Bug#992073: shim-signed: restore arm64 support

2022-10-11 Thread Steve McIntyre
On Tue, Oct 11, 2022 at 02:08:44AM +0100, Wookey wrote:
>On 2022-06-28 15:18 +0100, Steve McIntyre wrote:
>> On Tue, Jun 28, 2022 at 03:08:52PM +0100, Wookey wrote:
>
>> >Can we have a progress/blockers update?
>> 
>> I'm currently testing builds of the latest shim release (15.6) on all
>> 3 platforms (amd64, i386 and arm64). It now builds reproducibly on
>> arm64, given a new enough toolchain, so I'll be marking this bug as
>> closed when I upload.
>
>Where are we at with this bug? Mostly Steve trying to find enough tuits, I
>suspect.
>
>Can I do anything to help things along?

It's not currently blocking on me, but on getting a signed binary
back from Microsoft. We've been hit by a sequence of issues around
that, but it's in hand. Hoping to get something back in the next week
or two.

-- 
Steve McIntyre, Cambridge, UK.  st...@einval.com
“Rarely is anyone thanked for the work they did to prevent the
 disaster that didn’t happen.”
   -- Mikko Hypponen (https://twitter.com/mikko/)



Bug#992073: shim-signed: restore arm64 support

2022-10-10 Thread Wookey
On 2022-06-28 15:18 +0100, Steve McIntyre wrote:
> On Tue, Jun 28, 2022 at 03:08:52PM +0100, Wookey wrote:

> >Can we have a progress/blockers update?
> 
> I'm currently testing builds of the latest shim release (15.6) on all
> 3 platforms (amd64, i386 and arm64). It now builds reproducibly on
> arm64, given a new enough toolchain, so I'll be marking this bug as
> closed when I upload.

Where are we at with this bug? Mostly Steve trying to find enough tuits, I
suspect.

Can I do anything to help things along?

Wookey
-- 
Principal hats:  Debian, Wookware, ARM
http://wookware.org/




Bug#992073: shim-signed: restore arm64 support

2022-06-28 Thread Steve McIntyre
On Tue, Jun 28, 2022 at 03:08:52PM +0100, Wookey wrote:
>On 2022-04-27 13:40 +0100, Steve McIntyre wrote:
>> I'm hacking on shim right now, setting up local CI etc. to help me
>> with testing. As soon as I can validate that arm64 stuff is working
>> correctly now, I'll take out the hacks I added. Give me a few days...
>
>Gentle prod Steve.
>
>I know how those 'few days' get interrupted. And the offer to help
>remains, but it's probably quicker for you to do this than explain to me
>what I'd need to do :-)
>
>Can we have a progress/blockers update?

I'm currently testing builds of the latest shim release (15.6) on all
3 platforms (amd64, i386 and arm64). It now builds reproducibly on
arm64, given a new enough toolchain, so I'll be marking this bug as
closed when I upload.

-- 
Steve McIntyre, Cambridge, UK.  st...@einval.com
< Aardvark> I dislike C++ to start with. C++11 just seems to be
handing rope-creating factories for users to hang multiple
instances of themselves.



Bug#992073: shim-signed: restore arm64 support

2022-06-28 Thread Wookey
On 2022-04-27 13:40 +0100, Steve McIntyre wrote:
> I'm hacking on shim right now, setting up local CI etc. to help me
> with testing. As soon as I can validate that arm64 stuff is working
> correctly now, I'll take out the hacks I added. Give me a few days...

Gentle prod Steve.

I know how those 'few days' get interrupted. And the offer to help
remains, but it's probably quicker for you to do this than explain to me
what I'd need to do :-)

Can we have a progress/blockers update?

Wookey
-- 
Principal hats:  Debian, Wookware, ARM
http://wookware.org/




Bug#992073: shim-signed: restore arm64 support

2022-04-27 Thread Steve McIntyre
On Wed, Apr 27, 2022 at 01:33:47PM +0100, Wookey wrote:
>Binutils 2.38 now has proper PE/COFF output support for arm64.
>(And is in unstable and testing.)
>https://sourceware.org/pipermail/binutils/2022-February/119721.html
>
>I think this is the relevant bit:
>"Support for efi-app-aarch64, efi-rtdrv-aarch64 and
> efi-bsdrv-aarch64 has been added to objcopy in order to enable
> UEFI development using binutils."
>
>So we should now be able to build shim-signed on arm64 without the
>hackery that was previously used to simulate this format (and then had
>to be disabled because it broke things (AIUI)).
>
>I'm not sure how much work this is or if anyone else is already
>working on it?  I presume it should be a simplification by removing
>the previous workarounds and building just as we do on x86 now?
>
>Happy to have a look if someone gives me some pointers. (A look round
>the package for an hour was not sufficient for me to work out how shim
>itself or the various other bits is all put together (shim-signed,
>shim-helpers--signed etc) and where it needs poking).

I'm hacking on shim right now, setting up local CI etc. to help me
with testing. As soon as I can validate that arm64 stuff is working
correctly now, I'll take out the hacks I added. Give me a few days...

-- 
Steve McIntyre, Cambridge, UK.  st...@einval.com
"The problem with defending the purity of the English language is that
 English is about as pure as a cribhouse whore. We don't just borrow words; on
 occasion, English has pursued other languages down alleyways to beat them
 unconscious and rifle their pockets for new vocabulary."  -- James D. Nicoll



Bug#992073: shim-signed: restore arm64 support

2022-04-27 Thread Wookey
Binutils 2.38 now has proper PE/COFF output support for arm64.
(And is in unstable and testing.)
https://sourceware.org/pipermail/binutils/2022-February/119721.html

I think this is the relevant bit:
"Support for efi-app-aarch64, efi-rtdrv-aarch64 and
 efi-bsdrv-aarch64 has been added to objcopy in order to enable
 UEFI development using binutils."

So we should now be able to build shim-signed on arm64 without the
hackery that was previously used to simulate this format (and then had
to be disabled because it broke things (AIUI)).

I'm not sure how much work this is or if anyone else is already
working on it?  I presume it should be a simplification by removing
the previous workarounds and building just as we do on x86 now?

Happy to have a look if someone gives me some pointers. (A look round
the package for an hour was not sufficient for me to work out how shim
itself or the various other bits is all put together (shim-signed,
shim-helpers--signed etc) and where it needs poking).

Wookey
-- 
Principal hats:  Debian, Wookware, ARM
http://wookware.org/




Bug#992073: shim-signed: restore arm64 support

2021-08-10 Thread Paul Gevers
Hi,

On 10-08-2021 19:02, Antonio Terceiro wrote:
> As a data point, the Huawei cloud infra where ci.debian.net runs arm64
> workers (for arm*) does use Secure Boot on arm64, and applying security
> updates broke our machines there.

Just a proper follow-up. It seems we were hit by the inappropriate
1.36~1+deb10u1+15.4-5~deb10u1. This was possible because we used
APT::Default-Release "buster" ; which *doesn't* include buster-updates,
so the fixed package was prioritized *below* the broken one by APT.

Upgrading a fresh VM with a fixed APT::Default-Release pulled in the
fixed package from buster-updates and enabled the VM to reboot afterwards.

So, Huawei doesn't seem to force Secure Boot on arm64 after all.

Paul




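The apt behaviour Paul describes is easy to misread, so here is the selection rule worked through. This is an added example for the bug log, not apt's own code: it implements the candidate rule from apt_preferences(5) (the version with the highest pin priority wins; version order only breaks ties between equal priorities) on top of a port of dpkg's version comparison, and shows why APT::Default-Release "buster" kept the broken 1.36~1+deb10u1+15.4-5~deb10u1 ahead of a newer build in buster-updates. The broken version string is the one from Paul's message; the "fixed" version in buster-updates and the suite labels are constructed for the illustration, and the installed-version priority (100) and downgrade handling are left out.

```python
"""Model of apt candidate selection under APT::Default-Release.

Added example for Debian bug #992073, not apt's own code. Rule from
apt_preferences(5): the candidate is the version with the highest pin
priority; version order only breaks ties. Versions from a target suite get
990, everything else 500 (installed-version and downgrade rules omitted).
"""
import functools
from dataclasses import dataclass

DEFAULT_PRIORITY = 500
TARGET_RELEASE_PRIORITY = 990


def _char_order(c: str) -> int:
    """dpkg ordering for one character: '~' sorts before even end-of-string (0)."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _char_order(a[i]) if i < len(a) else 0
            bc = _char_order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":   # numeric runs compare without leading zeros
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():   # longer numeric run is larger
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def dpkg_compare(v1: str, v2: str) -> int:
    """Compare Debian version strings: epoch, then upstream part, then revision."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


@dataclass(frozen=True)
class Available:
    version: str
    suite: str  # Suite/Codename of the Release file the version came from


def pin_priority(av: Available, target_suites: set) -> int:
    """Priority apt assigns when APT::Default-Release matches these suites."""
    return TARGET_RELEASE_PRIORITY if av.suite in target_suites else DEFAULT_PRIORITY


def candidate(available: list, target_suites: set) -> Available:
    """Highest pin priority first; the newest version wins only within that priority."""
    version_key = functools.cmp_to_key(dpkg_compare)
    return max(available, key=lambda av: (pin_priority(av, target_suites), version_key(av.version)))


# Constructed pool: BROKEN is the version Paul's message names; FIXED is a
# hypothetical newer build in buster-updates, not the real one.
BROKEN = "1.36~1+deb10u1+15.4-5~deb10u1"
FIXED = "1.36~1+deb10u1+15.4-6~deb10u1"
SHIM_SIGNED = [Available(BROKEN, "buster"), Available(FIXED, "buster-updates")]

if __name__ == "__main__":
    for suites in ({"buster"}, {"buster", "buster-updates"}, set()):
        print(sorted(suites) or "(no Default-Release)", "->", candidate(SHIM_SIGNED, suites).version)
```

Anything that puts buster-updates on the same priority as buster fixes the ordering: drop APT::Default-Release, add a `Pin-Priority: 990` entry for buster-updates in /etc/apt/preferences, or (on apt versions that accept a regular expression in APT::Default-Release; check apt.conf(5) for yours) use a value that matches buster-updates as well. `apt-cache policy shim-signed` shows the priorities apt actually computed on a given host.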


Bug#992073: shim-signed: restore arm64 support

2021-08-10 Thread Antonio Terceiro
Package: shim-signed
Version: 1.38+15.4-7
Severity: normal
X-Debbugs-CC: debian...@lists.debian.org

Hi,

Thanks for your work on shim-signed.

I have read both the package changelog and the NEWS file, and I
understand the reason for dropping the signed shim support for arm64.
I'm opening this bug to have a user-visible tracking of this issue.

Quoting NEWS for the benefit of others who find this bug:

shim-signed (1.34) unstable; urgency=medium

  Debian no longer supports UEFI Secure Boot on arm64 systems

  Shim and other EFI programs have always been difficult to build on
  arm64, compared to x86 platforms. Binutils for amd64 and i386
  includes explicit support for creating programs in the PE/COFF
  binary format that EFI uses, but this has never been added for
  arm64.

  In the past, shim developers added some local hacks into the shim
  package to generate a *mostly*-compliant PE/COFF EFI binary without
  this toolchain support, and that seemed to be sufficient for
  use. Everything seemed to work. *However*, during the development
  and testing phase of shim 15.3 and 15.4, we found significant
  issues with this approach. New security features needed in shim
  (SBAT) showed up severe problems with the lack of proper toolchain
  support. See https://github.com/rhboot/shim/issues/366 for more
  details. The old hacks around binutils are no longer sustainable.

  Statistics tell us that very few people have attempted to use arm64
  Secure Boot with Debian so far. In the interests of releasing needed
  updates in a timely manner, we have decided *for the time being* to
  disable signed shim support for Debian arm64.

  We hope to re-introduce arm64 Secure Boot support as soon as
  possible in the future.

As a data point, the Huawei cloud infra where ci.debian.net runs arm64
workers (for arm*) does use Secure Boot on arm64, and applying security
updates broke our machines there.


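Wookey's note about objcopy gaining efi-app-aarch64 output and the NEWS text above describe the same problem from two sides: without real PE/COFF support the arm64 shim was only "mostly" compliant, and the new .sbat section was what exposed it. The script below is an added example, not code from shim, binutils or the Debian packaging. It reads the headers that matter for an EFI binary (machine type, PE32+ magic, EFI-application subsystem, section table) and checks that a .sbat section exists and parses as six-field CSV records, which is the kind of check to run on a freshly built shim.efi before sending it off for signing. The image it builds for itself is constructed test input, and the SBAT lines are sample records in the documented shape, not shim's real ones.

```python
"""Header checks for a built EFI image: expected machine, PE32+ format, the
EFI-application subsystem and a .sbat section that parses. Added example, not
code from shim, binutils or the Debian packaging; build_minimal_pe() exists
only to construct test input."""
import struct

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_MACHINE_ARM64 = 0xAA64
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10
SBAT_FIELDS = 6  # component, generation, vendor, package, version, url


def inspect_efi_image(data: bytes) -> dict:
    """Parse the MZ stub, COFF header, optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ stub at offset 0")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # Subsystem sits at offset 68 of the optional header in both PE32 and PE32+.
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    sections = {}
    for n in range(nsections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * n)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = data[raw_ptr:raw_ptr + raw_size]
    return {"machine": machine, "pe32plus": magic == PE32PLUS_MAGIC,
            "subsystem": subsystem, "sections": sections}


def parse_sbat(blob: bytes) -> list:
    """Split .sbat into CSV records; the first must be the 'sbat' version entry."""
    records = []
    for line in blob.rstrip(b"\0").decode("utf-8").splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        if len(fields) < SBAT_FIELDS:
            raise ValueError(f"short SBAT record: {line!r}")
        records.append(fields)
    if not records or records[0][0] != "sbat":
        raise ValueError("first SBAT record must be the 'sbat' entry")
    return records


def check_efi_image(data: bytes, expected_machine: int) -> list:
    """Return a list of problems; an empty list means the headers look sane."""
    try:
        info = inspect_efi_image(data)
    except ValueError as exc:
        return [f"not a PE/COFF image: {exc}"]
    problems = []
    if info["machine"] != expected_machine:
        problems.append(f"machine {info['machine']:#x}, expected {expected_machine:#x}")
    if not info["pe32plus"]:
        problems.append("not a PE32+ image")
    if info["subsystem"] != IMAGE_SUBSYSTEM_EFI_APPLICATION:
        problems.append(f"subsystem {info['subsystem']}, expected EFI application (10)")
    if ".sbat" not in info["sections"]:
        problems.append("no .sbat section")
    else:
        try:
            parse_sbat(info["sections"][".sbat"])
        except ValueError as exc:
            problems.append(f".sbat unusable: {exc}")
    return problems


def build_minimal_pe(machine: int, subsystem: int, sections: dict) -> bytes:
    """Constructed test input: MZ stub, PE32+ headers and one section header per entry."""
    def up(n):                                               # 512-byte file alignment
        return (n + 0x1FF) // 0x200 * 0x200
    hdr_len = up(0x40 + 4 + 20 + 240 + 40 * len(sections))
    mz = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)                                     # PE32+ with 16 data directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    table, raw, ptr = b"", b"", hdr_len
    for name, body in sections.items():
        size = up(len(body))
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(body), ptr, size, ptr,
                             0, 0, 0, 0, 0x40000040)           # vaddr = file offset; readable data
        raw, ptr = raw + body.ljust(size, b"\0"), ptr + size
    return (mz + b"PE\0\0" + coff + bytes(opt) + table).ljust(hdr_len, b"\0") + raw


# Constructed sample records in the documented six-field shape, not shim's real .sbat.
SBAT_SAMPLE = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim\n"
               b"shim,1,UEFI shim,shim,1,https://github.com/rhboot/shim\n")

if __name__ == "__main__":
    demo = build_minimal_pe(IMAGE_FILE_MACHINE_ARM64, IMAGE_SUBSYSTEM_EFI_APPLICATION,
                            {".text": bytes(16), ".sbat": SBAT_SAMPLE})
    print(check_efi_image(demo, IMAGE_FILE_MACHINE_ARM64) or "ok")
```

To check a real build, pass the file contents to `check_efi_image(open(path, "rb").read(), IMAGE_FILE_MACHINE_ARM64)`; `objdump -h shim.efi` from binutils 2.38 or later is the cross-check, since older objdump could not read these images either. The checker only looks at headers and the .sbat layout; it says nothing about the Authenticode signature, which is what Microsoft's signing adds on top.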