Shim 15.4 current status and issues

Steve McIntyre steve at einval.com
Sun Apr 25 18:04:46 BST 2021


Hey folks,

I've been adding links to the mailing list in some of the shim reviews
I've been working on. I'm hoping we'll get more people showing up here
to discuss things...

On Wed, Apr 21, 2021 at 10:00:03PM +0100, Steve McIntyre wrote:
>
>Shim 15.4 is released and is mostly good software. Like (just about!)
>all software, it has some bugs. Look in the shim issue tracker [1] for
>the known list. Not *all* of the issues listed there are necessarily
>serious, of course. At this point I believe we know of several that
>*are* likely to be important for many users, and Julian Andres Klode
>has helpfully added a pinned bug [2] in the shim-reviews issue tracker
>[3] with pointers to those issues.
>
>[1] https://github.com/rhboot/shim/issues
>[2] https://github.com/rhboot/shim-review/issues/165
>[3] https://github.com/rhboot/shim-review/issues
>
>Reproducing Julian's list here:
>
>Fatal issues:
>
>* rhboot/shim#364: fails to boot on older Macs, and other machines with EFI < 2
>* rhboot/shim#362: mokutil --disable-validation does not work
>* rhboot/shim#357: 32-bit Intel is broken
>* rhboot/shim#366: 64-bit ARM is broken

For information: Dmitri debugged some of #366 at the end of last
week. Older versions of binutils are still going to give broken shim
builds on arm64, but we now understand why newer toolchains are still
giving us unreproducible binaries. We're getting the build ID included
inside the binary too, and that's not staying constant from one
machine to the next.

>Is anybody aware of any other major problems affecting shim 15.4
>please? I'm about to check the fix for #362 and then start the release
>build process again for Debian. It would be nice to make some
>progress after multiple false starts. :-/

The fix for #362 verified fine here (yay!). I've not heard of any more
issues since this last mail, so we've submitted new builds (15.4-2 and
15.4-2~deb10u1) and people have reviewed and accepted them. Thanks!

I've just taken another pass through the open shim-review issues at

  https://github.com/rhboot/shim-review/issues

and I think most are in good shape. I've added some comments, accepted
Deepin's most recent update, etc. I've also tweaked the set of labels
that we're using there, to (hopefully!) make it easier to track how
the various submissions are doing. I've added an "extra review wanted"
label to those where I'd like to see another reviewer take a look -
please check those if you can.

Prompted by looking at a lot of reviews... Several of us will need to
update our fwupd builds to pull in the SBAT format fix, at the very
least (see v1.5.9).

-- 
Steve McIntyre, Cambridge, UK.                                steve at einval.com
"... the premise [is] that privacy is about hiding a wrong. It's not.
 Privacy is an inherent human right, and a requirement for maintaining
 the human condition with dignity and respect."
  -- Bruce Schneier



