Hi Georg, On Fri, Nov 29, 2024 at 05:51:43PM +0100, Georg Gast wrote: >Package: shim-signed >Version: 1.44~1+deb12u1+15.8-1~deb12u1 >Severity: normal > >Dear Maintainer, > >*** Reporter, please consider answering these questions, where appropriate *** > > * What led up to the situation? >Since about 2 years i run my amd64 debian/bookworm with secureboot enabled. >Some time ago my PC could not boot anymore as the secureboot let not start >shimx64.efi anymore from by debian entry in UEFI. > > * What exactly did you do (or not do) that was effective (or > ineffective)? >I disabled secureboot in my UEFI and it booted again. For about three month i >didnt care too much. Now i read about the bootkit.efi and i wanted to reenable >it. >Checked the sha1sums from the installed efi binaries in /boot/EFI/EFI/debian > >sha1sum /boot/EFI/EFI/debian/shimx64.efi >3dd4abb9f7af061c1a7916f9c31f9e5d0be5558a /boot/EFI/EFI/debian/shimx64.efi > >This were the sha1sums from the installed shim-signed >sha1sum /usr/lib/shim/shimx64.efi* >b3ad049321cfbafe24ad16ba26cd38693ac4a34c /usr/lib/shim/shimx64.efi >52f4735800ff01fb526a23e309a3bf3bf0d9b7b4 /usr/lib/shim/shimx64.efi.signed > >At this stage i run grub-install (as root) and /boot/EFI/EFI/debian/shimx64.efi >had the same sha1sum as /usr/lib/shim/shimx64.efi.signed > > * What was the outcome of this action? >Booted again. > >Now my question is: Is it intended that the efi binaries in >/boot/EFI/EFI/debian/ are not updated? Is this a bug or a feature? If there is >an update from shim-signed do i need to run grub-install manually or should it >update by the upgrade process?
This should all work automatically for you, assuming you have appropriate packages installed. Could you please run the following and show us the output? $ dpkg -l 'grub*' 'shim*' -- Steve McIntyre, Cambridge, UK. st...@einval.com We don't need no education. We don't need no thought control.
