Search found 19 matches

by IT-Nerd
2024-09-11 14:50
Forum: Installation
Topic: [Solved] Can't boot Debian 12. Security Policy Violation
Replies: 36
Views: 12490

Re: [Solved] Can't boot Debian 12. Security Policy Violation

I am happy to report that Debian 12.7 has solved the issue. On an affected system perform:

apt update && apt upgrade
Good guy Debian.
by IT-Nerd
2024-08-29 20:11
Forum: Installation
Topic: [Solved] Can't boot Debian 12. Security Policy Violation
Replies: 36
Views: 12490

Re: [Solved] Can't boot Debian 12. Security Policy Violation

Thank you very much, Aki, for the detailed explanation. Is the proposed update coming eventually to Debian 12 Bookworm? Should someone expect a release on the main channel in the near future? There was also a problem with the Nvidia drivers a couple of months ago which took weeks to be applied from proposed to normal updates.
by IT-Nerd
2024-08-29 09:10
Forum: Installation
Topic: [Solved] Can't boot Debian 12. Security Policy Violation
Replies: 36
Views: 12490

Re: Can't boot Debian 12. Security Policy Violation

Reading the BUG report thread, it seems that the update is not yet made available to Debian 12 systems. What we can do for now is to avoid applying the Windows update on affected systems until the APT update with the new Shim is available via an apt upgrade. Am I missing something?
by IT-Nerd
2024-08-27 12:37
Forum: Installation
Topic: [Solved] Can't boot Debian 12. Security Policy Violation
Replies: 36
Views: 12490

Re: Can't boot Debian 12. Security Policy Violation

Aki wrote: 2024-08-26 12:59 Hello,

For anyone with the active problem (Debian cannot boot due to the error in the topic), it might be interesting to collect the output of the following command after disabling secure boot with EFI boot active:

sudo mokutil --list-sbat-revocations
Hello, this is what I get from the command:

sbat,1,2024010900
shim,4
grub,3
grub.debian,4
which is identical to what RenataTa posted.

I managed to boot into Debian by simply disabling Secure Boot.
by IT-Nerd
2024-08-25 19:40
Forum: Installation
Topic: [Solved] Can't boot Debian 12. Security Policy Violation
Replies: 36
Views: 12490

Re: Can't boot Debian 12. Security Policy Violation


sudo mokutil --set-sbat-policy delete


From my understanding after reading the posted articles, if you do this you will just delete the policy that was created by the Microsoft patch in order to fix a GRUB vulnerability. This will effectively restore to the vulnerable state but let your system boot with the Shim bootloader already installed. Secure Boot is a mess, but I think the clear thing for any Linux distribution to do is to create a Shim bootloader update that can be booted on ...
by IT-Nerd
2024-08-25 19:00
Forum: Debian News
Topic: Debian Celebrates 31 years!
Replies: 13
Views: 21757

Re: Debian Celebrates 31 years!

Happy Anniversary Debian. Thank you for decades of desktops, laptops, servers, virtual machines, cloud instances and embedded devices that run smoothly with minimal hassle (OK, secure boot is not in the list). I have been using Debian for work and entertainment for 20+ years and still think it is the gold standard for GNU distributions. Official Documentation needs tidying up though :)
by IT-Nerd
2024-08-25 18:34
Forum: Installation
Topic: [Solved] Can't boot Debian 12. Security Policy Violation
Replies: 36
Views: 12490

Re: Can't boot Debian 12. Security Policy Violation

Hello, I fell into the same problem on a dual boot Windows 11, Debian 12 system. Do we have a clear Debian solution yet?
by IT-Nerd
2024-08-09 14:09
Forum: General Questions
Topic: Encrypted Swap volume with key file asks for passphrase on boot
Replies: 1
Views: 680

Re: Encrypted Swap volume with key file asks for passphrase on boot

I have an update which is quite strange and I think I should completely revise my setup. I have created /etc/initramfs-tools/conf.d/resume with contents RESUME=none which stopped the asking of swap partition LUKS password, but of course lost the resume from disk functionality.

