boot on arm64 at this point? I've not
>> heard of any. Can you share details of package versions etc. for that
>> please?
>It is the Oracle Cloud.
>Actually I am not certain they use secure boot, or that the lack of signature
>is the issue. According to serial console, the issue was a fatal crash in the
>UEFI boot loader (TianoCore). So I assumed it could be because it did not find
>the signature it was expecting to validate.

OK. I think I know what the problem is here. See below...

>Unfortunately I did not save the crash messages and cannot reproduce it for
>now, as I am no longer able to start my instances due to "Out of host
>capacity" at the provider.
>As for the package versions, I was using the vanilla Debian Buster.

OK, thanks for that information.

In your next mail, I can see your log shows shim-signed version
1.36~1+deb10u1+15.4-5~deb10u1. Despite testing that version on various
arm64 platforms before release, *after* the 10.10 point release we
found that version can also crash and fail to boot in some
circumstances. I think that's your problem here. :-(

When we found that problem, as an immediate workaround I released a
newer shim-signed package into the buster-updates repo which solves
it: version 1.36~1+deb10u2+15.4-5~deb10u1 (note the
deb10u1->deb10u2). I can see that your system is showing
buster-updates in its list of package sources, so I'm very confused as
to what's happened there and why your system did not pick up the later
version. Argh!
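
An added example, not part of the original message and not Debian's own code: a small Python check of whether an installed shim-signed version sorts at or above the fixed buster-updates version quoted above. It reimplements Debian's version ordering (tilde sorts before everything, digit runs compare numerically), and the function names are illustrative.

```python
import re
from itertools import zip_longest

# Version strings quoted in the message above.
AFFECTED = "1.36~1+deb10u1+15.4-5~deb10u1"
FIXED = "1.36~1+deb10u2+15.4-5~deb10u1"

def _order(ch):
    """Sort weight of one non-digit character: '~' < end < letters < the rest."""
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _key(part):
    """Split into (non-digit, digit) pairs; 0 marks the end of each non-digit run."""
    return [([_order(c) for c in text] + [0], int(num or 0))
            for text, num in re.findall(r"(\D*)(\d*)", part)]

def _split(version):
    """Return (epoch, upstream, revision) of a Debian version string."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision

def compare(a, b):
    """Return -1, 0 or 1 as version a sorts before, equal to or after b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for pa, pb in ((ua, ub), (ra, rb)):
        for x, y in zip_longest(_key(pa), _key(pb), fillvalue=([0], 0)):
            if x != y:
                return -1 if x < y else 1
    return 0

def has_fix(installed):
    """True when the installed shim-signed is at least the buster-updates fix."""
    return compare(installed, FIXED) >= 0

if __name__ == "__main__":
    for v in (AFFECTED, FIXED):
        print(v, "fixed" if has_fix(v) else "AFFECTED: upgrade from buster-updates")
```

On a Debian host, `dpkg --compare-versions` performs the same comparison natively.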

