Bug#1108278: shim-signed: Asks to disable EFI Secure Boot with enrolled DKMS key
Control: forcemerge -1 989460 1082012
Hi!
On Tue, 2025-06-24 at 19:04:38 +0200, Guillem Jover wrote:
> Package: shim-signed-common
> Version: 1.46
> Severity: important
> [ Given that this seems security sensitive, I've set it to important,
> but feel free to lower or raise it as you deem fit. ]
> If I've not gotten the origin of the problem incorrectly, the recent
> shim-signed upgrade caused a debconf prompt to pop up (I think from
> update-secureboot-policy (?)) asking to disable the EFI Secure Boot
> for next boot, stating that otherwise kernel modules for third parties
> might become unusable.
>
> But some time ago (probably after the last shim-signed upload) I
> enrolled the DKMS signing keys via the instructions from
> <https://wiki.debian.org/SecureBoot#DKMS_and_Secure_Boot>, so I'd
> expect no such debconf message to pop up, as I was initially very
> confused, and thought there was perhaps a breaking change in that
> shim-signed version that would cause that, and that the next boot
> would cause modules to stop working, which would instead lower
> the security of the system.
Sorry! I was only checking the shim bug reports, until I realized the
involved script was coming from shim-signed, when I changed the
metadata but then didn't check its already filed reports. I then saw
this has been filed multiple times, with also related (but not the same)
reports such as #989463 and #1081749.
Thanks,
Guillem