• WARNING! shim-signed on arm64 in buster may fail to boot

    From Steve McIntyre@21:1/5 to All on Mon Jun 21 11:50:02 2021
    Hi folks,

    In testing of the 10.10. point release over the weekend, we found a
    significant problem with shim-signed on arm64.

    In pre-release testing I found problems with shim on signed versions
    of shim on arm64. The shim binary crashes very early (Synchronous
    Exception). Because of that problem, I took the hard decision to
    disable Secure Boot support for arm64 in Debian Buster until a
    solution could be found:

    https://wiki.debian.org/SecureBoot#arm64_problems

    In testing a new build to go into Buster, I found that non-signed
    versions were working fine on various machines. Unfortunately, it
    seems that the boot issues might be affected by environment. Trying
    the same binary build on Saturday as part of the 10.10 point release,
    booting an installer image crashes repeatably in a VM. It also seems
    that at least one of Debian's own arm64 hosts has been similarly
    affected. :-(

    Arm64 users are **strongly** advised to be careful about upgrading to
    the latest Buster point release (10.10). If upgrading immediately, it
    is recommended to disable remove shim-signed and reinstall GRUB on those systems to ensure that they will continue to boot:

    # apt-get remove shim-signed
    # dpkg --reconfigure grub-efi-amd64

    and disable Secure Boot in their system firmware if it's enabled.

    I'm working on a more user-friendly fix now, and I hope to push it out
    via the buster-updates archive shortly. This will still not be
    *working* Secure Boot for arm64, as we're still awaiting better
    toolchain support to make that work.

    --
    Steve McIntyre, Cambridge, UK. steve@einval.com "...In the UNIX world, people tend to interpret `non-technical user'
    as meaning someone who's only ever written one device driver." -- Daniel Pead

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Steve McIntyre@21:1/5 to Steve McIntyre on Mon Jun 21 17:20:01 2021
    Hi again,

    On Mon, Jun 21, 2021 at 10:46:53AM +0100, Steve McIntyre wrote:

    In testing of the 10.10. point release over the weekend, we found a >significant problem with shim-signed on arm64.

    ...

    I'm working on a more user-friendly fix now, and I hope to push it out
    via the buster-updates archive shortly. This will still not be
    *working* Secure Boot for arm64, as we're still awaiting better
    toolchain support to make that work.

    We've now released an update for shim-signed which should solve this
    problem:

    https://lists.debian.org/debian-stable-announce/2021/06/msg00001.html

    Apologies for any hassle caused. :-(

    --
    Steve McIntyre, Cambridge, UK. steve@einval.com You lock the door
    And throw away the key
    There's someone in my head but it's not me

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Arne Ploese@21:1/5 to All on Tue Jun 22 10:30:02 2021
    Hi Steve,
    the install images (i.e. https://cdimage.debian.org/debian-cd/current/arm64/iso-cd/debian-10.10.0-arm64-netinst.iso)
    are outdated too. I hit the bug after upgrading, and tried to install
    it fresh - but got the same error :-).

    Arne


    Am Montag, dem 21.06.2021 um 16:10 +0100 schrieb Steve McIntyre:
    Hi again,

    On Mon, Jun 21, 2021 at 10:46:53AM +0100, Steve McIntyre wrote:

    In testing of the 10.10. point release over the weekend, we found a significant problem with shim-signed on arm64.

    ...

    I'm working on a more user-friendly fix now, and I hope to push it
    out
    via the buster-updates archive shortly. This will still not be
    *working* Secure Boot for arm64, as we're still awaiting better
    toolchain support to make that work.

    We've now released an update for shim-signed which should solve this
    problem:

     
    https://lists.debian.org/debian-stable-announce/2021/06/msg00001.html

    Apologies for any hassle caused. :-(


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Steve McIntyre@21:1/5 to Arne Ploese on Tue Jun 22 22:00:01 2021
    On Tue, Jun 22, 2021 at 10:20:52AM +0200, Arne Ploese wrote:
    Hi Steve,
    the install images (i.e. >https://cdimage.debian.org/debian-cd/current/arm64/iso-cd/debian-10.10.0-arm64-netinst.iso)
    are outdated too. I hit the bug after upgrading, and tried to install
    it fresh - but got the same error :-).

    Yup. I'll have to respin the installer images soon. I'm also looking
    at another shim upload, so I'm probably going to wait for that yet.

    --
    Steve McIntyre, Cambridge, UK. steve@einval.com "This dress doesn't reverse." -- Alden Spiess

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)