On 2021/5/4 I ran sudo apt full-upgrade to update my system; during the upgrade, apt-listchanges warned:
shim-signed (1.34) unstable; urgency=medium

  Debian no longer supports UEFI Secure Boot on arm64 systems

  Shim and other EFI programs have always been difficult to build on
  arm64, compared to x86 platforms. Binutils for amd64 and i386
  includes explicit support for creating programs in the PE/COFF
  binary format that EFI uses, but this has never been added for
  arm64.

  In the past, shim developers added some local hacks into the shim
  package to generate a mostly-compliant PE/COFF EFI binary without
  this toolchain support, and that seemed to be sufficient for
  use. Everything seemed to work. However, during the development
  and testing phase of shim 15.3 and 15.4, we found significant
  issues with this approach. New security features needed in shim
  (SBAT) showed up severe problems with the lack of proper toolchain
  support. See "Significant problems with Aarch64 (and Arm?) builds", Issue #366, rhboot/shim on GitHub, for more
  details. The old hacks around binutils are no longer sustainable.

  Statistics tell us that very few people have attempted to use arm64
  Secure Boot with Debian so far. In the interests of releasing needed
  updates in a timely manner, we have decided for the time being to
  disable signed shim support for Debian arm64.

  We hope to re-introduce arm64 Secure Boot support as soon as
  possible in the future.

 -- Steve McIntyre <93sam@debian.org>  Mon, 03 May 2021 18:28:58 +0100
It looks like this change mainly affects arm64 users; since I am an amd64 user, I should not be affected.
However, immediately afterwards apt reported:

下列软件包是自动安装的而且不需要了:
  shim-signed-common mokutil

It seems that the updated shim-signed package dropped its dependency on the shim-signed-common package. I looked at the changelog of the shim-signed package:
shim-signed (1.34) unstable; urgency=medium

  - Build against new signed binaries corresponding to 15.4-2
    Closes: #971129, #987991
  - WARNING: arm64 shim is no longer signed, due to major
    toolchain problems. See NEWS.Debian for more
    information. Separated out the binary package for arm64 to allow
    for a different description, and tweaked the Makefile too.
  - Update build-deps and Standards-Version
  - Tweak Makefile setup - do our verification testing chained from
    the “all” target, not “clean”. Closes: #936002
  - Don’t include apport stuff in the Debian build, it’s not useful.
  - Tweak dh_install* usage for docs.
  - Add Spanish translation for debconf templates, thanks to
    Camaleón. Closes: #987339
  - Multiple bugfixes in postinst and postrm handling:
    - Call grub-install using the correct grub target in postinst
    - Also call grub-install using the correct grub target in the
      postrm, and clean up the shim binary from the ESP
    - In each case, also check and use the correct configured options
      for grub-install
  - Move the postinst grub-install code from the -common package to
    the arch-specific packages, to make sure it’s always called when
    needed.
  - Only run grub-install etc. if we’re actually on an EFI-booted
    system.

 -- Steve McIntyre <93sam@debian.org>  Mon, 03 May 2021 20:13:04 +0100
The change relevant to this issue seems to be:

  Move the postinst grub-install code from the -common package to
  the arch-specific packages, to make sure it’s always called when
  needed.

apt show shim-signed-common reports:
This package provides a minimalist boot loader which allows verifying signatures of other UEFI binaries against either the Secure Boot DB/DBX or against a built-in signature database. Its purpose is to allow a small, infrequently-changing binary to be signed by the UEFI CA, while allowing an OS distributor to revision their main bootloader independently of the CA.
This package contains common helper scripts for all versions of the shim-signed package.
So shim-signed-common is just some helper scripts, and the maintainer now considers that the shim-signed package no longer needs to depend on shim-signed-common; does that mean the package can safely be removed? Or should it be kept for now, in case the maintainer re-establishes the dependency between the two packages in the future? Any suggestions?

Note: I use NVIDIA's proprietary driver, so I have already disabled Secure Boot; the change to shim-signed should not have a major impact on me.
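A check one could run before accepting apt's autoremove suggestion, as an added example that is not part of the original post: it parses apt-cache rdepends --installed output (the samples below are constructed) to see whether any installed package still needs shim-signed-common, and tests whether the machine booted via UEFI. The decision strings, and the choice to keep mokutil on EFI systems, are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether letting apt
# autoremove shim-signed-common (and mokutil) is safe after the shim-signed
# 1.34 update. Assumes a Debian system with apt-cache and /sys/firmware/efi;
# the sample outputs below are constructed, not captured from a real machine.
# Return 0 if an installed package other than $1 itself still depends on $1.
# Reads the output of "apt-cache rdepends --installed <pkg>" on stdin: a
# header line naming the package, a "Reverse Depends:" line, then one
# indented reverse dependency per line (a leading "|" marks an alternative).
still_needed() {
    pkg=$1
    sed -n '3,$p' | sed 's/^[ |]*//' | grep -v "^$pkg\$" | grep -q .
}

# Return 0 if the running system booted via UEFI; only then does shim (and the
# grub-install postinst code that moved out of -common) matter at all.
efi_booted() {
    [ -d "${1:-/sys/firmware/efi}" ]
}

# Combine the checks into one of three recommendations. mokutil is the tool
# behind "mokutil --sb-state" and MOK enrolment, so on an EFI system it is
# worth keeping even if nothing depends on it ("apt-mark manual mokutil").
decide() {
    rdepends_output=$1
    efi_dir=$2
    if printf '%s\n' "$rdepends_output" | still_needed shim-signed-common; then
        echo keep-common
    elif efi_booted "$efi_dir"; then
        echo remove-common-keep-mokutil
    else
        echo remove-both
    fi
}

# Constructed sample: what the poster's system would show after the update,
# where shim-signed no longer depends on shim-signed-common.
SAMPLE_NO_RDEPS='shim-signed-common
Reverse Depends:'
# Constructed sample: an older shim-signed that still depends on -common.
SAMPLE_WITH_RDEP='shim-signed-common
Reverse Depends:
  shim-signed'

# Live run when apt-cache exists; an unknown package counts as no dependants.
if command -v apt-cache >/dev/null 2>&1; then
    live=$(apt-cache rdepends --installed shim-signed-common 2>/dev/null || true)
    echo "shim-signed-common: $(decide "$live" /sys/firmware/efi)"
fi
```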