Package: shim-signed
Version: 1.44~1+deb12u1+15.8-1~deb12u1
Severity: normal
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation?
Since about 2 years i run my amd64 debian/bookworm with secureboot enabled.
Some time ago my PC could not boot anymore as the secureboot let not start
shimx64.efi anymore from by debian entry in UEFI.
* What exactly did you do (or not do) that was effective (or
ineffective)?
I disabled secureboot in my UEFI and it booted again. For about three month i
didnt care too much. Now i read about the bootkit.efi and i wanted to reenable
it.
Checked the sha1sums from the installed efi binaries in /boot/EFI/EFI/debian
sha1sum /boot/EFI/EFI/debian/shimx64.efi
3dd4abb9f7af061c1a7916f9c31f9e5d0be5558a /boot/EFI/EFI/debian/shimx64.efi
This were the sha1sums from the installed shim-signed
sha1sum /usr/lib/shim/shimx64.efi*
b3ad049321cfbafe24ad16ba26cd38693ac4a34c /usr/lib/shim/shimx64.efi
52f4735800ff01fb526a23e309a3bf3bf0d9b7b4 /usr/lib/shim/shimx64.efi.signed
At this stage i run grub-install (as root) and /boot/EFI/EFI/debian/shimx64.efi
had the same sha1sum as /usr/lib/shim/shimx64.efi.signed
* What was the outcome of this action?
Booted again.
Now my question is: Is it intended that the efi binaries in
/boot/EFI/EFI/debian/ are not updated? Is this a bug or a feature? If there is
an update from shim-signed do i need to run grub-install manually or should it
update by the upgrade process?
-- System Information:
Debian Release: 12.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'stable-debug'), (500, 'proposed-updates-debug'), (500, 'proposed-updates'),
(500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.1.0-28-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages shim-signed depends on:
ii grub-efi-amd64-bin 2.06-13+deb12u1
ii grub2-common 2.06-13+deb12u1
ii shim-helpers-amd64-signed 1+15.8+1~deb12u1
ii shim-signed-common 1.44~1+deb12u1+15.8-1~deb12u1
shim-signed recommends no packages.
shim-signed suggests no packages.
-- debconf information:
shim/enable_secureboot: false
shim/title/secureboot:
shim/error/bad_secureboot_key:
shim/error/secureboot_key_mismatch:
* shim/secureboot_explanation:
* shim/disable_secureboot: false
