Package: shim-signed
Version: 1.38+15.4-7
Severity: important

Dear Maintainer,

First of all, I am not exactly sure `shim-signed` is the correct package to report this bug for, but it still seems the most appropriate. Please do correct it if I am actually wrong.

I currently have this weird problem where my computer initiates the boot process correctly, but right after the BIOS starts loading my Debian installation, shim prints quite the amount of messages, then GRUB is called as per usual and the rest carries on normally, except that no unsigned and registered kernel modules may be loaded: SecureBoot forbids it. The details of these messages are available as pictures [here](https://imgur.com/a/9cBQL6M) -- I couldn't copy-paste by definition, sorry if it is hard to read. From what I can see among these logs, I can't really spot any error messages, except for `LibDeleteVariable("MokSBStateRT", ...) => Not Found` (images 5 and 6).

I am running Debian using a Dell XPS 9560, with UEFI and SecureBoot activated in the BIOS setup.

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.14.0-4-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shim-signed depends on:
ii  grub-efi-amd64-bin         2.04-20
ii  grub2-common               2.04-20
ii  shim-helpers-amd64-signed  1+15.4+7
ii  shim-signed-common         1.38+15.4-7

Versions of packages shim-signed recommends:
pn  secureboot-db  <none>

shim-signed suggests no packages.

-- no debconf information

The problem started to occur a few months ago already, when I was still under Buster but couldn't find much time to investigate this, so I am not sure exactly when it arose. I remember however seeing an update of shim in the APT logs around that time, which is consistent with the release of 1.34 I think I indeed saw in said logs.
Before that, things worked well: I was able to generate certificates, register them with `mokutil` and sign the modules with them. The modules ran fine and no messages were printed at startup before GRUB. But when the bug appeared, suddenly both `mokutil` and `efibootmgr` reported `MokList` and `MokListRT` as empty while the messages at boot printed some very long dumps of certificates as if present in the `MokListRT`: it seems as if the problem deleted some variables which removed the certificates and thus the modules couldn't be loaded. Trying to register the certificates again resulted in the same: after rebooting and completing the registration process, all lists appeared empty again.

One of the first things I remember trying was to roll back to an old version prior to 1.34, but as debs didn't exist anymore and I couldn't find them anywhere, it was not possible to try this easily, except for downloading the 1.33 version of the signed files directly from Salsa and replacing them in the file system. That did not work, but I will have to try again as things have changed since then. I tried fiddling around with versions as such for some time, including going forward to 1.38, but nothing worked. The recent upgrades to Bullseye and Bookworm didn't change anything either.

I then tried to re-install some packages linked to this or `dpkg-reconfigure` them, in vain. I also tried to disable SecureBoot in the BIOS setup in order to avoid the problem, but that didn't work either as something during startup seemed to expect it to be activated -- the blue screen MOK dialogs: is there something to do on the Debian side of things as well?

A small step I was able to achieve recently was to discover the generated inconsistency between what EFI tools reported and what the boot messages showed. I searched and found the pseudo-files in `/sys/firmware/efi/mok-variables/` reflecting some system variables such as `MokListRT`.
That one was most definitely not empty and contained the certificates I was seeing dumped during startup. I then ran `mokutil --reset`, rebooted and completed the process in order to force a fresh configuration which helped reduce the length of the logs. The images show the state after that operation. I couldn't do much more than this, however.

I will now include the output of some of the EFI tools, starting with:

* `mokutil --sb-state`: `SecureBoot enabled`
* `mokutil --list-new`: `MokNew is empty`
* `mokutil --list-enrolled`: `MokListRT is empty`
* `mokutil --list-delete`: `MokDel is empty`