The strange thing is that after installing the task-lxde-desktop package the system is asking for the root filesystem password after unlocking the /boot partition and whatever the input given, it continues with the GRUB ...
by IT-Nerd
2024-08-07 16:12
Forum: General Questions
Topic: Encrypted Swap volume with key file asks for passphrase on boot
Replies: 1
Views: 680

Encrypted Swap volume with key file asks for passphrase on boot

Hello everyone,

I am having a strange issue with a full disk encryption setup of a new Debian 12 (Bookworm) installation. I used debootstrap from the latest Debian Live 12 USB image and followed the Debian guide on full disk encryption.

I use LVM to create a logical volume for hosting the swap partition, which is encrypted with LUKS:


# lsblk --fs /dev/<my disk>
NAME FSTYPE FSVER LABEL UUID FSAVAIL FSUSE% MOUNTPOINT
sde3 LVM2_member LVM2 001 XXXXXX-YYYY-XXXX-YYYY-XXXX-YYYY-XXXXXX
├─debian ...
by IT-Nerd
2024-05-30 10:42
Forum: General Questions
Topic: Debian Bullseye (11): Kernel update upset Nvidia with linux-image-5.10.0-29-amd64 (5.10.216-1)
Replies: 7
Views: 3629

Re: Debian Bullseye (11): Kernel update upset Nvidia with linux-image-5.10.0-29-amd64 (5.10.216-1)

I have also encountered this problem during an apt upgrade and Linux 5.10.0-29. My DKMS nvidia module build log error message:

FATAL: modpost: GPL-incompatible module nvidia.ko uses GPL-only symbol 'rcu_read_unlock_strict'
make[3]: *** [/usr/src/linux-headers-5.10.0-29-common/scripts/Makefile.modpost:123: /var/lib/dkms/nvidia-current/470.223.02/build/Module.symvers] Error 1
make[2]: *** [/usr/src/linux-headers-5.10.0-29-common/Makefile:1783: modules] Error 2

My current workaround is to boot ...
by IT-Nerd
2022-07-24 11:19
Forum: Installation
Topic: Apt upgrade hangs on DKMS sign tool invocation
Replies: 1
Views: 1329

Apt upgrade hangs on DKMS sign tool invocation

Hello everyone. I have successfully used the guides here:

https://wiki.debian.org/SecureBoot
https://wiki.ubuntu.com/UEFI/SecureBoot
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot

in order to create Machine Owner keys and sign during DKMS post installation any kernel modules required, currently the Nvidia driver package modules.
I have been using this process for quite some time, my Kernel Module signing script is:


#!/bin/bash ...
by IT-Nerd
2021-03-08 07:11
Forum: System and Network configuration
Topic: how to install OpenGL / get it to work ?
Replies: 18
Views: 17973

Re: how to install OpenGL / get it to work ?

Hello,

It seems that you have a setup similar to most laptops with a dedicated GPU, where there is an Intel and AMD chip. Have you tried the recommended instructions here? https://wiki.debian.org/AtiHowTo
You need to add contrib non-free into your Apt sources and install the packages firmware-amd-graphics libgl1-mesa-dri libglx-mesa0 mesa-vulkan-drivers xserver-xorg-video-all.

