Grub2 menu not loading - could not create MokListXRT: Out of Resources

Status changed to 'Confirmed' because the bug affects multiple users.

Having the same issue with 21.04 with my ubuntu and windows dualboot on my thinkpad x230.
But i am running not at zvs but "standard" ext4. So i doubt that is the issue here.

Thank you for your bug report,

Unfortunately, there is not much we can do here - Your system ran out of EFI variable storage place.

Your best bet is to find large EFI variables in /sys/firmware/efi/efivars that are safe to delete and delete them. A factory reset of the BIOS may also clear up the variable storage, but not sure. I think deleting necessary variables will trigger a factory reset too, as it needs to repopulate them, but I would not try it myself. Also, deleting the variables might just mark them for deletion but not actually trigger garbage collection.

Good luck!

Deleting the largest EFI variables did the trick. I think I will run some cron job in a month interval with a script that will change attributes of the two largest files and delete them eventually.

Thanks, I appreciate your help.

What efivars did you delete because i am unsure what efivars i can delete safely.

My by far largest efivars are:
-rw-r--r-- 1 root root 19308 Apr 20 22:49 MokListXRT-605dab50-e046-4300-abb6-3dd810dd8b23
-rw-r--r-- 1 root root 13504 Apr 20 22:49 dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
-rw-r--r-- 1 root root 5552 Apr 20 22:49 MokListXRT2-605dab50-e046-4300-abb6-3dd810dd8b23
-rw-r--r-- 1 root root 5360 Apr 20 22:49 MokListXRT1-605dab50-e046-4300-abb6-3dd810dd8b23
-rw-r--r-- 1 root root 4213 Apr 20 22:49 db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
-rw-r--r-- 1 root root 2549 Apr 20 22:49 KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
-rw-r--r-- 1 root root 2097 Apr 20 22:49 MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23

In my case I've deleted:

MokListXRT-605dab50-e046-4300-abb6-3dd810dd8b23
dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f

but I should probably delete more.

Deleting dbx is not advisable, it contains the list of revoked certificates and binaries. The Mok* ones should be repopulated by shim during boot, so are probably fine. You want to end up with the same variables being back again after boot, essentially; but trigger garbage collection in UEFI during the reboot.

That said, you should be able to repopulate dbx by running sbkeysync.

Fortunately, I did not notice any failures after deleting the dbx. But I did run sbkeysync just to be sure.

I cant remove those variables in /sys/firmware/efi/efivars on my thinkpad x230. I removed the -i kernel protection on the files but still get "invalid argument".
I even tried different Setup- or User-Modes in Bios for Secureboot. That only shrinked the dbx variable a bit but didnt solve the issue.

I've deleted those files using 'chattr -i' command and then 'rm -rf'.

I think there is something wrong with the whole uefi/grub/mokutil/efivars/kernel setup on 21.04.
I changed the attributes with chattr -i and checked with lsattr. When running "rm -rf ..." i dont get an error but it doesnt delete the file. Without -rf i get the error "invalid Argument". (Running with sudo or in a root shell)

Efivarfs is mounted rw:
root@ThinkPad:/sys/firmware/efi/efivars# mount | grep efi
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)

I booted a 20.04.2 usb and checked the efivars there and that didnt include all the MoklistXRT variables.

I tried to boot with kernel parameter efi_no_storage_paranoia but that didnt help. kernel is right now
Command line: BOOT_IMAGE=/boot/vmlinuz-5.11.0-16-generic root=UUID=cd3606bb-9444-4ef8-bcaa-6e21674ca895 ro quiet splash

I still can boot ubuntu because it "just" doesnt show grub but boots to ubuntu anyway. i also can change to the windows bootloader with choosing that on the boot device selection when pressing F12 at boot.
Nonetheless grub is not working as intended and that should be fixed.

The fix is for Lenovo to issue a firmware update with the new dbx in it's ro storage so it doesn't have to be in the efi vars. Seems unlikely to happen though.

It's possible the variables are read only, which is why you can't delete it.

I'm sorry to say, but these are firmware issues, there's nothing userspace can do.

