Bug#990158: shim-signed-common: No UEFI boot with error "Could not create MokListXRT"
On Tue, Jun 22, 2021 at 11:47:22AM +0200, Ayke Halder wrote: >> On Mon, Jun 21, 2021 at 09:00:15PM +0200, Ayke Halder wrote: >> > Package: shim-signed-common >> > Version: 1.33+15+1533136590.3beb971-7 >> > Severity: critical >> > Justification: breaks the whole system >> > >> > Dear Maintainer, >> > >> > ## What led up to the situation? >> > >> > Upgrade: >> > >> > * shim-signed:amd64 (1.33+15+1533136590.3beb971-7, >> > 1.36~1+deb10u1+15.4-5~deb10u1) >> > * shim-signed-common:amd64 (1.33+15+1533136590.3beb971-7, >> > 1.36~1+deb10u1+15.4-5~deb10u1) >> > >> > System: Dell T5600 with BIOS Revision A19 >> > >> > >> > ## What was the outcome of this action? >> > >> > System is unbootable on booting via UEFI. System shows error message and >> > then >> > powers off immediately: >> > >> > "Could not create MokListXRT: Out of Resources >> > Something has gone seriously wrong: import_mok_state() failed: Out of >> > Resources" >> > >> > >> > ## What outcome did you expect instead? >> > >> > A normal booting system loading GRUB. >> > >> > >> > ## Also reproducible with Debian Live-Installations-Image >> > >> > On affected hardware like "Dell T5600" doing a UEFI boot from USB with … >> > >> > * debian-live-10.10.0-amd64-standard.iso does *not* work. >> > * debian-live-10.9.0-amd64-standard.iso works. >> > >> > >> > ## Related resources >> > >> > Might be related to: >> > >> > * https://bugzilla.suse.com/show_bug.cgi?id=1185261 >> Yes, it looks like exactly the same problem. :-( >> >> Several of the shim maintainers in various distributions are now >> seeing reports like this. It seems that lots of machines are short of >> space to store the new MokListXRT variable. Since the buster update >> this weekend, yours is the second problem report I've seen. >> >> Ubuntu have a patch to disable the variable mirroring here. I was not >> expecting we'd need it, but it looks like I was wrong. >> >> In terms of making your system boot, I'd suggest temporarily one of: >> >> * switch back to an older shim-signed package >> * disable Secure Boot and remove shim-signed >> > >I switched back to an older package of shim-signed and shim-signed-common. ACK, that's the best thing for now. >One caveat: >I could not get the older package version via the official package repository >anymore. Luckily I still had a copy of the old package in a local repository >mirror. OK. There's one thing I possibly should have mentioned here, then! https://snapshot.debian.org/ carries ~all the packages that are ever uploaded to Debian, so you should almost always be able to find older packages there. I use it quite frequently as a developer, but I guess it's not so well know amongst users! -- Steve McIntyre, Cambridge, UK.st...@einval.com "I suspect most samba developers are already technically insane... Of course, since many of them are Australians, you can't tell." -- Linus Torvalds
Bug#990158: shim-signed-common: No UEFI boot with error "Could not create MokListXRT"
Hi Ayke, Thanks for your bug report, and apologies for the problem :-/ On Mon, Jun 21, 2021 at 09:00:15PM +0200, Ayke Halder wrote: >Package: shim-signed-common >Version: 1.33+15+1533136590.3beb971-7 >Severity: critical >Justification: breaks the whole system > >Dear Maintainer, > >## What led up to the situation? > >Upgrade: > >* shim-signed:amd64 (1.33+15+1533136590.3beb971-7, >1.36~1+deb10u1+15.4-5~deb10u1) >* shim-signed-common:amd64 (1.33+15+1533136590.3beb971-7, >1.36~1+deb10u1+15.4-5~deb10u1) > >System: Dell T5600 with BIOS Revision A19 > > >## What was the outcome of this action? > >System is unbootable on booting via UEFI. System shows error message and then >powers off immediately: > >"Could not create MokListXRT: Out of Resources >Something has gone seriously wrong: import_mok_state() failed: Out of >Resources" > > >## What outcome did you expect instead? > >A normal booting system loading GRUB. > > >## Also reproducible with Debian Live-Installations-Image > >On affected hardware like "Dell T5600" doing a UEFI boot from USB with … > >* debian-live-10.10.0-amd64-standard.iso does *not* work. >* debian-live-10.9.0-amd64-standard.iso works. > > >## Related resources > >Might be related to: > >* https://bugzilla.suse.com/show_bug.cgi?id=1185261 Yes, it looks like exactly the same problem. :-( Several of the shim maintainers in various distributions are now seeing reports like this. It seems that lots of machines are short of space to store the new MokListXRT variable. Since the buster update this weekend, yours is the second problem report I've seen. Ubuntu have a patch to disable the variable mirroring here. I was not expecting we'd need it, but it looks like I was wrong. In terms of making your system boot, I'd suggest temporarily one of: * switch back to an older shim-signed package * disable Secure Boot and remove shim-signed -- Steve McIntyre, Cambridge, UK.st...@einval.com "We're the technical experts. We were hired so that management could ignore our recommendations and tell us how to do our jobs." -- Mike Andrews
Bug#990158: shim-signed-common: No UEFI boot with error "Could not create MokListXRT"
Package: shim-signed-common Version: 1.33+15+1533136590.3beb971-7 Severity: critical Justification: breaks the whole system Dear Maintainer, ## What led up to the situation? Upgrade: * shim-signed:amd64 (1.33+15+1533136590.3beb971-7, 1.36~1+deb10u1+15.4-5~deb10u1) * shim-signed-common:amd64 (1.33+15+1533136590.3beb971-7, 1.36~1+deb10u1+15.4-5~deb10u1) System: Dell T5600 with BIOS Revision A19 ## What was the outcome of this action? System is unbootable on booting via UEFI. System shows error message and then powers off immediately: "Could not create MokListXRT: Out of Resources Something has gone seriously wrong: import_mok_state() failed: Out of Resources" ## What outcome did you expect instead? A normal booting system loading GRUB. ## Also reproducible with Debian Live-Installations-Image On affected hardware like "Dell T5600" doing a UEFI boot from USB with … * debian-live-10.10.0-amd64-standard.iso does *not* work. * debian-live-10.9.0-amd64-standard.iso works. ## Related resources Might be related to: * https://bugzilla.suse.com/show_bug.cgi?id=1185261 -- System Information: Debian Release: 10.10 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 5.10.0-0.bpo.7-amd64 (SMP w/32 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages shim-signed-common depends on: ii debconf [debconf-2.0] 1.5.71 ii mokutil0.3.0+1538710437.fb6250f-1 shim-signed-common recommends no packages. shim-signed-common suggests no packages. -- debconf information: shim/title/secureboot: shim/error/secureboot_key_mismatch: shim/secureboot_explanation: shim/error/bad_secureboot_key: shim/disable_secureboot: true shim/enable_secureboot: false
