Hi Roman,

On Sun, Jul 25, 2021 at 04:01:23PM +0500, Roman Mamedov wrote:
>Package: shim-signed
>Severity: grave
>
>Starting from 1.34~1+deb10u1 and its corresponding "***WARNING***", now the
>arm64 shim "is no longer signed".
>
>As a result, after a mundane package upgrade and a reboot, all of my remote
>arm64 machines do not boot anymore. I was not aware that the cloud provider
>actually uses this "secure boot", else I'd pay more attention to that
>"WARNING".

Which provider is using secure boot on arm64 at this point? I've not
heard of any. Can you share details of package versions etc. for that
please?

>In any case, relying on the user reading upgrade notes, and then to scramble
>rolling back the upgrade and holding the affected package ASAP, else the
>system is bricked, is not a responsible package policy.
>
>I would humbly suggest that you kept the latest signed version frozen at least
>in "buster" with no further updates, until the signing issue is resolved. Or
>as of now, release another update with the signed version in place.

Sorry, but that's not an option - the older version of shim left
multiple high-security issues open, allowing people to easily break
into a Secure Boot setup.

--
Steve McIntyre, Cambridge, UK. st...@einval.com
'There is some grim amusement in watching Pence try to run the typical
"politician in the middle of a natural disaster" playbook, however
incompetently, while Trump scribbles all over it in crayon and eats some
of the pages.' -- Russ Allbery