Package: shim-signed Version: 1.36~1+15.4-5~deb10u1 Severity: grave Argh.
In pre-release testing I found problems with shim on signed versions of shim on arm64. The shim binary crashes very early (Synchronous Exception). Because of that problem, I took the hard decision to disable Secure Boot support for arm64 in Debian Buster until a solution could be found: https://wiki.debian.org/SecureBoot#arm64_problems In testing a new build to go into Buster, I found that non-signed versions were working fine on various machines. Unfortunately, it seems that the boot issues might be affected by environment. Trying the same binary build today as part of the 10.10 point release, booting an installer image crashes repeatably in a VM. It also seems that at least one of Debian's own arm64 hosts has been similarly affected. :-( Arm64 users are **strongly** advised to be careful about upgrading to the latest Buster point release (10.10). If upgrading immediately, it is recommended to disable remove shim-signed and reinstall GRUB on those systems to ensure that they will continue to boot: # apt-get remove shim-signed # dpkg --reconfigure grub-efi-amd64 and disable Secure Boot in their system firmware if it's enabled. I'm working on a more user-friendly fix now, and I hope to push it out via the Buster security archive shortly. This will still not be *working* Secure Boot for arm64, as we're still awaiting better toolchain support to make that work. -- System Information: Debian Release: 10.9 APT prefers stable-debug APT policy: (500, 'stable-debug'), (500, 'stable'), (500, 'oldstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.10.0-0.bpo.5-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_CPU_OUT_OF_SPEC Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages shim-signed depends on: ii grub-efi-amd64-bin 2.02+dfsg1-20+deb10u4 ii grub2-common 2.02+dfsg1-20+deb10u4 ii shim-helpers-amd64-signed 1+15.4+2~deb10u1 Versions of packages shim-signed recommends: pn secureboot-db <none> shim-signed suggests no packages. -- debconf information excluded