Then `efivar -l`:

```
0a602c5b-05a0-40c4-9181-edcd891d0036-SMBIOS_ENTRY_ADDR
8be4df61-93ca-11d2-aa0d-00e098032b8c-BootCurrent
66b36b33-8094-424d-ba45-e876d62c45c1-ePSAVersion
8be4df61-93ca-11d2-aa0d-00e098032b8c-ErrOutDev
8be4df61-93ca-11d2-aa0d-00e098032b8c-BootOptionSupport
8be4df61-93ca-11d2-aa0d-00e098032b8c-PlatformLangCodes
65cbd9d9-ab77-4a61-b288-2763405d588a-BootList
b08f97ff-e6e8-4193-a997-5e9e9b0adb32-CpuSetupVolatileData
8be4df61-93ca-11d2-aa0d-00e098032b8c-ConInDev
972e2031-6ebf-4535-abd6-3654ea409510-Logo_resolutionY
972e2031-6ebf-4535-abd6-3654ea409510-Logo_resolutionX
8be4df61-93ca-11d2-aa0d-00e098032b8c-ConOutDev
8be4df61-93ca-11d2-aa0d-00e098032b8c-dbxDefault
8be4df61-93ca-11d2-aa0d-00e098032b8c-dbDefault
8be4df61-93ca-11d2-aa0d-00e098032b8c-KEKDefault
8be4df61-93ca-11d2-aa0d-00e098032b8c-PKDefault
8be4df61-93ca-11d2-aa0d-00e098032b8c-OsIndicationsSupported
9cb2e73f-7325-40f4-a484-659bb344c3cd-SOFTWAREGUARDSTATUS
972e2031-6ebf-4535-abd6-3654ea409510-AmtWrapperKvmSolFlag
01368881-c4ad-4b1d-b631-d57a8ec8db6b-FPDT_Volatile
0a602c5b-05a0-40c4-9181-edcd891d0003-GNVS_PTR
8be4df61-93ca-11d2-aa0d-00e098032b8c-VendorKeys
8be4df61-93ca-11d2-aa0d-00e098032b8c-SecureBoot
8be4df61-93ca-11d2-aa0d-00e098032b8c-SetupMode
8be4df61-93ca-11d2-aa0d-00e098032b8c-SignatureSupport
e224eaa0-4358-6ac8-3cce-daa44e54f638-DellVar01
90d93e09-4e91-4b3d-8c77-c82ff10e3c81-CpuSmm
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P0
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P4
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P3
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P2
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P1
c54906f9-eb09-4457-a007-4154652fcfa5-LastKnownGoodConfig
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P2F
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P2E
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P2D
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P2C
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P2B
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P2A
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P29
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P28
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P27
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P26
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P25
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P24
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P23
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P22
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P21
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P20
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P1F
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P1E
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P1D
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P1C
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P1B
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P1A
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P19
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P18
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P17
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P16
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P15
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P14
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P13
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P12
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P11
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P10
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1PF
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1PE
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1PD
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1PC
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1PB
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1PA
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P9
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P8
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P7
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P6
01bd3876-1ad6-4e59-b39a-7a0b1bde20ac-V1P5
ba57e015-65b3-4c3c-b274-659192f699e3-BugCheckCode
605dab50-e046-4300-abb6-3dd810dd8b23-SHIM_VERBOSE
ba57e015-65b3-4c3c-b274-659192f699e3-BugCheckParameter1
ba57e015-65b3-4c3c-b274-659192f699e3-BugCheckProgress
