Package: shim-signed Version: 1.44~1+deb12u1+15.8-1~deb12u1 Severity: normal
Dear Maintainer, *** Reporter, please consider answering these questions, where appropriate *** * What led up to the situation? Since about 2 years i run my amd64 debian/bookworm with secureboot enabled. Some time ago my PC could not boot anymore as the secureboot let not start shimx64.efi anymore from by debian entry in UEFI. * What exactly did you do (or not do) that was effective (or ineffective)? I disabled secureboot in my UEFI and it booted again. For about three month i didnt care too much. Now i read about the bootkit.efi and i wanted to reenable it. Checked the sha1sums from the installed efi binaries in /boot/EFI/EFI/debian sha1sum /boot/EFI/EFI/debian/shimx64.efi 3dd4abb9f7af061c1a7916f9c31f9e5d0be5558a /boot/EFI/EFI/debian/shimx64.efi This were the sha1sums from the installed shim-signed sha1sum /usr/lib/shim/shimx64.efi* b3ad049321cfbafe24ad16ba26cd38693ac4a34c /usr/lib/shim/shimx64.efi 52f4735800ff01fb526a23e309a3bf3bf0d9b7b4 /usr/lib/shim/shimx64.efi.signed At this stage i run grub-install (as root) and /boot/EFI/EFI/debian/shimx64.efi had the same sha1sum as /usr/lib/shim/shimx64.efi.signed * What was the outcome of this action? Booted again. Now my question is: Is it intended that the efi binaries in /boot/EFI/EFI/debian/ are not updated? Is this a bug or a feature? If there is an update from shim-signed do i need to run grub-install manually or should it update by the upgrade process? -- System Information: Debian Release: 12.8 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'proposed-updates'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 6.1.0-28-amd64 (SMP w/16 CPU threads; PREEMPT) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages shim-signed depends on: ii grub-efi-amd64-bin 2.06-13+deb12u1 ii grub2-common 2.06-13+deb12u1 ii shim-helpers-amd64-signed 1+15.8+1~deb12u1 ii shim-signed-common 1.44~1+deb12u1+15.8-1~deb12u1 shim-signed recommends no packages. shim-signed suggests no packages. -- debconf information: shim/enable_secureboot: false shim/title/secureboot: shim/error/bad_secureboot_key: shim/error/secureboot_key_mismatch: * shim/secureboot_explanation: * shim/disable_secureboot: false