Package: shim-signed
Version: 1.44~1+deb12u1+15.8-1~deb12u1
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
For about 2 years I have run my amd64 Debian/bookworm with secureboot enabled.
Some time ago my PC could not boot anymore, as secureboot would not let
shimx64.efi start anymore from my Debian entry in UEFI.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?
I disabled secureboot in my UEFI and it booted again. For about three months I
didn't care too much. Now I read about the bootkit.efi and I wanted to re-enable
it.
I checked the sha1sums of the installed EFI binaries in /boot/EFI/EFI/debian:

sha1sum /boot/EFI/EFI/debian/shimx64.efi
3dd4abb9f7af061c1a7916f9c31f9e5d0be5558a  /boot/EFI/EFI/debian/shimx64.efi

These were the sha1sums from the installed shim-signed:
sha1sum /usr/lib/shim/shimx64.efi*
b3ad049321cfbafe24ad16ba26cd38693ac4a34c  /usr/lib/shim/shimx64.efi
52f4735800ff01fb526a23e309a3bf3bf0d9b7b4  /usr/lib/shim/shimx64.efi.signed

At this stage I ran grub-install (as root) and /boot/EFI/EFI/debian/shimx64.efi
had the same sha1sum as /usr/lib/shim/shimx64.efi.signed.

   * What was the outcome of this action?
Booted again.

Now my question is: Is it intended that the EFI binaries in
/boot/EFI/EFI/debian/ are not updated? Is this a bug or a feature? If there is
an update of shim-signed, do I need to run grub-install manually, or should it
be updated by the upgrade process?


-- System Information:
Debian Release: 12.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-28-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shim-signed depends on:
ii  grub-efi-amd64-bin         2.06-13+deb12u1
ii  grub2-common               2.06-13+deb12u1
ii  shim-helpers-amd64-signed  1+15.8+1~deb12u1
ii  shim-signed-common         1.44~1+deb12u1+15.8-1~deb12u1

shim-signed recommends no packages.

shim-signed suggests no packages.

-- debconf information:
  shim/enable_secureboot: false
  shim/title/secureboot:
  shim/error/bad_secureboot_key:
  shim/error/secureboot_key_mismatch:
* shim/secureboot_explanation:
* shim/disable_secureboot: false
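
An added example, not part of the report or of Debian's packaging: a POSIX shell check for the situation described above, where the shim on the EFI system partition no longer matches the signed shim shipped by the installed shim-signed package. The default paths are the ones from the report; the function names and the --check switch are assumptions of this example, and it compares SHA-256 digests instead of the SHA-1 sums used in the report.

```shell
#!/bin/sh
# Added example: detect a stale shim on the EFI system partition (ESP).
# Default paths are taken from the report; the ESP mount point differs per system.
ESP_SHIM_DEFAULT=/boot/EFI/EFI/debian/shimx64.efi
PKG_SHIM_DEFAULT=/usr/lib/shim/shimx64.efi.signed

# file_digest FILE: print the SHA-256 hex digest, fail if FILE is unreadable.
file_digest() {
    [ -r "$1" ] || return 1
    sha256sum < "$1" | cut -d' ' -f1
}

# shim_status [ESP_COPY [PACKAGED_COPY]]
# Prints exactly one word and returns a matching exit code:
#   current (0)      ESP copy is byte-identical to the packaged signed shim
#   stale (1)        ESP copy differs, e.g. the package was upgraded but the
#                    ESP was not refreshed
#   missing-esp (2)  no readable shim at the ESP path (wrong mount point?)
#   missing-pkg (3)  packaged signed shim not readable (package not installed?)
shim_status() {
    esp=${1:-$ESP_SHIM_DEFAULT}
    pkg=${2:-$PKG_SHIM_DEFAULT}
    pkg_sum=$(file_digest "$pkg") || { echo missing-pkg; return 3; }
    esp_sum=$(file_digest "$esp") || { echo missing-esp; return 2; }
    if [ "$esp_sum" = "$pkg_sum" ]; then
        echo current
        return 0
    fi
    echo stale
    return 1
}

# Run the check only when the script is invoked with --check, so that
# sourcing the file just defines the functions.
if [ "${1:-}" = "--check" ]; then
    shim_status "${2:-}" "${3:-}"
fi
```

A "stale" result corresponds to the state the reporter found before running grub-install; the exit code makes the check usable from a cron job or a post-upgrade hook.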
