1. Forum
  2. Usenet
  3. LINUX.DEBIAN.DEVEL.RELEAS

  • Analysis: mismatched shim* packages vs. debian-installer (opu/pu)

    From Cyril Brulebois@21:1/5 to All on Thu Sep 8 16:20:01 2022
    XPost: linux.debian.maint.boot

    Hi,

    This is just a summary (TL;DR at the bottom) of my findings from the
    past few days, while preparing d-i for the upcoming point releases. I
    thought I would share in case anyone (e.g. future self) wonders what
    might happen again in the future if we get unlucky again. I'll focus on bullseye but buster is similar.

    I've said a few times to my fellow release team members that packages in (old-)proposed-updates could be accepted without an explicit ACK from me
    since we could side-step buggy packages by feeding our apt calls some
    pinning, preferring udebs from (old-)stable over those in (old-)p-u if
    we spotted some problems during pre-upload building and testing.

    That doesn't work for packages that we list in Build-Depends, and
    buildds have (old-)p-u configured, so we end up pulling packages from
    there as long as they're installable.

    For shim* packages, that means the following, mismatched packages when
    building the debian-installer package:

    Get: 138 http://deb.debian.org/debian bullseye-proposed-updates/main amd64 shim-unsigned amd64 15.6-1~deb11u1 [439 kB]
    Get: 139 http://deb.debian.org/debian bullseye-proposed-updates/main amd64 shim-helpers-amd64-signed amd64 1+15.6+1~deb11u1 [301 kB]
    Get: 140 http://deb.debian.org/debian bullseye/main amd64 shim-signed-common all 1.38+15.4-7 [13.6 kB]
    Get: 141 http://deb.debian.org/debian bullseye/main amd64 shim-signed amd64 1.38+15.4-7 [320 kB]

    It's likely affecting all architectures where the d-i build pulls shim
    packages (but I didn't check further than amd64):

    shim-signed [amd64 i386 arm64]

    To be extra sure, I've tried putting version restrictions to stick
    to bullseye packages, but sbuild/apt bail out with broken packages,
    as expected:

    sbuild-build-depends-main-dummy : Depends: shim-unsigned (< 15.6-1~deb11u1) but 15.6-1~deb11u1 is to be installed
    Depends: shim-helpers-amd64-signed (< 1+15.6+1~deb11u1) but 1+15.6+1~deb11u1 is to be installed

    I've verified two things:
    - switching to the non-default aptitude resolver lets sbuild find a
    solution, but that could have other side effects (that I didn't
    investigate);
    - introducing pinning in the chroot configuration lets us stick to
    bullseye packages, affecting only shim* packages.

    Of course, both rely on having admins around to tweak the config for
    that particular build, which is far from ideal.


    Let's see what shim packages look like:

    1. shim-unsigned /usr/lib/shim/BOOTX64.CSV
    shim-unsigned /usr/lib/shim/fbx64.efi
    shim-unsigned /usr/lib/shim/mmx64.efi
    shim-unsigned /usr/lib/shim/shimx64.efi
    2. shim-helpers-amd64-signed /usr/lib/shim/fbx64.efi.signed
    shim-helpers-amd64-signed /usr/lib/shim/mmx64.efi.signed
    3. shim-signed /usr/lib/shim/shimx64.efi.signed
    4. shim-signed-common /usr/sbin/update-secureboot-policy

    And the combination above is permitted due to lax version dependencies.
    As far as I understand (and `sbverify --list` on each `*.signed` file
    seems to agree), (1) gets uploaded, results in (2) getting signatures
    from the Debian infrastructure; while (3) and (4) need manual MS
    approval and signature.

    In the debian-installer tree, after a build, there are no traces of shim anywhere, which was a bit surprising at first; but it turns out that build/util/efi-image is the sole user of shim files, and it concentrates
    on /usr/lib/shim/shim<arch>.efi.signed, from the shim-signed binary, but copying it under a different name in the build tree:
    https://salsa.debian.org/installer-team/debian-installer/-/blob/20210731+deb11u5/build/util/efi-image#L147-148
    https://salsa.debian.org/installer-team/debian-installer/-/blob/20210731+deb11u5/build/util/efi-image#L156-157

    TL;DR: Everything matches what was already assessed by Steve McIntyre: mismatched shim* packages shouldn't be an issue from a d-i perspective,
    we're “just using the old shim” (sorry, buster…).


