Debian Bug report logs - #1064102
shim-signed: Shim needs to be updated to latest version for Microsoft Surface devices

Package: shim-signed; Maintainer for shim-signed is Debian EFI Team <[email protected]>; Source for shim-signed is src:shim-signed.

Reported by: Valerio Passini <[email protected]>

Date: Sat, 17 Feb 2024 10:21:02 UTC

Severity: normal

Tags: upstream

Found in version shim-signed/1.40


Report forwarded to [email protected], Debian EFI Team <[email protected]>:
Bug#1064102; Package shim-signed. (Sat, 17 Feb 2024 10:21:04 GMT)


Acknowledgement sent to Valerio Passini <[email protected]>:
New Bug report received and forwarded. Copy sent to Debian EFI Team <[email protected]>. (Sat, 17 Feb 2024 10:21:04 GMT)


Message #5 received at [email protected]:

From: Valerio Passini <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: shim-signed: Shim needs to be updated to latest version for Microsoft Surface devices
Date: Sat, 17 Feb 2024 11:17:35 +0100
Package: shim-signed
Version: 1.40+15.7-1
Severity: normal
Tags: upstream

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

I tried to install Debian on a Surface Pro 9, but it doesn't boot even with a
disabled SecureBoot (secured core must be disabled in any case).
In order to have a bootable Linux you need to hack into /efi/boot/debian and
overwrite mmx64.efi with grubx64.efi or even try more exotic actions.
Here you can find a more detailed explanation on this bug and possible working
solutions:
https://github.com/linux-surface/linux-surface/issues/1274

[...]The good news is: This issue is fixed on the shim main branch, so once the
distributions update their shim, this issue should disappear. The bad news is,
that it is not possible for us to fix this, since we can't get a signed shim /
MokManager from Microsoft.

For now there are three possible solutions:

  - Disable secureboot and don't enroll any certificates. This is certainly the
    easiest.
  - There is a Linux Mint installation image (21.2) that contains a working
    MokManager. When you are trapped in the bugged state, you can use this to
    finish the enrollment process. After the certificate is enrolled, you should
    be able to boot normally.
  - Downgrading the firmware.
[...]



*** End of the template - remove these template lines ***


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.7.2-surface-1 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shim-signed depends on:
ii  grub-efi-amd64-bin         2.12-1
ii  grub2-common               2.12-1
ii  shim-helpers-amd64-signed  1+15.7+1
ii  shim-signed-common         1.40+15.7-1

shim-signed recommends no packages.

shim-signed suggests no packages.

-- no debconf information

Information forwarded to [email protected], Debian EFI Team <[email protected]>:
Bug#1064102; Package shim-signed. (Wed, 26 Jun 2024 20:06:03 GMT)


Acknowledgement sent to Steve McIntyre <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian EFI Team <[email protected]>. (Wed, 26 Jun 2024 20:06:03 GMT)


Message #10 received at [email protected]:

From: Steve McIntyre <[email protected]>
To: Valerio Passini <[email protected]>, [email protected]
Subject: Re: Bug#1064102: shim-signed: Shim needs to be updated to latest version for Microsoft Surface devices
Date: Wed, 26 Jun 2024 21:01:31 +0100
Hi!

On Sat, Feb 17, 2024 at 11:17:35AM +0100, Valerio Passini wrote:
>Package: shim-signed
>Version: 1.40+15.7-1
>Severity: normal
>Tags: upstream
>
>Dear Maintainer,
>
>*** Reporter, please consider answering these questions, where appropriate ***
>
>I tried to install Debian on a Surface Pro 9, but it doesn't boot even with a
>disabled SecureBoot (secured core must be disabled in any case).
>In order to have a bootable Linux you need to hack into /efi/boot/debian and
>overwrite mmx64.efi with grubx64.efi or even try more exotic actions.
>Here you can find a more detailed explanation on this bug and possible working
>solutions:
>https://github.com/linux-surface/linux-surface/issues/1274
>
>[...]The good news is: This issue is fixed on the shim main branch, so once the
>distributions update their shim, this issue should disappear. The bad news is,
>that it is not possible for us to fix this, since we can't get a signed shim /
>MokManager from Microsoft.

We're not quite ready (yet) to have an NX-capable boot chain. There's
a bit more work needed in GRUB yet. Hopefully soon.

-- 
Steve McIntyre, Cambridge, UK.                                [email protected]
"Since phone messaging became popular, the young generation has lost the
 ability to read or write anything that is longer than one hundred and sixty
 characters."  -- Ignatios Souvatzis
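
The reply above mentions an NX-capable boot chain. As an added example (not part of the bug log and not Debian's or shim's own tooling), this Python sketch reads the PE/COFF header fields that describe NX compatibility of an EFI binary: the NX_COMPAT bit in DllCharacteristics, the section alignment, and any section that is both writable and executable. That these are the fields the Surface firmware checks is an assumption; `nx_report` and `make_sample` are hypothetical names, and the sample images are constructed header-only data.

```python
import struct
import sys

NX_COMPAT = 0x0100                       # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SCN_EXEC, SCN_WRITE = 0x20000000, 0x80000000

def nx_report(image: bytes) -> dict:
    """Read the NX-related header fields of a PE/COFF (EFI) image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe,) = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", image, pe + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe + 20)
    opt = pe + 24                                        # optional header start
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # SectionAlignment (+32) and DllCharacteristics (+70) sit at the same
    # offsets in PE32 and PE32+.
    (align,) = struct.unpack_from("<I", image, opt + 32)
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    wx = []
    for i in range(n_sections):
        hdr = opt + opt_size + 40 * i                    # 40-byte section header
        (flags,) = struct.unpack_from("<I", image, hdr + 36)
        if flags & SCN_EXEC and flags & SCN_WRITE:
            wx.append(image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {"nx_compat": bool(dll_chars & NX_COMPAT),
            "section_alignment": align, "wx_sections": wx}

def make_sample(dll_chars: int, text_flags: int) -> bytes:
    """Constructed header-only PE32+ image with one .text section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 112, 0x22)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 32, 0x1000)
    struct.pack_into("<H", opt, 70, dll_chars)
    section = b".text\0\0\0" + b"\0" * 28 + struct.pack("<I", text_flags)
    return dos + coff + bytes(opt) + section

if __name__ == "__main__":
    # Pass the paths of the EFI binaries to inspect; none are assumed here.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, nx_report(fh.read()))
```

Run it with the paths of the shim, MokManager and GRUB binaries from the EFI System Partition to compare what each one declares.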





Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 15:39:45 2025; Machine Name: buxtehude
