Shim 15.4 current status and issues

Steve McIntyre steve at einval.com
Wed Apr 21 22:00:03 BST 2021 

[ Mail sent to the EFI list and in BCC to others who I believe may be
  interested. Apologies if you're not interested or if you receive
  more than one copy... Please sign up to the EFI list if you haven't
  already: https://lists.einval.com/cgi-bin/mailman/listinfo/efi ]

Hi folks!

Shim 15.4 is released and is mostly good software. Like (just about!)
all software, it has some bugs. Look in the shim issue tracker [1] for
the known list. Not *all* of the issues listed there are necessarily
serious, of course. At this point I believe we know of several that
*are* likely to be important for many users, and Julian Andres Klode
has helpfully added a pinned bug [2] in the shim-reviews issue tracker
[3] with pointers to those issues.

[1] https://github.com/rhboot/shim/issues
[2] https://github.com/rhboot/shim-review/issues/165
[3] https://github.com/rhboot/shim-review/issues

Reproducing Julian's list here:

Fatal issues:

* rhboot/shim#364: fails to boot on older Macs, and other machines with EFI < 2: 
* rhboot/shim#362: mokutil --disable-validation does not work: 
* rhboot/shim#357: 32-bit Intel is broken: 
* rhboot/shim#366: 64-bit ARM is broken: 

Unknown extent:

* rhboot/shim#361: produces kernel errors: 

I think we currently have working patches for 4 of these 5 issues (all
expect arm64 support).

In order:

#364 I've tested and confirmed this locally on one of my test machines
     (Core 2 Duo iMac6,1). The patch in the PR works for me.

#362 I've not *yet* personally tested the effects of #362 and the fix
     yet - has anybody else? It's already merged into the main
     branch. (https://github.com/rhboot/shim/commit/822d07ad4f07ef66fe447a130e1027c88d02a394)
     I'm about to play with it now,

#357 Anybody building an ia32/i386 shim *will* need the patch here -
     it's an obvious breakage. Already merged into main
     (https://github.com/rhboot/shim/commit/5b3ca0d2f7b5f425ba1a14db8ce98b8d95a2f89f)

#366 I think this is a deal-breaker for arm64/aarch64 at this
     point. I've decided to abandon arm64 Secure Boot support in
     Debian for now due to this issue...

#361 Again, this looks like an obvious fix and is already in the main
     branch (https://github.com/rhboot/shim/commit/4068fd42c891ea6ebdec056f461babc6e4048844)

We've also heard of some potential booting problems on older x86-64
Thinkpad models (e.g. T420) in testing by Ubuntu people. We're waiting
on more information about that.

Is anybody aware of any other major problems affecting shim 15.4
please? I'm about to check the fix for #362 and then start the release
build process again for Debian. It would be nice to make some
progress after multiple false starts. :-/

-- 
Steve McIntyre, Cambridge, UK.                                steve at einval.com
< sladen> I actually stayed in a hotel and arrived to find a post-it
          note stuck to the mini-bar saying "Paul: This fridge and
          fittings are the correct way around and do not need altering"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.einval.com/pipermail/efi/attachments/20210421/17ee7a3f/attachment.sig>

More information about the Efi mailing list