    Cheers,
    --
    Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
    D-I release manager -- Release team member -- Freelance Consultant

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEEtg6/KYRFPHDXTPR4/5FK8MKzVSAFAmMZ+SoACgkQ/5FK8MKz VSBiBQ//ewSk05DpFYFISgejCQbLpEp6arWfuBPigsE6iMUEg0zq0prhmdJ6SnPT HIOG/7QOLwmoNVia136D0FEZJou3xCFUoq8bSD63g1vR7j/bZ5OoSSYPCm5bWjFL ILr5vTiDH4FUoNCnuJZmdr/qOPdfKrMEhputQqHME6W6U300+2dtgzWmjMx/Rfzw 0+6kn3ISonBwXXCCXogyiiLQaGQpecTd/KBzF7vBrY0/H/oT8FAPypaexvmw0q3P jU59FOvz+390pKVI5JB8qREGZRc+J7ULfatBCqFWSrxPIgy40dKaqm6E5cu0zMDf waxpvNl1ZMMRHic2wMwChXmioeb42sp66r4zaOAOb5WFJb+LTbk2UQkW+vC2DNRt fGACqNFHlDj4pKm93jIQMLSnAUQ+Blgto8gGcbd2UrFRGjbv0cQvoZLswDeT1Zp/ fHVwX9HO7Jf3LNBfS1ycKEk6QdK2mCYOi1U34sJ+ehF2DWPyidjOYLT5rHdXloZq LLvx7t5vfk9F/ICoMwQ0JHhzaUFssknSlYcEuaibk365teNlvmLOQXBI6rcmwqi3 oSBGkDvem9sjScE/I/6yqLgT0lYLRvUQfVwGA5UtAYxbhzs1FnIRkvtDp47EDVkA i572ZAd2YyRnlu0gaygl0k6hE1TVh8v+coMaXJxDhFwzVw7muGU=
    =0iql
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    *
  • From Steve McIntyre@21:1/5 to Cyril Brulebois on Thu Sep 8 16:40:02 2022
    XPost: linux.debian.maint.boot

    Thanks for the analysis and confirmation! :-)

    On Thu, Sep 08, 2022 at 04:16:16PM +0200, Cyril Brulebois wrote:
    Hi,

    This is just a summary (TL;DR at the bottom) of my findings from the
    past few days, while preparing d-i for the upcoming point releases. I
    thought I would share in case anyone (e.g. future self) wonders what
    might happen again in the future if we get unlucky again. I'll focus on >bullseye but buster is similar.

    I've said a few times to my fellow release team members that packages in >(old-)proposed-updates could be accepted without an explicit ACK from me >since we could side-step buggy packages by feeding our apt calls some >pinning, preferring udebs from (old-)stable over those in (old-)p-u if
    we spotted some problems during pre-upload building and testing.

    That doesn't work for packages that we list in Build-Depends, and
    buildds have (old-)p-u configured, so we end up pulling packages from
    there as long as they're installable.

    For shim* packages, that means the following, mismatched packages when >building the debian-installer package:

    Get: 138 http://deb.debian.org/debian bullseye-proposed-updates/main amd64 shim-unsigned amd64 15.6-1~deb11u1 [439 kB]
    Get: 139 http://deb.debian.org/debian bullseye-proposed-updates/main amd64 shim-helpers-amd64-signed amd64 1+15.6+1~deb11u1 [301 kB]
    Get: 140 http://deb.debian.org/debian bullseye/main amd64 shim-signed-common all 1.38+15.4-7 [13.6 kB]
    Get: 141 http://deb.debian.org/debian bullseye/main amd64 shim-signed amd64 1.38+15.4-7 [320 kB]

    It's likely affecting all architectures where the d-i build pulls shim >packages (but I didn't check further than amd64):

    shim-signed [amd64 i386 arm64]

    To be extra sure, I've tried putting version restrictions to stick
    to bullseye packages, but sbuild/apt bail out with broken packages,
    as expected:

    sbuild-build-depends-main-dummy : Depends: shim-unsigned (< 15.6-1~deb11u1) but 15.6-1~deb11u1 is to be installed
    Depends: shim-helpers-amd64-signed (< 1+15.6+1~deb11u1) but 1+15.6+1~deb11u1 is to be installed

    I've verified two things:
    - switching to the non-default aptitude resolver lets sbuild find a
    solution, but that could have other side effects (that I didn't
    investigate);
    - introducing pinning in the chroot configuration lets us stick to
    bullseye packages, affecting only shim* packages.

    Of course, both rely on having admins around to tweak the config for
    that particular build, which is far from ideal.