Also a Lenovo T430 owner receiving the same error message having just updated from 20.10 to 21.04. The file system is ext4 with LVS encryption. I didn't see this message prior to the update to 21.04

Additional to the last - Just noticed, like the OP, I also have windows installed on a separate drive - not sure if this is important or not.

I did a clean install of 21.04 and now, like Achim, I cannot delete the Moklistxrt files in efivars folder. I have no idea why on the previous installation it was possible.
Anyway, the problem still exists.

As said before it worked some weeks ago and still works on a 20.04.5 live usb. So there is something broken in the 21.04 setup of the whole grub/kernel/efi stuff.

I stumbled about the releasenotes from 21.04 now talking about some shim issue. and i found https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1925010 and https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1925064.

I have the error "efi: Failed to lookup EFI memory descriptor for 0x00000000d75f2000" in the logs like which seems to releate here:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1925139

I cannot delete efivars either on Samsung New Series 9. I tried with chattr and rm with no success. Than I tried to delete entries from dbx in EFI setup, and it does not work, too. I have not yet found a way to delete anything to clear up some space.

I looked at the link Achim posted, and this PR https://github.com/rhboot/shim/pull/364 looks to be related: I couldn't find out the version of EFI that my T430 has, but I'm guessing its an early version as its quite old so this might be why I see the moklist memory errors. I also get the "efi: Failed to lookup EFI memory descriptor for..." albeit for a slightly different address.

My T430 has EFI v2.31.
Achim, good research. It looks like these bugs may be related to each other.

No, that's completely unrelated. This here is firmwares not having enough storage space. It's not a bug in shim. Potentially it can be worked around by avoiding the mirroring of MokListX to MokListXRT, since the information is mostly pointless to mirror.

@julian: i understand your point. But i dont understand why it worked some weeks ago and with a 20.04 live usb while there are no changes to the efi or bios.

So from a rational there must be something broken on recent 21.04 state. it may not be grub itself but something in that whole efi setup.

It's quite simply that the list in 21.04 is larger because it needs to contain all our revoked binaries and that's why you run out of space. Due to the pandemic, we were unable to switch signing certificates and had to revoke all binaries via MokListX instead. Once the shard holders can travel again and we can revoke the old key and sign with a new one, we won't need the large MokListX again.

Thanks for clarifying things Julian.

So, we're stuck until COVID releases us again? Is there a painless way to get back to a version of ubuntu that doesn't have this problem? How about going back to plain old un-secure grub?

The changes mentioned around shimx64.efi above fixed this issue for me on Lenovo ThinkPad Intel® Core™ i7-3667U CPU @ 2.00GHz × 4

@Matthew, what changes do you have in mind? The ones in the bug report about macbooks?

So people say they can still navigate blindly on grub menu when this errormessage is displayed since it only blocks the menu beeing displayed, not grub as such.

So i wonder if there is a better way of displaying this error as a workaround.

This bug hit me today (Debian Buster) and I have to say it's pretty egregious. I don't buy the pandemic certificate excuse as Debian development has always been decentralized. If Microsoft or Apple had done this the headlines would be about them bricking PCs or Macs.

This morning I rebooted my Dell server to apply a kernel security patch only for it to display the

Could not create MokListXRT: Out of Resources
Something has gone seriously wrong: import_mok_state() failed: Out of Resources

error message. Except, in my case, the machine simply powered off after the error. Fortunately Dell's BIOSes are pretty robust and I was able to boot in legacy mode and then apply the EFI path fix from https://askubuntu.com/a/1333772/932418. Purely from observation of this and the AskUbuntu thread it seems ThinkPad users are not that lucky.

What steps can be taken to ensure this doesn't happen again?

Judah, your issue is addressed in https://github.com/rhboot/shim/pull/372, and it's somewhat different from this bug - which only causes a delay in boot. We have submitted a new shim with that fix to MS for signing.

This is not a Debian bug tracker, but AFAIUI, they are going to cherry-pick that fix as well.