8be4df61-93ca-11d2-aa0d-00e098032b8c-BootOrder
8be4df61-93ca-11d2-aa0d-00e098032b8c-Boot0001
a9b5f8d2-cb6d-42c2-bc01-b5ffaae4335e-PBRDevicePath
01368881-c4ad-4b1d-b631-d57a8ec8db6b-DellMonotonicCounter
77fa9abd-0359-4d32-bd60-28f4e78f784b-Kernel_DriverSiStatus
77fa9abd-0359-4d32-bd60-28f4e78f784b-Kernel_ATPSiStatus
77fa9abd-0359-4d32-bd60-28f4e78f784b-Kernel_WinSiStatus
77fa9abd-0359-4d32-bd60-28f4e78f784b-Kernel_SkuSiStatus
77fa9abd-0359-4d32-bd60-28f4e78f784b-Kernel_RvkSiStatus
77fa9abd-0359-4d32-bd60-28f4e78f784b-Kernel_SiStatus
8be4df61-93ca-11d2-aa0d-00e098032b8c-PlatformLang
8be4df61-93ca-11d2-aa0d-00e098032b8c-Boot0000
8be4df61-93ca-11d2-aa0d-00e098032b8c-OsIndications
c54906f9-eb09-4457-a007-4154652fcfa5-UserDefaults
7f3301c7-2405-4765-aa2e-d9ed28aea950-GsetUefiIplDefaultValue
3a21751e-bd32-4825-8754-82a47f01b09b-GsetLegacyIplDefaultValue
1358e20b-0e48-4f06-8ddd-8809b8a74d6c-DDIAG_BHISTORY
eaec226f-c9a3-477a-a826-ddc716cdc0e3-UnlockIDCopy
77fa9abd-0359-4d32-bd60-28f4e78f784b-CurrentPolicy
8be4df61-93ca-11d2-aa0d-00e098032b8c-Timeout
c54906f9-eb09-4457-a007-4154652fcfa5-FactoryDefaults
eaec226f-c9a3-477a-a826-ddc716cdc0e3-OfflineUniqueIDEKPubCRC
eaec226f-c9a3-477a-a826-ddc716cdc0e3-OfflineUniqueIDEKPub
8ebe3d07-3420-4bfa-8c13-3a4e0fae6860-DIAGEEPROM_VAR
a66919d2-6c45-403e-b00a-9bce58e97315-OsType
73dad563-8f27-42af-918f-8651eb0a93ef-Ep
01368881-c4ad-4b1d-b631-d57a8ec8db6b-SataPortNumber
4b3082a3-80c6-4d7e-9cd0-583917265df1-MaximumTableSize
4b3082a3-80c6-4d7e-9cd0-583917265df1-SmbiosScratchBuffer
4b3082a3-80c6-4d7e-9cd0-583917265df1-SmbiosV3EntryPointTable
4b3082a3-80c6-4d7e-9cd0-583917265df1-SmbiosEntryPointTable
5990c250-676b-4ff7-8a0d-529319d0b254-BootFFF6
5990c250-676b-4ff7-8a0d-529319d0b254-BootFFF7
5990c250-676b-4ff7-8a0d-529319d0b254-BootFFF8
5990c250-676b-4ff7-8a0d-529319d0b254-BootFFFB
5990c250-676b-4ff7-8a0d-529319d0b254-BootFFFC
5990c250-676b-4ff7-8a0d-529319d0b254-BootFFFD
5990c250-676b-4ff7-8a0d-529319d0b254-BootFFFE
45cf35f6-0d6e-4d04-856a-0370a5b16f53-DefaultBootOrder
8be4df61-93ca-11d2-aa0d-00e098032b8c-ErrOut
8be4df61-93ca-11d2-aa0d-00e098032b8c-ConIn
8be4df61-93ca-11d2-aa0d-00e098032b8c-ConOut
01368881-c4ad-4b1d-b631-d57a8ec8db6b-AssetTag
01368881-c4ad-4b1d-b631-d57a8ec8db6b-ServiceTag
5432122d-d034-49d2-a6de-65a829eb4c74-MeSetupStorage
2d2edd10-1661-47e3-bdff-581f2a63ec0d-LastModeState
8be4df61-93ca-11d2-aa0d-00e098032b8c-PK
8be4df61-93ca-11d2-aa0d-00e098032b8c-KEK
d719b2cb-3d3a-4596-a3bc-dad00e67656f-db
d719b2cb-3d3a-4596-a3bc-dad00e67656f-dbx
368b3152-563d-4670-8d94-47a9fa8c4c16-BiosGuardRecoveryAddressVariable
4da4f952-2516-4d06-8975-65036403a8c7-RstOptaneConfig
c60aa7f6-e8d6-4956-8ba1-fe26298f5e87-EPCBIOS
ba1d893b-803e-4b26-a3de-585703ff7bd6-TbtHRStatusVar
eda41d22-7729-5b91-b3ee-ba619921cefa-IntUcode
074e1e48-8132-47a1-8c2c-3f14ad9a66dc-AmiEntryS3Addr
01368881-c4ad-4b1d-b631-d57a8ec8db6b-SimpleBootFlag
01368881-c4ad-4b1d-b631-d57a8ec8db6b-SimpleBootFlagBackUp
368b3153-563d-4610-8d94-47a9fa8c4c16-BiosGuardCapsuleVariable
01368881-c4ad-4b1d-b631-d57a8ec8db6b-MonotonicCounter
e20939be-32d4-41be-a150-897f85d49829-MemoryOverwriteRequestControl
bb983ccf-151d-40e1-a07b-4a17be168292-MemoryOverwriteRequestControlLock
```

And finally `efibootmgr -v`:

```
BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 0001,0000
Boot0000* Windows Boot Manager HD(1,GPT,b273f898-e79c-4421-b386-e44cc7f10dd9,0x800,0xfa000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}....................
Boot0001* debian HD(1,GPT,b273f898-e79c-4421-b386-e44cc7f10dd9,0x800,0xfa000)/File(\EFI\debian\shimx64.efi)
```

If it can help, I am using [a tool of mine](https://github.com/PaulDance/sb-utils) in order to automate the process of module signing: please tell me if I did something wrong somewhere that would have broken my system without my knowing.

I think I have included all the useful information now, at least from what I can think of at the moment. I would really like to fix this ongoing problem as I have been carrying it for quite a while now, so please do tell me what to do or tell in order to reach some tangible progress. I will try to be as responsive as I can. Also, my memory is a bit fuzzy about some of the things I tried a few months ago, so don't hesitate to challenge some of my statements ;)

Thanks in advance,
Paul Mabileau.