
Bug#992073: marked as done (shim-signed: restore arm64 support)



Your message dated Thu, 09 Mar 2023 01:19:17 +0000
with message-id <E1pa4w9-004Uux-Eq@fasolo.debian.org>
and subject line Bug#992073: fixed in shim-signed 1.39
has caused the Debian Bug report #992073,
regarding shim-signed: restore arm64 support
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
992073: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992073
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: shim-signed
Version: 1.38+15.4-7
Severity: normal
X-Debbugs-CC: debian-ci@lists.debian.org

Hi,

Thanks for your work on shim-signed.

I have read both the package changelog and the NEWS file, and I
understand the reason for dropping the signed shim support for arm64.
I'm opening this bug to have a user-visible tracking of this issue.

Quoting NEWS for the benefit of others who find this bug:

    shim-signed (1.34) unstable; urgency=medium

      Debian no longer supports UEFI Secure Boot on arm64 systems

      Shim and other EFI programs have always been difficult to build on
      arm64, compared to x86 platforms. Binutils for amd64 and i386
      includes explicit support for creating programs in the PE/COFF
      binary format that EFI uses, but this has never been added for
      arm64.

      In the past, shim developers added some local hacks into the shim
      package to generate a *mostly*-compliant PE/COFF EFI binary without
      this toolchain support, and that seemed to be sufficient for
      use. Everything seemed to work. *However*, during the development
      and testing phase of shim 15.3 and 15.4, we found significant
      issues with this approach. New security features needed in shim
      (SBAT) showed up severe problems with the lack of proper toolchain
      support. See https://github.com/rhboot/shim/issues/366 for more
      details. The old hacks around binutils are no longer sustainable.

      Statistics tell us that very few people have attempted to use arm64
      Secure Boot with Debian so far. In the interests of releasing needed
      updates in a timely manner, we have decided *for the time being* to
      disable signed shim support for Debian arm64.

      We hope to re-introduce arm64 Secure Boot support as soon as
      possible in the future.

As a data point, the Huawei cloud infra where ci.debian.net runs arm64
workers (for arm*) does use Secure Boot on arm64, and applying security
updates broke our machines there.



--- End Message ---
--- Begin Message ---
Source: shim-signed
Source-Version: 1.39
Done: Steve McIntyre <93sam@debian.org>

We believe that the bug you reported is fixed in the latest version of
shim-signed, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992073@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve McIntyre <93sam@debian.org> (supplier of updated shim-signed package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 09 Mar 2023 00:58:53 +0000
Source: shim-signed
Architecture: source
Version: 1.39
Distribution: unstable
Urgency: medium
Maintainer: Debian EFI Team <debian-efi@lists.debian.org>
Changed-By: Steve McIntyre <93sam@debian.org>
Closes: 991478 992073 995940 1008942 1016280 1026415
Changes:
 shim-signed (1.39) unstable; urgency=medium
 .
   * Build against new signed binaries corresponding to 15.7-1
     + This syncs up build-deps again. Closes: #1016280
     + We now have arm64 signed shims again \o/
       Undo the hacky unsigned arm64 build
       Closes: #1008942, #992073, #991478
     Pulls multiple other bugfixes in for the signed version:
     + Make sbat_var.S parse right with buggy gcc/binutils
     + Enable NX support at build time, as required by policy for signing
       new shim binaries.
     + Fixes argument handling bug with some firmware implementations.
       Closes: #995940
   * Update build-dep on shim-unsigned to use 15.7-1
   * Block Debian grub binaries with sbat < 4 (see #1024617)
     + Update Depends on grub2-common to match.
   * postinst/postrm: make config_item() more robust
   * Add pt_BR translation, thanks to Paulo Henrique de Lima
     Santana. Closes: #1026415
   * Tweak dependencies
Checksums-Sha1:
 085f9aac0b4793b4427c28f400ad754d2428dbb2 1808 shim-signed_1.39.dsc
 55f4e78d1a3445dd8a8cbd6f469a099834cdd263 812660 shim-signed_1.39.tar.xz
 f2debc4b26a859222cfc4d901026e00b77a1bfb4 6087 shim-signed_1.39_source.buildinfo
Checksums-Sha256:
 737689a5b0f6479927c7e3edc06b065d06bb3a8526a8b9e03c094958af481b65 1808 shim-signed_1.39.dsc
 76a2b37953f7b91c69431ab8e9725643fd28b857573b1fff8264fb87e20b08bd 812660 shim-signed_1.39.tar.xz
 c312757d6c85f2d63007b9941550077eac38eab94a444b5989fd415dfe022936 6087 shim-signed_1.39_source.buildinfo
Files:
 41d437266aac919570597c981376deee 1808 utils optional shim-signed_1.39.dsc
 b0e69c929eb30472f402acb816c641f3 812660 utils optional shim-signed_1.39.tar.xz
 7bbb60b12068ac624c3470d689456f27 6087 utils optional shim-signed_1.39_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
