Bug#1088696: shim-signed: Update of shim-signed did not update /boot/EFI/EFI/debian/shimx64.efi
Hi Georg,
On Fri, Nov 29, 2024 at 05:51:43PM +0100, Georg Gast wrote:
>Package: shim-signed
>Version: 1.44~1+deb12u1+15.8-1~deb12u1
>Severity: normal
>
>Dear Maintainer,
>
>*** Reporter, please consider answering these questions, where appropriate ***
>
> * What led up to the situation?
>For about 2 years I have run my amd64 debian/bookworm with secureboot enabled.
>Some time ago my PC could not boot anymore as secureboot would not start
>shimx64.efi anymore from my debian entry in UEFI.
>
> * What exactly did you do (or not do) that was effective (or
> ineffective)?
>I disabled secureboot in my UEFI and it booted again. For about three months I
>didn't care too much. Now I read about the bootkit.efi and I wanted to reenable
>it.
>Checked the sha1sums from the installed efi binaries in /boot/EFI/EFI/debian
>
>sha1sum /boot/EFI/EFI/debian/shimx64.efi
>3dd4abb9f7af061c1a7916f9c31f9e5d0be5558a /boot/EFI/EFI/debian/shimx64.efi
>
>These were the sha1sums from the installed shim-signed
>sha1sum /usr/lib/shim/shimx64.efi*
>b3ad049321cfbafe24ad16ba26cd38693ac4a34c /usr/lib/shim/shimx64.efi
>52f4735800ff01fb526a23e309a3bf3bf0d9b7b4 /usr/lib/shim/shimx64.efi.signed
>
>At this stage I ran grub-install (as root) and /boot/EFI/EFI/debian/shimx64.efi
>had the same sha1sum as /usr/lib/shim/shimx64.efi.signed
>
> * What was the outcome of this action?
>Booted again.
>
>Now my question is: Is it intended that the efi binaries in
>/boot/EFI/EFI/debian/ are not updated? Is this a bug or a feature? If there is
>an update from shim-signed do I need to run grub-install manually or should it
>update by the upgrade process?

This should all work automatically for you, assuming you have
appropriate packages installed.

Could you please run the following and show us the output?

$ dpkg -l 'grub*' 'shim*'

--
Steve McIntyre, Cambridge, UK. steve@einval.com
We don't need no education.
We don't need no thought control.