On Tue, Jun 22, 2021 at 11:47:22AM +0200, Ayke Halder wrote: >> On Mon, Jun 21, 2021 at 09:00:15PM +0200, Ayke Halder wrote: >> > Package: shim-signed-common >> > Version: 1.33+15+1533136590.3beb971-7 >> > Severity: critical >> > Justification: breaks the whole system >> > >> > Dear Maintainer, >> > >> > ## What led up to the situation? >> > >> > Upgrade: >> > >> > * shim-signed:amd64 (1.33+15+1533136590.3beb971-7, >> > 1.36~1+deb10u1+15.4-5~deb10u1) >> > * shim-signed-common:amd64 (1.33+15+1533136590.3beb971-7, >> > 1.36~1+deb10u1+15.4-5~deb10u1) >> > >> > System: Dell T5600 with BIOS Revision A19 >> > >> > >> > ## What was the outcome of this action? >> > >> > System is unbootable on booting via UEFI. System shows error message and >> > then >> > powers off immediately: >> > >> > "Could not create MokListXRT: Out of Resources >> > Something has gone seriously wrong: import_mok_state() failed: Out of >> > Resources" >> > >> > >> > ## What outcome did you expect instead? >> > >> > A normal booting system loading GRUB. >> > >> > >> > ## Also reproducible with Debian Live-Installations-Image >> > >> > On affected hardware like "Dell T5600" doing a UEFI boot from USB with … >> > >> > * debian-live-10.10.0-amd64-standard.iso does *not* work. >> > * debian-live-10.9.0-amd64-standard.iso works. >> > >> > >> > ## Related resources >> > >> > Might be related to: >> > >> > * https://bugzilla.suse.com/show_bug.cgi?id=1185261 >> Yes, it looks like exactly the same problem. :-( >> >> Several of the shim maintainers in various distributions are now >> seeing reports like this. It seems that lots of machines are short of >> space to store the new MokListXRT variable. Since the buster update >> this weekend, yours is the second problem report I've seen. >> >> Ubuntu have a patch to disable the variable mirroring here. I was not >> expecting we'd need it, but it looks like I was wrong. >> >> In terms of making your system boot, I'd suggest temporarily one of: >> >> * switch back to an older shim-signed package >> * disable Secure Boot and remove shim-signed >> > >I switched back to an older package of shim-signed and shim-signed-common.
ACK, that's the best thing for now. >One caveat: >I could not get the older package version via the official package repository >anymore. Luckily I still had a copy of the old package in a local repository >mirror. OK. There's one thing I possibly should have mentioned here, then! https://snapshot.debian.org/ carries ~all the packages that are ever uploaded to Debian, so you should almost always be able to find older packages there. I use it quite frequently as a developer, but I guess it's not so well know amongst users! -- Steve McIntyre, Cambridge, UK. st...@einval.com "I suspect most samba developers are already technically insane... Of course, since many of them are Australians, you can't tell." -- Linus Torvalds
