[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#992073: shim-signed: restore arm64 support

Package: shim-signed
Version: 1.38+15.4-7
Severity: normal
X-Debbugs-CC: debian-ci@lists.debian.org


Thanks for you work on shim-signed.

I have read both the package changelog and the NEWS file, and I
understand the reason for dropping the signed shim support for arm64.
I'm opening this bug to have a user-visible tracking of this issue.

Quoting NEWS for the benefit of others find this bug:

    shim-signed (1.34) unstable; urgency=medium

      Debian no longer supports UEFI Secure Boot on arm64 systems

      Shim and other EFI programs have always been difficult to build on
      arm64, compared to x86 platforms. Binutils for amd64 and i386
      includes explicit support for creating programs in the PE/COFF
      binary format that EFI uses, but this has never been added for

      In the past, shim developers added some local hacks into the shim
      package to generate a *mostly*-compliant PE/COFF EFI binary without
      this toolchain support, and that seemed to be sufficient for
      use. Everything seemed to work. *However*, during the development
      and testing phase of shim 15.3 and 15.4, we found significant
      issues with this approach. New security features needed in shim
      (SBAT) showed up severe problems with the lack of proper toolchain
      support. See https://github.com/rhboot/shim/issues/366 for more
      details. The old hacks around binutils are no longer sustainable.

      Statistics tell us that very few people have attempted to use arm64
      Secure Boot with Debian so far. In the interests of releasing needed
      updates in a timely manner, we have decided *for the time being* to
      disable signed shim support for Debian arm64.

      We hope to re-introduce arm64 Secure Boot support as soon as
      possible in the future.

As a data point, the Huawei cloud infra where ci.debian.net runs arm64
workers (for arm*) does use Secure Boot on arm64, and applying security
updates broke our machines there.

Attachment: signature.asc
Description: PGP signature

Reply to: