Bug#1024395: grub-efi-amd64-signed: after upgrade to 1+2.06+5 I get errors when booting (although I manage to boot)


Eric Valette

Nov 18, 2022, 1:40:03 PM
Package: grub-efi-amd64-bin
Version: 1+2.06+5
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <te...@security.debian.org>

After the upgrade to 2.06-5, I get an error message "prohibited by secure boot policy" and it boots
with a strange look, with \xe7 characters instead of lines.

I build my own kernel and enrolled my own keys; I sign the Linux kernel binary and the modules with the keys.
Everything was working fine with 2.06-3.

I also noticed that my enrolled keys are no longer listed via "mokutil --list-enrolled", although no key was cleared.


-- System Information:
Debian Release: bookworm/sid
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
merged-usr: no
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.155 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF8, LC_CTYPE=fr_FR.UTF8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages grub-efi-amd64-signed depends on:
ii grub-common 2.06-5

Versions of packages grub-efi-amd64-signed recommends:
ii shim-signed 1.38+15.4-7

grub-efi-amd64-signed suggests no packages.

Versions of packages grub-efi-amd64-bin depends on:
ii grub-common 2.06-5

Versions of packages grub-efi-amd64-bin recommends:
ii efibootmgr 17-1

-- no debconf information

Eric Valette

Nov 18, 2022, 5:10:03 PM
dpkg -s shim-signed
Package: shim-signed
Status: install ok installed
Priority: optional
Section: utils
Installed-Size: 937
Maintainer: Debian EFI Team <debia...@lists.debian.org>
Architecture: amd64
Multi-Arch: same
Source: shim-signed (1.38)
Version: 1.38+15.4-7
Depends: shim-signed-common (>= 1.38+15.4-7), grub-efi-amd64-bin, shim-helpers-amd64-signed (>= 1+15.4+2), grub2-common (>= 2.02+dfsg1-16)
Recommends: secureboot-db
Description: Secure Boot chain-loading bootloader (Microsoft-signed binary)
This package provides a minimalist boot loader which allows verifying
signatures of other UEFI binaries against either the Secure Boot DB/DBX or
against a built-in signature database. Its purpose is to allow a small,
infrequently-changing binary to be signed by the UEFI CA, while allowing
an OS distributor to revision their main bootloader independently of
the CA.
.
This package contains the version of the bootloader binary signed by the
Microsoft UEFI CA.
Built-Using: shim (= 15.4-7)

dpkg -s shim-helpers-amd64-signed
Package: shim-helpers-amd64-signed
Status: install ok installed
Priority: optional
Section: admin
Installed-Size: 934
Maintainer: Debian EFI team <debia...@lists.debian.org>
Architecture: amd64
Version: 1+15.6+1
Replaces: shim (<< 15+1533136590.3beb971-3~), shim-signed (<< 1.29)
Depends: shim-unsigned (>= 15.6-1)
Breaks: shim-signed (<< 1.29)
Conflicts: shim (<< 15+1533136590.3beb971-3~)
Description: boot loader to chain-load signed boot loaders (signed by Debian)
This package provides a minimalist boot loader which allows verifying
signatures of other UEFI binaries against either the Secure Boot DB/DBX or
against a built-in signature database. Its purpose is to allow a small,
infrequently-changing binary to be signed by the UEFI CA, while allowing
an OS distributor to revision their main bootloader independently of
the CA.
.
This package contains the MOK manager and fall-back manager signed by the
Debian UEFI CA to be used by shim-signed.
Built-Using: shim (= 15.6-1)

-- eric

Eric Valette

Nov 26, 2022, 6:50:03 AM
I tested with the 6.0.0-4-amd kernel version, and there mokutil
--list-enrolled works.

So either it is a missing config item in my own generated kernel (what
is needed besides all *EFI* config items, something in keyring or crypto
algo?) or a kernel incompatibility (5.10.155).

But that has nothing to do with the grub bug; it is just for the sake of
completeness.

-- eric

Eric Valette

Nov 26, 2022, 11:50:03 AM
CONFIG_INTEGRITY_PLATFORM_KEYRING=y

But the bug is still there

-- eric

Garrett McLean

Dec 1, 2022, 4:30:04 PM
Package: grub-efi-amd64-bin
Version: 1+2.06+3~deb11u4
Followup-For: Bug #1024395
X-Debbugs-Cc: te...@security.debian.org

Wanted to update and say that even with sb enabled, mok doesn't show up
with mokutil --list-enrolled. In my case this may be because mokutil
doesn't work with my mobo (ASUS X99-Deluxe/U3.1) and I had to manually
add my mok in BIOS settings.

Hopefully this info is useful. It seems superfluous but I'm including it
just in case.

-- System Information:
Debian Release: 11.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-19-amd64 (SMP w/12 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages grub-efi-amd64-signed depends on:
ii grub-common 2.06-3~deb11u4

Versions of packages grub-efi-amd64-signed recommends:
ii shim-signed 1.38+15.4-7

grub-efi-amd64-signed suggests no packages.

Versions of packages grub-efi-amd64-bin depends on:
ii grub-common 2.06-3~deb11u4

Steve McIntyre

Dec 3, 2022, 11:30:03 AM
On Sat, Nov 26, 2022 at 05:38:58PM +0100, Eric Valette wrote:
>CONFIG_INTEGRITY_PLATFORM_KEYRING=y
>
>But the bug is still there

*which* bug - the missing key, or the font issue?

--
Steve McIntyre, Cambridge, UK. st...@einval.com
< liw> everything I know about UK hotels I learned from "Fawlty Towers"

Éric Valette

Dec 3, 2022, 12:00:04 PM
The error and font issue. The fact that shim-signed has a different version than the helper part also.

The CONFIG_INTEGRITY_PLATFORM_KEYRING

fixes my mokutil --list-enrolled problem.

3 Dec 2022 17:24:10 Steve McIntyre <st...@einval.com>:

Steve McIntyre

Dec 3, 2022, 2:10:04 PM
On Sat, Dec 03, 2022 at 05:49:11PM +0100, Éric Valette wrote:
>The error and font issue. The fact that shim-signed has a different version than the helper part also.
>
>The CONFIG_INTEGRITY_PLATFORM_KEYRING
>
>fixes my mokutil --list-enrolled problem.

Cool, thanks for confirming that.

I'm hoping to get the font thing fixed soon.

--
Steve McIntyre, Cambridge, UK. st...@einval.com
"Every time you use Tcl, God kills a kitten." -- Malcolm Ray

Eric Valette

Dec 5, 2022, 12:00:04 PM
I had the previous version 2.06-5 on a laptop, and it was not affected
by the bug; only my very old desktop was.

As the bug was closed, I did install 2.06-6 on my laptop (or at least
the components actually upgraded) and now it also fails on my laptop with
the same error as on my desktop.

I now have apparently several grub version flavors and several shim
version flavors:

15.4 for shim-signed:amd64 and shim-signed-common and 15.6 for
shim-helpers-amd64-signed and shim-unsigned

And for grub, I have 2.06-6 except for the important part:
grub-efi-amd64-signed, which is still at 2.06-5.


dpkg -l shim*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=========================-============-============-================================================================
un shim <none> <none> (no description available)
hi shim-helpers-amd64-signed 1+15.6+1 amd64 boot loader to chain-load signed boot loaders (signed by Debian)
hi shim-signed:amd64 1.38+15.4-7 amd64 Secure Boot chain-loading bootloader (Microsoft-signed binary)
hi shim-signed-common 1.38+15.4-7 all Secure Boot chain-loading bootloader (common helper scripts)
hi shim-unsigned 15.6-1 amd64 boot loader to chain-load signed boot loaders under Secure Boot
root@xxxx:~# dpkg -l grub*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=====================-============-============-=================================================================
un grub <none> <none> (no description available)
un grub-cloud-amd64 <none> <none> (no description available)
hi grub-common 2.06-6 amd64 GRand Unified Bootloader (common files)
un grub-coreboot <none> <none> (no description available)
un grub-doc <none> <none> (no description available)
hi grub-efi 2.06-6 amd64 GRand Unified Bootloader, version 2 (dummy package)
hi grub-efi-amd64 2.06-6 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version)
hi grub-efi-amd64-bin 2.06-6 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 modules)
hi grub-efi-amd64-signed 1+2.06+5 amd64 GRand Unified Bootloader, version 2 (amd64 UEFI signed by Debian)
un grub-efi-arm <none> <none> (no description available)
un grub-efi-arm64 <none> <none> (no description available)
un grub-efi-ia32 <none> <none> (no description available)
un grub-efi-ia64 <none> <none> (no description available)
un grub-emu <none> <none> (no description available)
un grub-ieee1275 <none> <none> (no description available)
un grub-legacy <none> <none> (no description available)
un grub-legacy-doc <none> <none> (no description available)
un grub-linuxbios <none> <none> (no description available)
un grub-pc <none> <none> (no description available)
hi grub-pc-bin 2.06-6 amd64 GRand Unified Bootloader, version 2 (PC/BIOS modules)
un grub-uboot <none> <none> (no description available)
un grub-xen <none> <none> (no description available)
un grub-yeeloong <none> <none> (no description available)
un grub2 <none> <none> (no description available)
hi grub2-common 2.06-6 amd64 GRand Unified Bootloader (common files for version 2)
root@xxxx:~#


-- eric

Steve McIntyre

Dec 5, 2022, 12:10:03 PM
On Mon, Dec 05, 2022 at 05:55:13PM +0100, Eric Valette wrote:
>I had the previous version 2.06-5 on a laptop, and it was not affected by the
>bug; only my very old desktop was.
>
>As the bug was closed, I did install 2.06-6 on my laptop (or at least the
>components actually upgraded) and now it also fails on my laptop with the same
>error as on my desktop.
>
>I now have apparently several grub version flavors and several shim version
>flavors:
>
>15.4 for shim-signed:amd64 and shim-signed-common and 15.6 for
>shim-helpers-amd64-signed and shim-unsigned
>
>And for grub, I have 2.06-6 except for the important part:
>grub-efi-amd64-signed, which is still at 2.06-5.

The shim versions don't matter here, the issues are all in grub.

>root@xxxx:~# dpkg -l grub*
>Desired=Unknown/Install/Remove/Purge/Hold
>| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
>|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
>||/ Name Version Architecture Description
>+++-=====================-============-============-=================================================================
...
>hi grub-efi-amd64-signed 1+2.06+5 amd64 GRand Unified Bootloader, version 2 (amd64 UEFI signed by Debian)

You're using the Secure Boot path (shim -> grub-efi-amd64-signed), so
the version of grub that matters for you is the signed version:
1+2.06+5. That is (so far) still based on grub2 source version 2.06-5.
It takes a short while for the builds to propagate through the signing
machinery in Debian.

Please be patient, the fix is on the way to you. If you can check
again when 1+2.06+6 is available, that will be more helpful.

--
Steve McIntyre, Cambridge, UK. st...@einval.com
"... the premise [is] that privacy is about hiding a wrong. It's not.
Privacy is an inherent human right, and a requirement for maintaining
the human condition with dignity and respect."
-- Bruce Schneier

Eric Valette

Dec 5, 2022, 12:20:04 PM
If I upgrade EFI components without suspending BitLocker on Windows, I
need to enter the BitLocker recovery key. Very annoying.

So I cannot normally update the shim and grub EFI components. They are on
hold until I know I have suspended BitLocker and can manually upgrade.

As soon as that is done, I put them on hold again.

-- eric

Eric Valette

Dec 5, 2022, 12:30:03 PM
On 05/12/2022 18:07, Steve McIntyre wrote:

> You're using the Secure Boot path (shim -> grub-efi-amd64-signed), so
> the version of grub that matters for you is the signed version:
> 1+2.06+5. That is (so far) still based on grub2 source version 2.06-5.
> It takes a short while for the builds to propagate through the signing
> machinery in Debian.
>
> Please be patient, the fix is on the way to you. If you can check
> again when 1+2.06+6 is available, that will be more helpful.

Fair enough, but for me this should be handled as a dependency so that
you cannot upgrade only part of the grub components: a meta package that
makes sure all the dependencies are OK before starting the upgrade.

And as explained, I must play with Windows BitLocker to suspend it before
being able to install, so I would prefer doing it all at once.


-- eric

Steve McIntyre

Dec 5, 2022, 12:40:03 PM
On Mon, Dec 05, 2022 at 06:19:53PM +0100, Eric Valette wrote:
>On 05/12/2022 18:07, Steve McIntyre wrote:
>
>> You're using the Secure Boot path (shim -> grub-efi-amd64-signed), so
>> the version of grub that matters for you is the signed version:
>> 1+2.06+5. That is (so far) still based on grub2 source version 2.06-5.
>> It takes a short while for the builds to propagate through the signing
>> machinery in Debian.
>>
>> Please be patient, the fix is on the way to you. If you can check
>> again when 1+2.06+6 is available, that will be more helpful.
>
>Fair enough but for me this should be handled as a dependency so that you
>cannot upgrade only part of grub components. A meta package that makes sure
>all the dependencies are ok before starting the upgrade.

There are no dependency issues to worry about here, I'm afraid you
simply misunderstood the grub packaging setup. That's reasonable -
it's not obvious! Just don't expect the bug to be fixed until the
changes have propagated...

>And as explained I must play with windows bitlocker to suspend it before
>being able to install so I would prefer doing it all at once.

ACK, I understand your pain there. :-/

--
Steve McIntyre, Cambridge, UK. st...@einval.com
"Yes, of course duct tape works in a near-vacuum. Duct tape works
anywhere. Duct tape is magic and should be worshipped."
-- Andy Weir, "The Martian"

Eric Valette

Dec 6, 2022, 12:30:03 PM
On 05/12/2022 18:33, Steve McIntyre wrote:
> On Mon, Dec 05, 2022 at 06:19:53PM +0100, Eric Valette wrote:
>> On 05/12/2022 18:07, Steve McIntyre wrote:
>>
>>> You're using the Secure Boot path (shim -> grub-efi-amd64-signed), so
>>> the version of grub that matters for you is the signed version:
>>> 1+2.06+5. That is (so far) still based on grub2 source version 2.06-5.
>>> It takes a short while for the builds to propagate through the signing
>>> machinery in Debian.
>>>
>>> Please be patient, the fix is on the way to you. If you can check
>>> again when 1+2.06+6 is available, that will be more helpful.
>>
>> Fair enough but for me this should be handled as a dependency so that you
>> cannot upgrade only part of grub components. A meta package that makes sure
>> all the dependencies are ok before starting the upgrade.
>
> There are no dependency issues to worry about here, I'm afraid you
> simply misunderstood the grub packaging setup. That's reasonable -
> it's not obvious! Just don't expect the bug to be fixed until the
> changes have propagated...


I beg to disagree on this one. On my laptop, I updated
grub-efi-amd64-signed to the 1+2.06+6 version but, as the installation does
not trigger a grub reinstall, my laptop is still broken. If you do not
want to put a dependency on each component, each component that contains things
that should be moved to the EFI directory should trigger a grub update.

And in the first place, you should not update the EFI directory until all needed
binaries are updated.


( ls /var/lib/dpkg/info/grub-efi-amd64-signed.*
/var/lib/dpkg/info/grub-efi-amd64-signed.list
/var/lib/dpkg/info/grub-efi-amd64-signed.md5sums
)

The good point is that on my desktop, which was broken due to the previous
install, and on which I downgraded and pinned, it worked because I installed a
coherent set all at once.

But dependencies should enforce that you always have a coherent set when
running a grub update.

So I have to boot Windows, suspend BitLocker, trigger the reinstall of
grub, verify it works by rebooting and then re-enable BitLocker again.
Groumph.

-- eric
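Steve's explanation of the Secure Boot path (shim loads grub-efi-amd64-signed, and its version 1+2.06+5 is built from grub2 source 2.06-5) and Eric's observation that installing the signed package does not by itself rewrite the EFI directory both reduce to two checks an administrator can run before rebooting. The script below is an added example; it is not part of the bug report or of Debian's grub packaging. It assumes the version mapping shown in the thread (1+<upstream>+<rev> corresponds to source <upstream>-<rev>) and the usual Debian locations of the staged signed image and of its copy on the ESP, which may need adjusting on a given machine.

```shell
#!/bin/sh
# Added example, not from the bug report or from Debian's grub packaging.
# Pre-reboot sanity checks for a Secure Boot grub install on Debian:
#  1. grub-efi-amd64-signed must be built from the same grub2 source version
#     as grub-common, since the signed image is the one shim actually loads;
#  2. the grubx64.efi on the ESP must be byte-identical to the signed image
#     staged by the package, since installing the package does not by itself
#     rewrite the ESP.
# Assumption: a signed version "1+<upstream>+<rev>" maps to source
# "<upstream>-<rev>" (as 1+2.06+5 <-> 2.06-5 in the thread). The two paths
# below are the usual Debian locations; adjust them if your ESP differs.

STAGED_GRUB=/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
ESP_GRUB=/boot/efi/EFI/debian/grubx64.efi

# signed_to_source 1+2.06+5  ->  2.06-5
signed_to_source() {
    rest=${1#*+}                                  # drop the leading "1+"
    printf '%s-%s\n' "${rest%+*}" "${rest##*+}"   # upstream, then revision
}

# source_to_signed 2.06-6  ->  1+2.06+6 (the signed version to wait for)
source_to_signed() {
    printf '1+%s+%s\n' "${1%-*}" "${1##*-}"
}

# Succeeds when the signed image and the rest of grub share a source version.
grub_set_coherent() {
    [ "$(signed_to_source "$1")" = "$2" ]
}

# Succeeds when the file on the ESP is identical to the staged signed image;
# a missing file on either side counts as a mismatch.
esp_matches_staged() {
    [ -f "$1" ] && [ -f "$2" ] && cmp -s "$1" "$2"
}

# Live check on a Debian host. Read-only: it only queries dpkg and compares files.
check_live_system() {
    signed=$(dpkg-query -W -f='${Version}' grub-efi-amd64-signed 2>/dev/null)
    common=$(dpkg-query -W -f='${Version}' grub-common 2>/dev/null)
    status=0
    if [ -z "$signed" ] || [ -z "$common" ]; then
        echo "grub-efi-amd64-signed or grub-common is not installed"
        return 2
    fi
    if grub_set_coherent "$signed" "$common"; then
        echo "OK: grub-efi-amd64-signed $signed matches grub-common $common"
    else
        echo "WARNING: grub-efi-amd64-signed $signed is built from $(signed_to_source "$signed")," \
             "but grub-common is $common; hold off until $(source_to_signed "$common") is available"
        status=1
    fi
    if esp_matches_staged "$ESP_GRUB" "$STAGED_GRUB"; then
        echo "OK: $ESP_GRUB is the staged signed image"
    else
        echo "WARNING: $ESP_GRUB differs from $STAGED_GRUB or is missing; the ESP was not updated"
        status=1
    fi
    return $status
}

# Only run the live check when asked, so the functions can be sourced or tested.
case "${1:-}" in
    --live) check_live_system ;;
esac
```

Run it as `sh grub-sb-check.sh --live` after an upgrade; a non-zero exit means either that the signed image lags the rest of grub (the 1+2.06+5 versus 2.06-6 situation in the thread) or that the ESP still carries an older binary, both of which are worth knowing before the next reboot on a machine where a failed boot costs a BitLocker recovery key.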

Eric Valette

Dec 11, 2022, 6:00:03 AM
After upgrading all grub* packages to 2.06-7 at once, I confirm it works on both
laptop and desktop.

Now, the dependency still seems strange to me, especially as the signed
version usually comes later than the rest.

-- eric