Acknowledgement sent
to Roman Mamedov <rm@romanrm.net>:
New Bug report received and forwarded. Copy sent to Debian EFI Team <debian-efi@lists.debian.org>.
(Sun, 25 Jul 2021 11:12:03 GMT) (full text, mbox, link).
Subject: [shim-signed] RFE: do not brick users' systems in the stable
distribution
Date: Sun, 25 Jul 2021 16:01:23 +0500
Package: shim-signed
Severity: grave
Starting from 1.34~1+deb10u1 and its corresponding "***WARNING***", now the
arm64 shim "is no longer signed".
As a result, after a mundane package upgrade and a reboot, all of my remote
arm64 machines do not boot anymore. I was not aware that the cloud provider
actually uses this "secure boot", else I'd pay more attention to that
"WARNING".
In any case, relying on the user reading upgrade notes, and then to scramble
rolling back the upgrade and holding the affected package ASAP, else the
system is bricked, is not a responsible package policy.
I would humbly suggest that you keep the latest signed version frozen at least
in "buster" with no further updates, until the signing issue is resolved. Or
as of now, release another update with the signed version in place.
P.S. just noticed 1.36~1+deb10u2 tried to do something about the boot breakage
- evidently that did not help.
--
With respect,
Roman
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian EFI Team <debian-efi@lists.debian.org>: Bug#991478; Package shim-signed.
(Sun, 25 Jul 2021 11:48:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Steve McIntyre <steve@einval.com>:
Extra info received and forwarded to list. Copy sent to Debian EFI Team <debian-efi@lists.debian.org>.
(Sun, 25 Jul 2021 11:48:02 GMT) (full text, mbox, link).
To: Roman Mamedov <rm@romanrm.net>, 991478@bugs.debian.org
Subject: Re: Bug#991478: [shim-signed] RFE: do not brick users' systems in
the stable distribution
Date: Sun, 25 Jul 2021 12:43:48 +0100
Hi Roman,
On Sun, Jul 25, 2021 at 04:01:23PM +0500, Roman Mamedov wrote:
>Package: shim-signed
>Severity: grave
>
>Starting from 1.34~1+deb10u1 and its corresponding "***WARNING***", now the
>arm64 shim "is no longer signed".
>
>As a result, after a mundane package upgrade and a reboot, all of my remote
>arm64 machines do not boot anymore. I was not aware that the cloud provider
>actually uses this "secure boot", else I'd pay more attention to that
>"WARNING".
Which provider is using secure boot on arm64 at this point? I've not
heard of any. Can you share details of package versions etc. for that
please?
>In any case, relying on the user reading upgrade notes, and then to scramble
>rolling back the upgrade and holding the affected package ASAP, else the
>system is bricked, is not a responsible package policy.
>
>I would humbly suggest that you keep the latest signed version frozen at least
>in "buster" with no further updates, until the signing issue is resolved. Or
>as of now, release another update with the signed version in place.
Sorry, but that's not an option - the older version of shim left
multiple high-security issues open, allowing people to easily break
into a Secure Boot setup.
--
Steve McIntyre, Cambridge, UK. steve@einval.com
'There is some grim amusement in watching Pence try to run the typical
"politician in the middle of a natural disaster" playbook, however
incompetently, while Trump scribbles all over it in crayon and eats some
of the pages.' -- Russ Allbery
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian EFI Team <debian-efi@lists.debian.org>: Bug#991478; Package shim-signed.
(Sun, 25 Jul 2021 15:30:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Roman Mamedov <rm@romanrm.net>:
Extra info received and forwarded to list. Copy sent to Debian EFI Team <debian-efi@lists.debian.org>.
(Sun, 25 Jul 2021 15:30:03 GMT) (full text, mbox, link).
Subject: Re: Bug#991478: [shim-signed] RFE: do not brick users' systems in
the stable distribution
Date: Sun, 25 Jul 2021 20:19:55 +0500
On Sun, 25 Jul 2021 12:43:48 +0100
Steve McIntyre <steve@einval.com> wrote:
> Which provider is using secure boot on arm64 at this point? I've not
> heard of any. Can you share details of package versions etc. for that
> please?
It is the Oracle Cloud.
Actually I am not certain they use secure boot, or that the lack of signature
is the issue. According to serial console, the issue was a fatal crash in the
UEFI boot loader (TianoCore). So I assumed it could be because it did not find
the signature it was expecting to validate.
Unfortunately I did not save the crash messages and cannot reproduce it for
now, as I am no longer able to start my instances due to "Out of host
capacity" at the provider.
As for the package versions, I was using the vanilla Debian Buster.
--
With respect,
Roman
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian EFI Team <debian-efi@lists.debian.org>: Bug#991478; Package shim-signed.
(Sun, 25 Jul 2021 15:30:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Roman Mamedov <rm@romanrm.net>:
Extra info received and forwarded to list. Copy sent to Debian EFI Team <debian-efi@lists.debian.org>.
(Sun, 25 Jul 2021 15:30:04 GMT) (full text, mbox, link).
Subject: Re: Bug#991478: [shim-signed] RFE: do not brick users' systems in
the stable distribution
Date: Sun, 25 Jul 2021 20:22:48 +0500
On Sun, 25 Jul 2021 20:19:55 +0500
Roman Mamedov <rm@romanrm.net> wrote:
> As for the package versions, I was using the vanilla Debian Buster.
Here is the log of the upgrade after which it no longer booted up:
Hit:1 https://deb.debian.org/debian-security buster/updates InRelease
Hit:2 https://deb.debian.org/debian buster InRelease
Get:3 https://deb.debian.org/debian buster-backports InRelease [46.7 kB]
Get:4 https://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Get:5 https://deb.debian.org/debian buster-backports/main arm64 Packages.diff/Index [27.8 kB]
Get:6 https://deb.debian.org/debian buster-backports/main arm64 Packages 2021-07-25-0801.36.pdiff [950 B]
Get:6 https://deb.debian.org/debian buster-backports/main arm64 Packages 2021-07-25-0801.36.pdiff [950 B]
Fetched 127 kB in 1s (147 kB/s)
Reading package lists... Done
The following NEW packages will be installed:
linux-image-5.10.0-0.bpo.7-arm64{a}
The following packages will be upgraded:
base-files isc-dhcp-client isc-dhcp-common klibc-utils libgcrypt20 libgnutls30 libgssapi-krb5-2 libhogweed4 libk5crypto3 libklibc
libkrb5-3 libkrb5support0 libnettle6 libsystemd0 libudev1 linux-image-arm64 shim-helpers-arm64-signed shim-signed
shim-signed-common shim-unsigned udev
The following packages are RECOMMENDED but will NOT be installed:
krb5-locales
21 packages upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 51.2 MB of archives. After unpacking 256 MB will be used.
Do you want to continue? [Y/n/?] y
Get: 1 https://deb.debian.org/debian buster/main arm64 base-files arm64 10.3+deb10u10 [69.9 kB]
Get: 2 https://deb.debian.org/debian-security buster/updates/main arm64 libsystemd0 arm64 241-7~deb10u8 [314 kB]
Get: 3 https://deb.debian.org/debian-security buster/updates/main arm64 udev arm64 241-7~deb10u8 [1244 kB]
Get: 4 https://deb.debian.org/debian-security buster/updates/main arm64 libudev1 arm64 241-7~deb10u8 [146 kB]
Get: 5 https://deb.debian.org/debian buster/main arm64 libgcrypt20 arm64 1.8.4-5+deb10u1 [488 kB]
Get: 6 https://deb.debian.org/debian-security buster/updates/main arm64 libnettle6 arm64 3.4.1-1+deb10u1 [225 kB]
Get: 7 https://deb.debian.org/debian-security buster/updates/main arm64 libhogweed4 arm64 3.4.1-1+deb10u1 [138 kB]
Get: 8 https://deb.debian.org/debian buster/main arm64 libgnutls30 arm64 3.6.7-4+deb10u7 [1062 kB]
Get: 9 https://deb.debian.org/debian buster/main arm64 isc-dhcp-client arm64 4.4.1-2+deb10u1 [328 kB]
Get: 10 https://deb.debian.org/debian buster/main arm64 isc-dhcp-common arm64 4.4.1-2+deb10u1 [144 kB]
Get: 11 https://deb.debian.org/debian-security buster/updates/main arm64 libgssapi-krb5-2 arm64 1.17-3+deb10u2 [150 kB]
Get: 12 https://deb.debian.org/debian-security buster/updates/main arm64 libkrb5-3 arm64 1.17-3+deb10u2 [351 kB]
Get: 13 https://deb.debian.org/debian-security buster/updates/main arm64 libkrb5support0 arm64 1.17-3+deb10u2 [64.9 kB]
Get: 14 https://deb.debian.org/debian-security buster/updates/main arm64 libk5crypto3 arm64 1.17-3+deb10u2 [123 kB]
Get: 15 https://deb.debian.org/debian buster/main arm64 klibc-utils arm64 2.0.6-1+deb10u1 [99.3 kB]
Get: 16 https://deb.debian.org/debian buster/main arm64 libklibc arm64 2.0.6-1+deb10u1 [57.1 kB]
Get: 17 https://deb.debian.org/debian buster-backports/main arm64 linux-image-5.10.0-0.bpo.7-arm64 arm64 5.10.40-1~bpo10+1 [45.4 MB]
Get: 18 https://deb.debian.org/debian buster-backports/main arm64 linux-image-arm64 arm64 5.10.40-1~bpo10+1 [1464 B]
Get: 19 https://deb.debian.org/debian buster/main arm64 shim-unsigned arm64 15.4-5~deb10u1 [342 kB]
Get: 20 https://deb.debian.org/debian buster/main arm64 shim-helpers-arm64-signed arm64 1+15.4+5~deb10u1 [234 kB]
Get: 21 https://deb.debian.org/debian buster/main arm64 shim-signed arm64 1.36~1+deb10u1+15.4-5~deb10u1 [247 kB]
Get: 22 https://deb.debian.org/debian buster/main arm64 shim-signed-common all 1.36~1+deb10u1+15.4-5~deb10u1 [13.3 kB]
Fetched 51.2 MB in 1s (47.3 MB/s)
Reading changelogs... Done
apt-listchanges: Mailing root: apt-listchanges: news for XXXXXXXX
Preconfiguring packages ...
(Reading database ... 26475 files and directories currently installed.)
Preparing to unpack .../base-files_10.3+deb10u10_arm64.deb ...
Unpacking base-files (10.3+deb10u10) over (10.3+deb10u9) ...
Setting up base-files (10.3+deb10u10) ...
Installing new version of config file /etc/debian_version ...
(Reading database ... 26475 files and directories currently installed.)
Preparing to unpack .../libsystemd0_241-7~deb10u8_arm64.deb ...
Unpacking libsystemd0:arm64 (241-7~deb10u8) over (241-7~deb10u7) ...
Setting up libsystemd0:arm64 (241-7~deb10u8) ...
(Reading database ... 26475 files and directories currently installed.)
Preparing to unpack .../udev_241-7~deb10u8_arm64.deb ...
Unpacking udev (241-7~deb10u8) over (241-7~deb10u7) ...
Preparing to unpack .../libudev1_241-7~deb10u8_arm64.deb ...
Unpacking libudev1:arm64 (241-7~deb10u8) over (241-7~deb10u7) ...
Setting up libudev1:arm64 (241-7~deb10u8) ...
(Reading database ... 26475 files and directories currently installed.)
Preparing to unpack .../libgcrypt20_1.8.4-5+deb10u1_arm64.deb ...
Unpacking libgcrypt20:arm64 (1.8.4-5+deb10u1) over (1.8.4-5) ...
Setting up libgcrypt20:arm64 (1.8.4-5+deb10u1) ...
(Reading database ... 26475 files and directories currently installed.)
Preparing to unpack .../libnettle6_3.4.1-1+deb10u1_arm64.deb ...
Unpacking libnettle6:arm64 (3.4.1-1+deb10u1) over (3.4.1-1) ...
Setting up libnettle6:arm64 (3.4.1-1+deb10u1) ...
(Reading database ... 26475 files and directories currently installed.)
Preparing to unpack .../libhogweed4_3.4.1-1+deb10u1_arm64.deb ...
Unpacking libhogweed4:arm64 (3.4.1-1+deb10u1) over (3.4.1-1) ...
Setting up libhogweed4:arm64 (3.4.1-1+deb10u1) ...
(Reading database ... 26475 files and directories currently installed.)
Preparing to unpack .../libgnutls30_3.6.7-4+deb10u7_arm64.deb ...
Unpacking libgnutls30:arm64 (3.6.7-4+deb10u7) over (3.6.7-4+deb10u6) ...
Setting up libgnutls30:arm64 (3.6.7-4+deb10u7) ...
(Reading database ... 26475 files and directories currently installed.)
Preparing to unpack .../00-isc-dhcp-client_4.4.1-2+deb10u1_arm64.deb ...
Unpacking isc-dhcp-client (4.4.1-2+deb10u1) over (4.4.1-2) ...
Preparing to unpack .../01-isc-dhcp-common_4.4.1-2+deb10u1_arm64.deb ...
Unpacking isc-dhcp-common (4.4.1-2+deb10u1) over (4.4.1-2) ...
Preparing to unpack .../02-libgssapi-krb5-2_1.17-3+deb10u2_arm64.deb ...
Unpacking libgssapi-krb5-2:arm64 (1.17-3+deb10u2) over (1.17-3+deb10u1) ...
Preparing to unpack .../03-libkrb5-3_1.17-3+deb10u2_arm64.deb ...
Unpacking libkrb5-3:arm64 (1.17-3+deb10u2) over (1.17-3+deb10u1) ...
Preparing to unpack .../04-libkrb5support0_1.17-3+deb10u2_arm64.deb ...
Unpacking libkrb5support0:arm64 (1.17-3+deb10u2) over (1.17-3+deb10u1) ...
Preparing to unpack .../05-libk5crypto3_1.17-3+deb10u2_arm64.deb ...
Unpacking libk5crypto3:arm64 (1.17-3+deb10u2) over (1.17-3+deb10u1) ...
Preparing to unpack .../06-klibc-utils_2.0.6-1+deb10u1_arm64.deb ...
Unpacking klibc-utils (2.0.6-1+deb10u1) over (2.0.6-1) ...
Preparing to unpack .../07-libklibc_2.0.6-1+deb10u1_arm64.deb ...
Unpacking libklibc:arm64 (2.0.6-1+deb10u1) over (2.0.6-1) ...
Selecting previously unselected package linux-image-5.10.0-0.bpo.7-arm64.
Preparing to unpack .../08-linux-image-5.10.0-0.bpo.7-arm64_5.10.40-1~bpo10+1_arm64.deb ...
Unpacking linux-image-5.10.0-0.bpo.7-arm64 (5.10.40-1~bpo10+1) ...
Preparing to unpack .../09-linux-image-arm64_5.10.40-1~bpo10+1_arm64.deb ...
Unpacking linux-image-arm64 (5.10.40-1~bpo10+1) over (5.10.24-1~bpo10+1) ...
Preparing to unpack .../10-shim-unsigned_15.4-5~deb10u1_arm64.deb ...
Unpacking shim-unsigned (15.4-5~deb10u1) over (15+1533136590.3beb971-7+deb10u1) ...
Preparing to unpack .../11-shim-helpers-arm64-signed_1+15.4+5~deb10u1_arm64.deb ...
Unpacking shim-helpers-arm64-signed (1+15.4+5~deb10u1) over (1+15+1533136590.3beb971+7+deb10u1) ...
Preparing to unpack .../12-shim-signed_1.36~1+deb10u1+15.4-5~deb10u1_arm64.deb ...
Unpacking shim-signed:arm64 (1.36~1+deb10u1+15.4-5~deb10u1) over (1.33+15+1533136590.3beb971-7) ...
Preparing to unpack .../13-shim-signed-common_1.36~1+deb10u1+15.4-5~deb10u1_all.deb ...
Unpacking shim-signed-common (1.36~1+deb10u1+15.4-5~deb10u1) over (1.33+15+1533136590.3beb971-7) ...
Setting up linux-image-5.10.0-0.bpo.7-arm64 (5.10.40-1~bpo10+1) ...
I: /boot/vmlinuz.old is now a symlink to vmlinuz-5.10.0-0.bpo.5-arm64
I: /boot/initrd.img.old is now a symlink to initrd.img-5.10.0-0.bpo.5-arm64
I: /boot/vmlinuz is now a symlink to vmlinuz-5.10.0-0.bpo.7-arm64
I: /boot/initrd.img is now a symlink to initrd.img-5.10.0-0.bpo.7-arm64
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-5.10.0-0.bpo.7-arm64
/etc/kernel/postinst.d/zz-update-grub:
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.10.0-0.bpo.7-arm64
Found initrd image: /boot/initrd.img-5.10.0-0.bpo.7-arm64
Found linux image: /boot/vmlinuz-5.10.0-0.bpo.5-arm64
Found initrd image: /boot/initrd.img-5.10.0-0.bpo.5-arm64
Found linux image: /boot/vmlinuz-4.19.0-16-arm64
Found initrd image: /boot/initrd.img-4.19.0-16-arm64
done
Setting up linux-image-arm64 (5.10.40-1~bpo10+1) ...
Setting up isc-dhcp-client (4.4.1-2+deb10u1) ...
Setting up libkrb5support0:arm64 (1.17-3+deb10u2) ...
Setting up libklibc:arm64 (2.0.6-1+deb10u1) ...
Setting up shim-signed-common (1.36~1+deb10u1+15.4-5~deb10u1) ...
No DKMS packages installed: not changing Secure Boot validation state.
Setting up udev (241-7~deb10u8) ...
[ ok ] Stopping hotplug events dispatcher: systemd-udevd.
[ ok ] Starting hotplug events dispatcher: systemd-udevd.
update-initramfs: deferring update (trigger activated)
Setting up libk5crypto3:arm64 (1.17-3+deb10u2) ...
Setting up isc-dhcp-common (4.4.1-2+deb10u1) ...
Setting up libkrb5-3:arm64 (1.17-3+deb10u2) ...
Setting up klibc-utils (2.0.6-1+deb10u1) ...
Setting up shim-unsigned (15.4-5~deb10u1) ...
Setting up shim-helpers-arm64-signed (1+15.4+5~deb10u1) ...
Installing for arm64-efi platform.
grub-install: warning: EFI variables are not supported on this system..
Installation finished. No error reported.
Setting up shim-signed:arm64 (1.36~1+deb10u1+15.4-5~deb10u1) ...
Installing for arm64-efi platform.
grub-install: warning: EFI variables are not supported on this system..
Installation finished. No error reported.
No DKMS packages installed: not changing Secure Boot validation state.
Setting up libgssapi-krb5-2:arm64 (1.17-3+deb10u2) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.28-10) ...
Processing triggers for initramfs-tools (0.133+deb10u1) ...
update-initramfs: Generating /boot/initrd.img-5.10.0-0.bpo.7-arm64
Current status: 0 (-21) upgradable.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian EFI Team <debian-efi@lists.debian.org>: Bug#991478; Package shim-signed.
(Sun, 25 Jul 2021 15:57:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Steve McIntyre <steve@einval.com>:
Extra info received and forwarded to list. Copy sent to Debian EFI Team <debian-efi@lists.debian.org>.
(Sun, 25 Jul 2021 15:57:07 GMT) (full text, mbox, link).
Subject: Re: Bug#991478: [shim-signed] RFE: do not brick users' systems in
the stable distribution
Date: Sun, 25 Jul 2021 16:52:27 +0100
On Sun, Jul 25, 2021 at 08:19:55PM +0500, Roman Mamedov wrote:
>On Sun, 25 Jul 2021 12:43:48 +0100
>Steve McIntyre <steve@einval.com> wrote:
>
>> Which provider is using secure boot on arm64 at this point? I've not
>> heard of any. Can you share details of package versions etc. for that
>> please?
>
>It is the Oracle Cloud.
>
>Actually I am not certain they use secure boot, or that the lack of signature
>is the issue. According to serial console, the issue was a fatal crash in the
>UEFI boot loader (TianoCore). So I assumed it could be because it did not find
>the signature it was expecting to validate.
OK. I think I know what the problem is here. See below...
>Unfortunately I did not save the crash messages and cannot reproduce it for
>now, as I am no longer able to start my instances due to "Out of host
>capacity" at the provider.
>
>As for the package versions, I was using the vanilla Debian Buster.
OK, thanks for that information.
In your next mail, I can see your log shows shim-signed version
1.36~1+deb10u1+15.4-5~deb10u1. Despite testing that version on various
arm64 platforms before release, *after* the 10.10 point release we
found that version can also crash and fail to boot in some
circumstances. I think that's your problem here. :-(
When we found that problem, as an immediate workaround I released a
newer shim-signed package into the buster-updates repo which solves
it: version 1.36~1+deb10u2+15.4-5~deb10u1 (note the
deb10u1->deb10u2). I can see that your system is showing
buster-updates in its list of package sources, so I'm very confused as
to what's happened there and why your system did not pick up the later
version. Argh!
--
Steve McIntyre, Cambridge, UK. steve@einval.com
“Why do people find DNS so difficult? It’s just cache invalidation and
naming things.”
-- Jeff Waugh (https://twitter.com/jdub)
Added tag(s) bullseye-ignore.
Request was from Paul Gevers <elbrus@debian.org>
to control@bugs.debian.org.
(Sun, 01 Aug 2021 14:15:10 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian EFI Team <debian-efi@lists.debian.org>: Bug#991478; Package shim-signed.
(Tue, 10 Aug 2021 18:24:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian EFI Team <debian-efi@lists.debian.org>.
(Tue, 10 Aug 2021 18:24:02 GMT) (full text, mbox, link).
Hi,
On Sun, 25 Jul 2021 16:52:27 +0100 Steve McIntyre <steve@einval.com> wrote:
> When we found that problem, as an immediate workaround I released a
> newer shim-signed package into the buster-updates repo which solves
> it: version 1.36~1+deb10u2+15.4-5~deb10u1 (note the
> deb10u1->deb10u2). I can see that your system is showing
> buster-updates in its list of package sources, so I'm very confused as
> to what's happened there and why your system did not pick up the later
> version. Argh!
I learned yesterday that people that use APT pinning or
APT::Default-Release may be missing out -updates if they pin to buster
only. See the latest entry to the release notes [1, last paragraph] to
cover the issue for bullseye-security. I'm obviously not sure if that
happened here, but if the issue is the same on ci.d.n infrastructure, it
would explain the failure there (the logs from yesterday there mention
"Setting up shim-signed:arm64 (1.36~1+deb10u1+15.4-5~deb10u1)").
Paul
[1]
https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#security-archive
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian EFI Team <debian-efi@lists.debian.org>: Bug#991478; Package shim-signed.
(Wed, 11 Aug 2021 17:42:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Roman Mamedov <rm@romanrm.net>:
Extra info received and forwarded to list. Copy sent to Debian EFI Team <debian-efi@lists.debian.org>.
(Wed, 11 Aug 2021 17:42:02 GMT) (full text, mbox, link).
Subject: Re: Bug#991478: [shim-signed] RFE: do not brick users' systems in
the stable distribution
Date: Wed, 11 Aug 2021 22:38:42 +0500
On Tue, 10 Aug 2021 20:20:23 +0200
Paul Gevers <elbrus@debian.org> wrote:
> I learned yesterday that people that use APT pinning or
> APT::Default-Release may be missing out -updates if they pin to buster
> only. See the latest entry to the release notes [1, last paragraph] to
> cover the issue for bullseye-security. I'm obviously not sure if that
> happened here, but if the issue is the same on ci.d.n infrastructure, it
> would explain the failure there (the logs from yesterday there mention
> "Setting up shim-signed:arm64 (1.36~1+deb10u1+15.4-5~deb10u1)").
I have regained access to some cloud instances with that setup today.
Created them from an older backup, and I see that I do have in my apt.conf:
APT::Default-Release "buster";
APT::Install-Recommends "false";
And:
# apt-cache policy shim-signed
shim-signed:
  Installed: 1.33+15+1533136590.3beb971-7
  Candidate: 1.36~1+deb10u1+15.4-5~deb10u1
  Version table:
     1.36~1+deb10u2+15.4-5~deb10u1 500
        500 https://deb.debian.org/debian buster-updates/main arm64 Packages
     1.36~1+deb10u1+15.4-5~deb10u1 990
        990 https://deb.debian.org/debian buster/main arm64 Packages
 *** 1.33+15+1533136590.3beb971-7 100
        100 /var/lib/dpkg/status
Indeed the "Candidate" to be installed is what is supposedly the broken
version.
After changing the config line to
APT::Default-Release "/^buster(|-security|-updates)$/";
the updated version is selected correctly.
It does not feel great to now have a version selection with such dire
consequences to rely on "the undocumented feature of APT".
(So I just chose to "aptitude hold" the old one for now instead).
> [1]
> https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#security-archive
It appears they meant "-updates" there, instead of typoed "-upgrades" in their
suggested config line, unless I'm missing something.
--
With respect,
Roman
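The pinning effect described in the two messages above, as an added example (not part of the thread and not APT's own code): it parses the `apt-cache policy` output quoted in the message and reports newer versions that lose to the candidate only on pin priority, then checks which `APT::Default-Release` values cover their suite. The function names are hypothetical, and the matching rule is a simplified model (literal suite name or `/regex/`) that assumes apt prints the version table newest first.

```python
import re

# Sample input: the `apt-cache policy shim-signed` output quoted in the thread.
POLICY_OUTPUT = """\
shim-signed:
  Installed: 1.33+15+1533136590.3beb971-7
  Candidate: 1.36~1+deb10u1+15.4-5~deb10u1
  Version table:
     1.36~1+deb10u2+15.4-5~deb10u1 500
        500 https://deb.debian.org/debian buster-updates/main arm64 Packages
     1.36~1+deb10u1+15.4-5~deb10u1 990
        990 https://deb.debian.org/debian buster/main arm64 Packages
 *** 1.33+15+1533136590.3beb971-7 100
        100 /var/lib/dpkg/status
"""


def parse_policy(text):
    """Parse `apt-cache policy <pkg>` output into candidate and version table."""
    policy = {"installed": None, "candidate": None, "versions": []}
    for line in text.splitlines():
        tokens = line.replace("***", " ").split()
        if not tokens:
            continue
        if tokens[0] in ("Installed:", "Candidate:") and len(tokens) > 1:
            policy[tokens[0][:-1].lower()] = tokens[1]
        elif len(tokens) == 2 and tokens[1].isdigit():
            # Version line: "<version> <pin priority>"
            policy["versions"].append(
                {"version": tokens[0], "priority": int(tokens[1]), "suites": []})
        elif tokens[0].isdigit() and len(tokens) >= 3 and policy["versions"]:
            # Source line: "<prio> <url> <suite>/<component> <arch> Packages"
            policy["versions"][-1]["suites"].append(tokens[2].split("/")[0])
    return policy


def shadowed_newer_versions(policy):
    """Entries listed above the candidate (assumed newer, table is newest
    first) whose pin priority is lower than the candidate's."""
    cand_prio = next((v["priority"] for v in policy["versions"]
                      if v["version"] == policy["candidate"]), None)
    shadowed = []
    for entry in policy["versions"]:
        if entry["version"] == policy["candidate"]:
            break
        if cand_prio is not None and entry["priority"] < cand_prio:
            shadowed.append(entry)
    return shadowed


def default_release_matches(setting, suite):
    """Simplified model: a value wrapped in slashes is a regular expression,
    anything else must equal the suite name exactly."""
    if len(setting) > 1 and setting.startswith("/") and setting.endswith("/"):
        return re.search(setting[1:-1], suite) is not None
    return setting == suite


def uncovered_updates(policy_text, default_release):
    """(version, suite) pairs that are newer than the candidate but live in
    a suite the given APT::Default-Release value does not raise to 990."""
    findings = []
    for entry in shadowed_newer_versions(parse_policy(policy_text)):
        for suite in entry["suites"]:
            if not default_release_matches(default_release, suite):
                findings.append((entry["version"], suite))
    return findings


if __name__ == "__main__":
    for setting in ("buster", "/^buster(|-security|-updates)$/"):
        missed = uncovered_updates(POLICY_OUTPUT, setting)
        print(f'APT::Default-Release "{setting}":')
        for version, suite in missed:
            print(f"  held back: {version} from {suite}")
        if not missed:
            print("  all newer versions are in covered suites")
```
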
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian EFI Team <debian-efi@lists.debian.org>: Bug#991478; Package shim-signed.
(Wed, 11 Aug 2021 19:48:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Paul Gevers <elbrus@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian EFI Team <debian-efi@lists.debian.org>.
(Wed, 11 Aug 2021 19:48:02 GMT) (full text, mbox, link).
Hi Roman,
On 11-08-2021 19:38, Roman Mamedov wrote:
> It does not feel great to now have a version selection with such dire
> consequences to rely on "the undocumented feature of APT".
The suggestion was from one of the maintainers of APT, so I think we can
trust the feature to be properly supported. To be more correct, similar
support is documented in apt_preferences, just not in the context of
Default-Release.
> It appears they meant "-updates" there, instead of typoed "-upgrades" in their
> suggested config line, unless I'm missing something.
Thanks for this. It was indeed a very stupid mistake. I fixed it.
Paul
Removed tag(s) bullseye-ignore.
Request was from Paul Gevers <elbrus@debian.org>
to control@bugs.debian.org.
(Sat, 14 Aug 2021 17:57:17 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian EFI Team <debian-efi@lists.debian.org>: Bug#991478; Package shim-signed.
(Thu, 21 Jul 2022 08:33:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian EFI Team <debian-efi@lists.debian.org>.
(Thu, 21 Jul 2022 08:33:05 GMT) (full text, mbox, link).
Cc: Steve McIntyre <steve@einval.com>, 991478@bugs.debian.org
Subject: Re: Bug#991478: shim-signed in buster fails to boot on Oracle Cloud
arm64 with fatal crash in TianoCore
Date: Thu, 21 Jul 2022 09:31:02 +0100
Control: retitle -1 shim-signed in buster fails to boot on Oracle Cloud arm64 with fatal crash in TianoCore
Control: found -1 1.36~1+deb10u1
Control: found -1 1.36~1+deb10u1+15.4-5~deb10u1
Control: notfound -1 1.33
Control: notfound -1 1.33+15+1533136590.3beb971-7
Control: tags -1 + moreinfo
On Sun, 25 Jul 2021 at 16:52:27 +0100, Steve McIntyre wrote:
> In your next mail, I can see your log shows shim-signed version
> 1.36~1+deb10u1+15.4-5~deb10u1. Despite testing that version on various
> arm64 platforms before release, *after* the 10.10 point release we
> found that version can also crash and fail to boot in some
> circumstances. I think that's your problem here. :-(
>
> When we found that problem, as an immediate workaround I released a
> newer shim-signed package into the buster-updates repo which solves
> it: version 1.36~1+deb10u2+15.4-5~deb10u1 (note the
> deb10u1->deb10u2).
I noticed that this is still showing up on the list of release-critical
bugs, despite subsequent updates; and the bug tracking system thinks it
applies to Debian 11 'bullseye' and to testing/unstable, although the
report seems to be specific to Debian 10 'buster'.
If the crash Steve mentioned is the same one described in #990082
and #990190, then it should be fixed in version 1.37 and up, which
were included in later point releases of buster (currently version
1.38~1+deb10u1) and also included in the bullseye stable release
(currently version 1.38). Please could you confirm whether these newer
versions can boot on Oracle Cloud machines?
Thanks,
smcv
Changed Bug title to 'shim-signed in buster fails to boot on Oracle Cloud arm64 with fatal crash in TianoCore' from '[shim-signed] RFE: do not brick users' systems in the stable distribution'.
Request was from Simon McVittie <smcv@debian.org>
to 991478-submit@bugs.debian.org.
(Thu, 21 Jul 2022 08:33:05 GMT) (full text, mbox, link).
Marked as found in versions 1.36~1+deb10u1.
Request was from Simon McVittie <smcv@debian.org>
to 991478-submit@bugs.debian.org.
(Thu, 21 Jul 2022 08:33:05 GMT) (full text, mbox, link).
Marked as found in versions shim-signed/1.36~1+deb10u1.
Request was from Simon McVittie <smcv@debian.org>
to 991478-submit@bugs.debian.org.
(Thu, 21 Jul 2022 08:33:06 GMT) (full text, mbox, link).
Added tag(s) moreinfo.
Request was from Simon McVittie <smcv@debian.org>
to 991478-submit@bugs.debian.org.
(Thu, 21 Jul 2022 08:33:06 GMT) (full text, mbox, link).
Reply sent
to Steve McIntyre <93sam@debian.org>:
You have taken responsibility.
(Thu, 09 Mar 2023 01:21:08 GMT) (full text, mbox, link).
Notification sent
to Roman Mamedov <rm@romanrm.net>:
Bug acknowledged by developer.
(Thu, 09 Mar 2023 01:21:09 GMT) (full text, mbox, link).
Source: shim-signed
Source-Version: 1.39
Done: Steve McIntyre <93sam@debian.org>
We believe that the bug you reported is fixed in the latest version of
shim-signed, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 991478@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steve McIntyre <93sam@debian.org> (supplier of updated shim-signed package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 09 Mar 2023 00:58:53 +0000
Source: shim-signed
Architecture: source
Version: 1.39
Distribution: unstable
Urgency: medium
Maintainer: Debian EFI Team <debian-efi@lists.debian.org>
Changed-By: Steve McIntyre <93sam@debian.org>
Closes: 991478 992073 995940 1008942 1016280 1026415
Changes:
shim-signed (1.39) unstable; urgency=medium
.
* Build against new signed binaries corresponding to 15.7-1
+ This syncs up build-deps again. Closes: #1016280
+ We now have arm64 signed shims again \o/
Undo the hacky unsigned arm64 build
Closes: #1008942, #992073, #991478
Pulls multiple other bugfixes in for the signed version:
+ Make sbat_var.S parse right with buggy gcc/binutils
+ Enable NX support at build time, as required by policy for signing
new shim binaries.
+ Fixes argument handling bug with some firmware implementations.
Closes: #995940
* Update build-dep on shim-unsigned to use 15.7-1
* Block Debian grub binaries with sbat < 4 (see #1024617)
+ Update Depends on grub2-common to match.
* postinst/postrm: make config_item() more robust
* Add pt_BR translation, thanks to Paulo Henrique de Lima
Santana. Closes: #1026415
* Tweak dependencies
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 06 Apr 2023 07:27:18 GMT) (full text, mbox, link).