This bug was fixed in the package shim - 15.4-0ubuntu5

---------------
shim (15.4-0ubuntu5) hirsute; urgency=medium

  * Rebuild in hirsute to get a more stable target to keep shim reproducible
    for a longer time.

shim (15.4-0ubuntu3) impish; urgency=medium

  [ Steve Langasek ]
  * Use -Zxz compression, for compatibility with dpkg in older releases.
    LP: #1925673

  [ Julian Andres Klode ]
  * Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
    is causing systems to run out of EFI storage space, or just hang up
    when trying to write it (LP: #1924605) (LP: #1928434)
  * Further relax the check for variable mirroring on non-secureboot systems
    avoiding boot failures on out of space conditons (pull request #372)

  [ Seth Forshee ]
  * Don't unhook ExitBootServices() when EBS protection is disabled (LP: #1931136)
    (pull request #378)

 -- Julian Andres Klode <email address hidden> Wed, 16 Jun 2021 12:52:45 +0200

Hello Łukasz, or anyone else affected,

Accepted shim into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.4-0ubuntu5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Łukasz, or anyone else affected,

Accepted shim-signed into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.48 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Łukasz, or anyone else affected,

Accepted shim into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.4-0ubuntu5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Łukasz, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hi,

Yes, the package fixed the bug. Grub menu appears on machine startup, I can navigate through the menu and select options. The system boots fine.

Thanks Steve for fixing this bug.

Shim package version:

Package: shim-signed
Version: 1.48+15.4-0ubuntu5
Built-Using: shim (= 15.4-0ubuntu5)
Priority: optional
Protected: yes
Section: utils
Source: shim-signed (1.48)

Let's mark xenial verified too, the binaries are the same.

Hello Łukasz, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Łukasz, or anyone else affected,

Accepted shim into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.4-0ubuntu5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Łukasz, or anyone else affected,

Accepted shim-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.40.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Remarking xenial as done, got overridden by late shim-signed acceptance.

It works now! My setup is Ubuntu 21.04, I was getting these two messages:

Failed to set MokListXRT: Out of resources
Could not create MokListXRT: Out of resources

No grub menu and the system booted fine. After activating hirsute-proposed, which applied your fix now the messages are gone, and the system keeps booting fine.

Still not showing the grub menu, but I must say that I only have one OS installed in my machine.

Thanks a lot to you all, guys, you are great!!!

It worked for me to. I am on Ubuntu 21.04 and got the same messages:

"Failed to set MokListXRT: Out of resources
Could not create MokListXRT: Out of resources"

Updated shim-signed from hirsute-proposed and the system boots with no messages. Thanks for the fix!

The verification of the Stable Release Update for shim has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package shim - 15.4-0ubuntu5

---------------
shim (15.4-0ubuntu5) hirsute; urgency=medium

  * Rebuild in hirsute to get a more stable target to keep shim reproducible
    for a longer time.

shim (15.4-0ubuntu3) impish; urgency=medium

  [ Steve Langasek ]
  * Use -Zxz compression, for compatibility with dpkg in older releases.
    LP: #1925673

  [ Julian Andres Klode ]
  * Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
    is causing systems to run out of EFI storage space, or just hang up
    when trying to write it (LP: #1924605) (LP: #1928434)
  * Further relax the check for variable mirroring on non-secureboot systems
    avoiding boot failures on out of space conditons (pull request #372)

  [ Seth Forshee ]
  * Don't unhook ExitBootServices() when EBS protection is disabled (LP: #1931136)
    (pull request #378)

 -- Julian Andres Klode <email address hidden> Wed, 16 Jun 2021 12:52:45 +0200

Hello Łukasz, or anyone else affected,

Accepted shim-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.40.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Łukasz, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Łukasz, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Łukasz, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

As stated in bug "We do not have tests to verify this", so marking verified.