    Let's see what shim packages look like:

    1. shim-unsigned /usr/lib/shim/BOOTX64.CSV
    shim-unsigned /usr/lib/shim/fbx64.efi
    shim-unsigned /usr/lib/shim/mmx64.efi
    shim-unsigned /usr/lib/shim/shimx64.efi
    2. shim-helpers-amd64-signed /usr/lib/shim/fbx64.efi.signed
    shim-helpers-amd64-signed /usr/lib/shim/mmx64.efi.signed
    3. shim-signed /usr/lib/shim/shimx64.efi.signed
    4. shim-signed-common /usr/sbin/update-secureboot-policy

    And the combination above is permitted due to lax version dependencies.
    As far as I understand (and `sbverify --list` on each `*.signed` file
    seems to agree), (1) gets uploaded, results in (2) getting signatures
    from the Debian infrastructure; while (3) and (4) need manual MS
    approval and signature.

    In the debian-installer tree, after a build, there are no traces of shim >anywhere, which was a bit surprising at first; but it turns out that >build/util/efi-image is the sole user of shim files, and it concentrates
    on /usr/lib/shim/shim<arch>.efi.signed, from the shim-signed binary, but >copying it under a different name in the build tree:
    https://salsa.debian.org/installer-team/debian-installer/-/blob/20210731+deb11u5/build/util/efi-image#L147-148
    https://salsa.debian.org/installer-team/debian-installer/-/blob/20210731+deb11u5/build/util/efi-image#L156-157

    TL;DR: Everything matches what was already assessed by Steve McIntyre: >mismatched shim* packages shouldn't be an issue from a d-i perspective,
    we're “just using the old shim” (sorry, buster…).


    Cheers,
    --
    Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
    D-I release manager -- Release team member -- Freelance Consultant


    --
    Steve McIntyre, Cambridge, UK. steve@einval.com "War does not determine who is right - only who is left."
    -- Bertrand Russell

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Cyril Brulebois@21:1/5 to All on Thu Sep 8 21:40:02 2022
    XPost: linux.debian.maint.boot

    Cyril Brulebois <kibi@debian.org> (2022-09-08):
    TL;DR: Everything matches what was already assessed by Steve McIntyre: mismatched shim* packages shouldn't be an issue from a d-i perspective,
    we're “just using the old shim” (sorry, buster…).

    Furthermore, I've just checked on two laptops (Dell G3 and Asus
    VivoBook):
    - that their firmware config really requires Secure Boot (stretch's
    d-i wouldn't boot);
    - that bullseye's d-i (build similar to what I tested with VMs,
    except with extra lib/firmware/*) boots fine;
    - and that a full encrypted LVM installation works fine.


    Cheers,
    --
    Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
    D-I release manager -- Release team member -- Freelance Consultant

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEEtg6/KYRFPHDXTPR4/5FK8MKzVSAFAmMaRE8ACgkQ/5FK8MKz VSBfuhAAjLXfnrtybDh266ccFtDlW9q+EsCuqVdrOQVznxkz1pXG+XrVXDLoRG9H IPzGNRZvrtY+9NZ5mDufIFrMh+pCm2PWYFmyIeHy+koTbDJuaNPVYK3DW4Q5M/yX CZwcmNvQZeTeAju7XhL8MPqFb+/BGQzjy80Gtmv8cTL0xKjWyrsnjhZldlXyxTg5 IH4bxdfg7z+HoV/GSAfvEW+rmHK1Sz6RiiU2nXBI8pe4Qr5r0RvT7WHr0ZN8o8Hv paD6cN64kJbjswf6lPuwYjwrdO0xvcTGRt/WlLIQoom0OnJ2YI9bA254dW2pZtdx 6VZ3PeGyZFDtdnk6w0YcQnxmkuRjxLDRBDuJzaYym04m3FQ9avrxy8k0drw1O3uF s9fVYMhlcTzKjdLHBB0ay7iUbKQ5r3LnoFKJ/l+HZCtFIoV2SO8XUo6qbkxdErU0 dD1yp1vSzWxKExcfYZqma709gdxwfZ6FYGXHMUWj7IYDRijQDCNcZQpskCvxORDv Ox3+2c3rbgzBt3wd1cG6o/CHRi5j3jPf0FS5yN0Ab1vw6t8FbOUGRI8p4R3Z2S24 3PggN3tEA6Ssp3f3Mm1zhgjlFxfkiic/lY2fGEu9V71Gf5Z9OCNDEz2MItsNTuxP 61dXW999BULxojoWlCP6uAgRv1/7p7JoJJ9+a5PlNoIka5hPv2E=
    =CbnN
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    *