On 05/07/2024 02:20, Steve McIntyre wrote: ...
> The thornier problem is the shim-signed that's in unstable right now. It hasn't migrated to testing yet (and won't without an unblock AFAICS), so there is a comparatively limited set of machines with it installed. I'm *tempted* to revert shim-signed and go back to using the previous 15.7 shim *for now* there. Then move forward to 15.8 again just before the point release.
> How does that sound? Feedback welcome...
As far as I understood the documentation for SBAT [1][2], the SBAT mechanism is working as it is intended (i.e. blocking when the UEFI firmware somehow learns about revoked SBAT levels).
Debian will not be alone in increasing the shim SBAT level to 4, every distro that uses shim 15.8 (released 2024-01-23) will effectively block the current bookworm and bullseye bootable images. (With 'whohas', I've seen at least Gentoo and Ubuntu)
The error message 'Verifying shim SBAT data failed: Security Policy Violation' does not contain many details, and I expect that there will be several bug reports coming in, or frustrated users shying away from Debian.
Since the 12.7 release is currently being planned (second half of August), this leaves a window of about 6 to 8 weeks for incoming issues. The easiest short-term fix looks indeed to be a revert to 15.7; however, anyone using 1) sid, 2) secure boot UEFI and 3) unattended-upgrades since 2024-06-26 would find their computer to be unbootable, unless the revert can somehow reduce these SBAT levels to values that allow for a boot. (Or if that is not automatically possible, a NEWS entry might be required, prompting the user to do things manually.)
Alternatively, the Debian installer images and live images could be re-generated to have the newer shim version patched in, to provide 12.6.1 versioned images (a kind of security update, that's what the third number was reserved for, isn't it?)
With kind regards,
Roland Clobus

[1] https://github.com/rhboot/shim/blob/main/SBAT.md
[2] https://github.com/rhboot/shim/blob/main/SbatLevel_Variable.txt
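A small model of the SBAT generation check discussed in this thread, added here as an example; it is not code from the thread or from the shim project. The CSV layout follows SBAT.md and SbatLevel_Variable.txt, while the sample .sbat sections, the generation number assumed for the older shim, and the date stamps are constructed for illustration (only the 'shim,4' level comes from the discussion).

```python
"""Model of shim's SBAT check: a binary's .sbat CSV is compared against the
firmware's SbatLevel revocation list (formats per rhboot/shim SBAT.md)."""

def parse_sbat_csv(text):
    """Parse SBAT-style CSV ('name,generation,...' per line) into {name: generation}.
    The same layout is used by a binary's .sbat section and the SbatLevel payload."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) >= 2 and fields[0]:
            entries[fields[0]] = int(fields[1])
    return entries

def sbat_verify(image_sbat, sbat_level):
    """Return (ok, detail). A component fails only if the image carries it and its
    generation is below the minimum the revocation list demands for that name;
    components the image does not carry are not checked (the rule in SBAT.md)."""
    image = parse_sbat_csv(image_sbat)
    level = parse_sbat_csv(sbat_level)
    if image.get("sbat") != 1:
        return False, "missing or unsupported sbat header entry"
    for name, minimum in level.items():
        if name == "sbat":
            continue  # header line carries the list's date stamp, not a component
        have = image.get(name)
        if have is not None and have < minimum:
            return False, f"{name}: generation {have} below required {minimum}"
    return True, "ok"

# Constructed .sbat sections: an older shim assumed at generation 3, a newer one at 4.
OLD_SHIM_SBAT = ("sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
                 "shim,3,UEFI shim,shim,1,https://github.com/rhboot/shim\n")
NEW_SHIM_SBAT = OLD_SHIM_SBAT.replace("shim,3,", "shim,4,")

# Constructed SbatLevel payloads: what a firmware holds before and after it has
# booted a shim that raises the shim requirement to 4 (date stamps are placeholders).
LEVEL_BEFORE = "sbat,1,2023000000\nshim,2\ngrub,3\n"
LEVEL_AFTER = "sbat,1,2024000000\nshim,4\ngrub,3\n"

def boot_outcome(image_sbat, sbat_level):
    """Map the check result to the message a user would see at the firmware prompt."""
    ok, detail = sbat_verify(image_sbat, sbat_level)
    return "booted" if ok else f"Verifying shim SBAT data failed: Security Policy Violation ({detail})"

if __name__ == "__main__":
    print(boot_outcome(OLD_SHIM_SBAT, LEVEL_BEFORE))  # old media, untouched firmware
    # After one boot of the new shim the variable is raised; reverting the shim package
    # does not lower it, so the older image stays blocked on that machine.
    print(boot_outcome(OLD_SHIM_SBAT, LEVEL_AFTER))
    print(boot_outcome(NEW_SHIM_SBAT, LEVEL_AFTER))
```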