This bug was fixed in the package shim - 15.4-0ubuntu7

---------------
shim (15.4-0ubuntu7) hirsute; urgency=medium

  * Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
  * Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
  * Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
  * mok: relax the maximum variable size check (LP: #1934780) (PR #369)

 -- Julian Andres Klode <email address hidden> Wed, 07 Jul 2021 10:57:35 +0200

This bug was fixed in the package shim-signed - 1.40.6

---------------
shim-signed (1.40.6) focal; urgency=medium

  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)
  * download-signed: Fetch signed artefacts from versioned URL instead
    of current/ symlink to work around caching (LP: #1936640)

shim-signed (1.40.5) focal; urgency=medium

  * New upstream release 15.4. LP: #1921134
  * Synchronize packaging with 1.48, summary
    - Update packaging to pull fb and mm from shim-signed package as in
      later releases, dropping the runtime dependency on shim.
    - Add download-signed script from linux-signed package
    - Include reworked Makefile from devel to better assert the integrity of
      the executables.
    - Dual-signed shim
    - Set XB-Important: yes and Protected: yes on shim-signed package
      so that it cannot be removed by accident (LP: #1898729)
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditons (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)

 -- Julian Andres Klode <email address hidden> Fri, 16 Jul 2021 13:33:00 +0200

This bug was fixed in the package shim - 15.4-0ubuntu7

---------------
shim (15.4-0ubuntu7) hirsute; urgency=medium

  * Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
  * Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
  * Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
  * mok: relax the maximum variable size check (LP: #1934780) (PR #369)

 -- Julian Andres Klode <email address hidden> Wed, 07 Jul 2021 10:57:35 +0200

This bug was fixed in the package shim-signed - 1.33.1~16.04.10

---------------
shim-signed (1.33.1~16.04.10) xenial; urgency=medium

  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)

shim-signed (1.33.1~16.04.9) xenial; urgency=medium

  * Do not build a dual-signed shim (fixing regression from ~16.04.7), and
    disable verifying fbx64.efi and mmx64.efi certificates as xenial's
    sbverify is unable to (impish works fine)
  * Clean up debhelper log file accidentally imported into git during 16.04.7
    import.

shim-signed (1.33.1~16.04.8) xenial; urgency=medium

  * debian/*.postinst: Unconditionally call grub-install with
    --force-extra-removable, so that the \EFI\BOOT removable path as used in
    cloud images receives the updates. LP: #1930742.
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditons (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)

shim-signed (1.33.1~16.04.7) xenial; urgency=medium

  * New upstream release 15.4. LP: #1921134
  * Update packaging to pull fb and mm from shim-signed package as in
    later releases, dropping the runtime dependency on shim.
  * Add download-signed script from linux-signed package
  * Add a versioned dependency on the mokutil that introduces --timeout, and
    call mokutil --timeout -1 so that users don't end up with broken systems
    by missing MokManager on reboot after install. LP: #1856422.
  * Add versioned dependencies on grub-efi-amd64-signed and grub2-common,
    to ensure we have SBAT-compatible grub.efi and grub 2.04-compatible
    grub-install present when we are installing new shim to the ESP.
  * Include reworked Makefile from devel to better assert the integrity of
    the executables.

 -- Julian Andres Klode <email address hidden> Fri, 16 Jul 2021 13:04:57 +0200

This bug was fixed in the package shim-signed - 1.37~18.04.10

---------------
shim-signed (1.37~18.04.10) bionic; urgency=medium

  * Remove unnecessary efitools dependency that prevented build on arm64

shim-signed (1.37~18.04.9) bionic; urgency=medium

  * New upstream release 15.4. LP: #1921134
  * Synchronize packaging with 1.50, summary
    - Update packaging to pull fb and mm from shim-signed package as in
      later releases, dropping the runtime dependency on shim.
    - Add download-signed script from linux-signed package
    - Include reworked Makefile from devel to better assert the integrity of
      the executables.
    - Dual-signed shim
    - Set XB-Important: yes on shim-signed package so that it cannot be
      removed by accident (LP: #1898729)
    - download-signed: Fetch signed artefacts from versioned URL instead
      of current/ symlink to work around caching (LP: #1936640)
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditons (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)
  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)

 -- Julian Andres Klode <email address hidden> Mon, 19 Jul 2021 17:01:19 +0200