Is shim a redundant package that is never used, compared to shim-signed?

I did sudo apt-get autoremove --purge to free up some space, however it also removed the latest shim package that got updated just today.

shim (15.4-0ubuntu7)

also updated today was

shim-signed (15.4-0ubuntu7)

but shim-signed was NOT removed.

If autoremove removes older versions no longer required, however I believe shim is an essential element for secure boot process, or is it not? Please help me understand why it got removed.

Ubuntu 20.04 LTS


Solution 1:

It appears that the files in shim have been moved to shim-signed and that probably makes shim no longer necessary.

The file list from the original shim version shipped with focal (15+1533136590.3beb971-0ubuntu1)

/usr/lib/shim/BOOTX64.CSV
/usr/lib/shim/fbx64.efi
/usr/lib/shim/mmx64.efi
/usr/lib/shim/shimx64.efi
/usr/share/doc/shim/changelog.Debian.gz
/usr/share/doc/shim/copyright

The file list from the current shim version in focal-updates (15.4-0ubuntu7)

/usr/share/doc/shim/buildinfo_amd64.gz
/usr/share/doc/shim/changelog.Debian.gz
/usr/share/doc/shim/copyright

The file list from the original shim-signed version shipped with focal (1.40.3+15+1533136590.3beb971-0ubuntu1)

/usr/lib/shim/mok/openssl.cnf
/usr/lib/shim/shimx64.efi.signed
/usr/sbin/update-secureboot-policy
/usr/share/apport/package-hooks/source_shim-signed.py
/usr/share/apport/package-hooks/source_shim.py
/usr/share/doc/shim-signed/changelog.Debian.gz
/usr/share/doc/shim-signed/copyright
/usr/share/lintian/overrides/shim-signed

The file list from the current shim-signed version in focal-updates (1.40.6+15.4-0ubuntu7)

/usr/lib/shim/BOOTX64.CSV
/usr/lib/shim/fbx64.efi
/usr/lib/shim/mmx64.efi
/usr/lib/shim/mok/openssl.cnf
/usr/lib/shim/shimx64.efi
/usr/lib/shim/shimx64.efi.dualsigned
/usr/lib/shim/shimx64.efi.signed
/usr/sbin/update-secureboot-policy
/usr/share/apport/package-hooks/source_shim-signed.py
/usr/share/apport/package-hooks/source_shim.py
/usr/share/doc/shim-signed/changelog.Debian.gz
/usr/share/doc/shim-signed/copyright
/usr/share/lintian/overrides/shim-signed

It appears these files are now part of shim-signed and that shim no longer provides anything critical

/usr/lib/shim/BOOTX64.CSV
/usr/lib/shim/fbx64.efi
/usr/lib/shim/mmx64.efi
/usr/lib/shim/shimx64.efi

The reason for the change appears to be the new upstream 15.4 release and is tracked in Launchpad. In particular, the changelog notes

    - Update packaging to pull fb and mm from shim-signed package as in
      later releases, dropping the runtime dependency on shim.