Hi folks, In testing of the 10.10. point release over the weekend, we found a significant problem with shim-signed on arm64.
In pre-release testing I found problems with shim on signed versions of shim on arm64. The shim binary crashes very early (Synchronous Exception). Because of that problem, I took the hard decision to disable Secure Boot support for arm64 in Debian Buster until a solution could be found: https://wiki.debian.org/SecureBoot#arm64_problems In testing a new build to go into Buster, I found that non-signed versions were working fine on various machines. Unfortunately, it seems that the boot issues might be affected by environment. Trying the same binary build on Saturday as part of the 10.10 point release, booting an installer image crashes repeatably in a VM. It also seems that at least one of Debian's own arm64 hosts has been similarly affected. :-( Arm64 users are **strongly** advised to be careful about upgrading to the latest Buster point release (10.10). If upgrading immediately, it is recommended to disable remove shim-signed and reinstall GRUB on those systems to ensure that they will continue to boot: # apt-get remove shim-signed # dpkg --reconfigure grub-efi-amd64 and disable Secure Boot in their system firmware if it's enabled. I'm working on a more user-friendly fix now, and I hope to push it out via the buster-updates archive shortly. This will still not be *working* Secure Boot for arm64, as we're still awaiting better toolchain support to make that work. -- Steve McIntyre, Cambridge, UK. [email protected] "...In the UNIX world, people tend to interpret `non-technical user' as meaning someone who's only ever written one device driver." -- Daniel Pead
