Score:2

Is shim a redundant package that is never used, compared to shim-signed?

I did `sudo apt-get autoremove --purge` to free up some space; however, it also removed the latest shim package that got updated just today.

shim (15.4-0ubuntu7)

also updated today was

shim-signed (15.4-0ubuntu7)

but shim-signed was NOT removed.

If autoremove removes older versions no longer required, however, I believe shim is an essential element of the secure boot process, or is it not? Please help me understand why it got removed.

Ubuntu 20.04 LTS

Score:3

It appears that the files in shim have been moved to shim-signed and that probably makes shim no longer necessary.

The file list from the original shim version shipped with focal (15+1533136590.3beb971-0ubuntu1):

    /usr/lib/shim/BOOTX64.CSV
    /usr/lib/shim/fbx64.efi
    /usr/lib/shim/mmx64.efi
    /usr/lib/shim/shimx64.efi
    /usr/share/doc/shim/changelog.Debian.gz
    /usr/share/doc/shim/copyright

The file list from the current shim version in focal-updates (15.4-0ubuntu7):

    /usr/share/doc/shim/buildinfo_amd64.gz
    /usr/share/doc/shim/changelog.Debian.gz
    /usr/share/doc/shim/copyright

The file list from the original shim-signed version shipped with focal (1.40.3+15+1533136590.3beb971-0ubuntu1):

    /usr/lib/shim/mok/openssl.cnf
    /usr/lib/shim/shimx64.efi.signed
    /usr/sbin/update-secureboot-policy
    /usr/share/apport/package-hooks/source_shim-signed.py
    /usr/share/apport/package-hooks/source_shim.py
    /usr/share/doc/shim-signed/changelog.Debian.gz
    /usr/share/doc/shim-signed/copyright
    /usr/share/lintian/overrides/shim-signed

The file list from the current shim-signed version in focal-updates (1.40.6+15.4-0ubuntu7):

    /usr/lib/shim/BOOTX64.CSV
    /usr/lib/shim/fbx64.efi
    /usr/lib/shim/mmx64.efi
    /usr/lib/shim/mok/openssl.cnf
    /usr/lib/shim/shimx64.efi
    /usr/lib/shim/shimx64.efi.dualsigned
    /usr/lib/shim/shimx64.efi.signed
    /usr/sbin/update-secureboot-policy
    /usr/share/apport/package-hooks/source_shim-signed.py
    /usr/share/apport/package-hooks/source_shim.py
    /usr/share/doc/shim-signed/changelog.Debian.gz
    /usr/share/doc/shim-signed/copyright
    /usr/share/lintian/overrides/shim-signed

It appears these files are now part of shim-signed and that shim no longer provides anything critical:

    /usr/lib/shim/BOOTX64.CSV
    /usr/lib/shim/fbx64.efi
    /usr/lib/shim/mmx64.efi
    /usr/lib/shim/shimx64.efi

The reason for the change appears to be the new upstream 15.4 release and is tracked in Launchpad. In particular, the changelog notes

    - Update packaging to pull fb and mm from shim-signed package as in
      later releases, dropping the runtime dependency on shim.

Shubham Deshmukh:
What I read was that `shim` allowed the source code to be verified so binaries could be fully reproducible. Now that the files have been moved into `shim-signed` itself, can the code still be verifiable?
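
The ownership comparison made in the answer can be repeated on an installed system before removing a package. The following is an added example, not part of the original answer or of Ubuntu's packaging: the function name `shim_files_owned_by` is hypothetical, and the two sample inputs are constructed from the file lists quoted above in the format `dpkg-query -S` prints.

```shell
# Input: output of `dpkg-query -S '/usr/lib/shim/*'`, one "owners: /path" per line,
# where owners is "pkg" or "pkg1, pkg2" and may carry an ":amd64" style qualifier.

# shim_files_owned_by PKG: print each /usr/lib/shim/ path PKG owns.
# Exit 0 if PKG owns none (removing it leaves the boot payload alone), 1 otherwise.
shim_files_owned_by() {
    awk -v pkg="$1" '
        {
            sep = index($0, ": /")        # boundary between owners and path
            if (sep == 0) next            # not an owner/path line
            owners = substr($0, 1, sep - 1)
            path = substr($0, sep + 2)
            if (index(path, "/usr/lib/shim/") != 1) next
            n = split(owners, o, ", ")
            for (i = 1; i <= n; i++) {
                sub(/:[^:]*$/, "", o[i])  # drop the architecture qualifier
                if (o[i] == pkg) { print path; owned = 1 }
            }
        }
        END { exit (owned ? 1 : 0) }'
}

# Constructed samples, built from the file lists quoted in the answer.
sample_original() {  # focal release: shim 15+1533136590.3beb971-0ubuntu1
    cat <<'EOF'
shim: /usr/lib/shim/BOOTX64.CSV
shim: /usr/lib/shim/fbx64.efi
shim: /usr/lib/shim/mmx64.efi
shim: /usr/lib/shim/shimx64.efi
shim-signed: /usr/lib/shim/shimx64.efi.signed
EOF
}
sample_current() {   # focal-updates: shim-signed 1.40.6+15.4-0ubuntu7
    cat <<'EOF'
shim-signed: /usr/lib/shim/BOOTX64.CSV
shim-signed: /usr/lib/shim/fbx64.efi
shim-signed: /usr/lib/shim/mmx64.efi
shim-signed: /usr/lib/shim/shimx64.efi
shim-signed: /usr/lib/shim/shimx64.efi.signed
EOF
}

for s in sample_original sample_current; do
    if files=$("$s" | shim_files_owned_by shim); then
        echo "$s: shim owns nothing under /usr/lib/shim"
    else
        echo "$s: shim owns:"; echo "$files"
    fi
done
```

On a live system, pipe `dpkg-query -S '/usr/lib/shim/*'` into `shim_files_owned_by shim` in place of the sample functions.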