Package: shim-signed
Version: 1.39+15.7-1

In the August patchday, Microsoft updated the SBAT blacklist for Secure Boot on many machines via Windows Update. This update blacklists outdated shim versions with known vulnerabilities, some of which are actively exploited by malware gangs for attacks. The update was supposed to skip dual-boot machines. However, many ISOs as well as some dual-boot machines are reported to fail to boot after the blacklist update.
https://support.microsoft.com/en-US/topic/august-13-2024-kb5041571-os-build-26100-1457-d218c08d-8de2-4f9a-8fe1-a2c2fd83ca9a

One of my machines (HP EliteBook 850 G3) with up-to-date Debian 12 Bookworm is affected. It does not have a classic dual-boot setup based on Grub. Instead, I select the system at startup in the UEFI's boot menu. I suspect that this is the reason why the update did not skip this machine.

In either case, the root problem appears to be that Debian is relying on an outdated shim version which has known vulnerabilities. It should also be discussed how to improve the update process. Not updating the blacklist on dual-boot machines is a favor, but it is making secure boot less secure for all OEMs, operating systems and their users. So the ultimate goal should be to regularly update the shim binary in case of known vulnerabilities.

Workaround: Disable secure boot. Depending on the measured-boot configuration, this can have side effects such as TPM-based BitLocker/LUKS failing.

Fix: The package shim-signed (shim-signed 1.44~1+deb12u1) from bookworm-proposed-updates solves the issue.

Regards
Stephan
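The report above turns on the SBAT mechanism: the revocation policy Windows Update pushed is a list of component names with a minimum generation, and a shim whose own `.sbat` entry is below that generation is refused by firmware that enforces the policy. The following is an added example, not part of the bug report or of the shim project, that shows how that comparison works: it reads the `.sbat` section out of a PE/COFF binary, parses the CSV, and applies the "binary generation must be at least the policy generation" rule. The embedded SBAT text and policy are constructed sample data; the generation numbers in them are illustrative and are not taken from any real shim build or from the Microsoft update.

```python
"""Check a shim-style .sbat section against an SBAT revocation policy.

Added example (not the shim project's code). The revocation rule implemented
here follows the SBAT design: for every component listed in the binary, if the
policy names the same component with a higher generation, the binary is
rejected. Components the binary does not carry are not checked.
"""
import csv
import struct
import sys
from io import StringIO

# Constructed sample .sbat section of a hypothetical shim build.
# The generations are illustrative only, not taken from a real binary.
SAMPLE_SHIM_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
shim,3,UEFI shim,shim,15.7,https://github.com/rhboot/shim
shim.debian,1,Debian,shim,15.7-1,https://tracker.debian.org/pkg/shim
"""

# Constructed sample revocation policy in the SbatLevel shape:
# a header line, then component_name,required_generation per line.
SAMPLE_POLICY = """\
sbat,1,2024010900
shim,4
grub,3
"""


def parse_sbat(text):
    """Return [(component_name, generation), ...] from SBAT CSV text.

    Only the first two columns matter for revocation; the vendor columns
    are informational and are ignored here.
    """
    entries = []
    for row in csv.reader(StringIO(text)):
        if not row or not row[0].strip():
            continue  # skip blank lines
        name = row[0].strip()
        try:
            generation = int(row[1].strip())
        except (IndexError, ValueError) as exc:
            raise ValueError(f"malformed SBAT row: {row!r}") from exc
        entries.append((name, generation))
    return entries


def check_sbat(binary_sbat, policy):
    """Return a list of violations; an empty list means the binary passes."""
    required = dict(parse_sbat(policy))
    violations = []
    for name, generation in parse_sbat(binary_sbat):
        needed = required.get(name)
        if needed is not None and generation < needed:
            violations.append(f"{name}: generation {generation} < required {needed}")
    return violations


def read_sbat_section(path):
    """Extract the raw .sbat section from a PE/COFF image (e.g. shimx64.efi).

    Walks the COFF section table directly so no PE library is needed.
    """
    with open(path, "rb") as f:
        data = f.read()
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_header_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    section_table = pe_off + 24 + opt_header_size  # 4 sig + 20 COFF header
    for i in range(num_sections):
        off = section_table + i * 40  # each section header is 40 bytes
        name = data[off:off + 8].rstrip(b"\0")
        virt_size, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        if name == b".sbat":
            blob = data[raw_ptr:raw_ptr + min(virt_size, raw_size)]
            return blob.rstrip(b"\0").decode("ascii")
    raise ValueError("no .sbat section found")


if __name__ == "__main__":
    # With a path argument, check a real binary; otherwise use the sample.
    sbat_text = read_sbat_section(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SHIM_SBAT
    for line in check_sbat(sbat_text, SAMPLE_POLICY) or ["no SBAT violations"]:
        print(line)
```

Run without arguments it reports the constructed shim entry as below the constructed policy's required generation. Pointed at an installed shim binary (on Debian the signed image typically lives at `/usr/lib/shim/shimx64.efi.signed`; the path is an assumption about the local install), it prints whether that binary would be refused under the sample policy, which is the question behind the failed boots described in the report. Replace `SAMPLE_POLICY` with the real SbatLevel contents to check against an actual revocation.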