The guide that you followed (https://wiki.debian.org/AMDGPUDriverOnStretchAndBuster2) is not recommended:
Unsupported ...
by IT-Nerd
2021-03-06 09:41
Forum: System and Network configuration
Topic: Zeroconf Multicast DNS with Avahi or systemd-resolved
Replies: 5
Views: 5811

Re: Zeroconf Multicast DNS with Avahi or systemd-resolved

In case anyone needs to shut down Google Chrome/Chromium listening on port UDP 5353, here is the solution:

Create the policy file managed_policy.json in the policies/managed directory (this is different per system; in Linux with Chromium it is in /etc/chromium/policies/managed/). Put these contents in:

{ "EnableMediaRouter": false }
and then open URL chrome://flags/ and disable the option Anonymize local IPs exposed by WebRTC.
by IT-Nerd
2021-03-06 09:25
Forum: System and Network configuration
Topic: Zeroconf Multicast DNS with Avahi or systemd-resolved
Replies: 5
Views: 5811

Re: Zeroconf Multicast DNS with Avahi or systemd-resolved

ls -la /etc/resolv.conf
lrwxrwxrwx 1 root root 32 Feb 6 00:35 /etc/resolv.conf -> /run/systemd/resolve/resolv.conf
That is not the recommended mode of operation, read the man page again. I don't think it will make much difference but it's worth a try.

You are right, a link to /run/systemd/resolve/stub-resolv.conf is required instead. Tried it with the Avahi solution and still there is no .local hostname resolution. Thank you for noticing.

I noticed something new, Avahi complains with this ...
by IT-Nerd
2021-03-05 10:16
Forum: System and Network configuration
Topic: Zeroconf Multicast DNS with Avahi or systemd-resolved
Replies: 5
Views: 5811

Re: Zeroconf Multicast DNS with Avahi or systemd-resolved

Check the systemd journal for clues.

Have you symlinked /etc/resolv.conf to systemd-resolved's stub resolver? The man page recommends that mode of operation.

Yes, that is exactly how it is set up, with the uplink method:

ls -la /etc/resolv.conf
lrwxrwxrwx 1 root root 32 Feb 6 00:35 /etc/resolv.conf -> /run/systemd/resolve/resolv.conf

I will gather the setup and remove private sensitive info and share it. It is very strange that this broadcast technology fails in the simplest LAN possible.
by IT-Nerd
2021-03-03 08:49
Forum: System and Network configuration
Topic: Zeroconf Multicast DNS with Avahi or systemd-resolved
Replies: 5
Views: 5811

Zeroconf Multicast DNS with Avahi or systemd-resolved

Hello everyone,

I am trying to set up Zeroconf in a small LAN where machines of Debian 10, other Linux distributions and Windows 10 are cooperating with zero extra configuration with the following requirements:

- Hostname resolution with Multicast DNS (hostname.local should work)
- CUPS printing should be able to share printers and LAN machines being able to discover it via CUPS or Samba share
- In case of Avahi, advertised services should be browsable

I have done it in the past and it was a ...
by IT-Nerd
2020-03-22 22:55
Forum: General Questions
Topic: Secure Boot entry wiped by BIOS update
Replies: 6
Views: 2405

Re: Secure Boot entry wiped by BIOS update

Worked like a charm. Thank you everybody.
by IT-Nerd
2020-03-22 19:26
Forum: General Questions
Topic: Secure Boot entry wiped by BIOS update
Replies: 6
Views: 2405

Re: Secure Boot entry wiped by BIOS update

Thank you very much for all your answers. I will try and report back. This seems like the proper solution:

efibootmgr --create --label 'Debian' --disk /dev/sdX --part Y --loader /EFI/Debian/shimx64.efi
by IT-Nerd
2020-03-22 18:44
Forum: General Questions
Topic: Secure Boot entry wiped by BIOS update
Replies: 6
Views: 2405

Secure Boot entry wiped by BIOS update

Hi all,

Today I have updated my Lenovo Ideapad 330 - 81FL laptop with the latest 7ZCN34WW BIOS and it wiped the Debian Secure Boot entry I have installed. I performed a manual installation using these information sites and a Debian 10 live CD:

https://debamax.com/blog/2019/04/19/an-overview-of-secure-boot-in-debian/
https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

After installing the system with debootstrap, I installed GRUB with this:


echo "GRUB_ENABLE_CRYPTODISK ...