Bug#991478: [shim-signed] RFE: do not brick users' systems in the stable distribution

[Steve McIntyre <steve@einval.com>]

On Sun, Jul 25, 2021 at 08:19:55PM +0500, Roman Mamedov wrote:
>On Sun, 25 Jul 2021 12:43:48 +0100
>Steve McIntyre <steve@einval.com> wrote:
>
>> Which provider is using secure boot on arm64 at this point? I've not
>> heard of any. Can you share details of package versions etc. for that
>> please?
>
>It is the Oracle Cloud.
>
>Actually I am not certain they use secure boot, or that the lack of signature
>is the issue. According to serial console, the issue was a fatal crash in the
>UEFI boot loader (TianoCore). So I assumed it could be because it did not find
>the signature it was expecting to validate.

OK. I think I know what the problem is here. See below...

>Unfortunately I did not save the crash messages and cannot reproduce it for
>now, as I am not longer able to start my instances due to "Out of host
>capacity" at the provider.
>
>As for the package versions, I was using the vanilla Debian Buster.

OK, thanks for that information.

In your next mail, I can see your log shows shim-signed version
1.36~1+deb10u1+15.4-5~deb10u1. Despite testing that version on various
arm64 platforms before release, *after* the 10.10 point release we
found that version can also crash and fail to boot in some
circumstances. I think that's your problem here. :-(

When we found that problem, as an immediate workaround I released a
newer shim-signed package into the buster-updates repo which solves
it: version 1.36~1+deb10u2+15.4-5~deb10u1 (note the
deb10u1->deb10u2). I can see that your system is showing
buster-updates in its list of package sources, so I'm very confused as
to what's happened there and why your system did not pick up the later
version. Argh!

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
“Why do people find DNS so difficult? It’s just cache invalidation and
 naming things.”
   -– Jeff Waugh (https://twitter.com/jdub)