why signed kernels call update-grub?

Bug #1396383 reported by Dimitri John Ledkov
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
linux (Ubuntu) | Won't Fix | Medium | Andy Whitcroft |

Bug Description

Looking at the postrm of linux-signed-image-* it looks very different from linux-image-* ones

$ cat linux-signed-image-3.16.0-20-generic.postrm
#!/bin/sh -e

kernel='vmlinuz-3.16.0-20-generic'

case "$0-$1" in
*.postinst-configure)
 rm -f /boot/$kernel.efi.signed
 cp /boot/$kernel /boot/$kernel.efi.signed
 sbattach --attach /usr/lib/linux/$kernel.efi.signature /boot/$kernel.efi.signed

 if which update-grub >/dev/null 2>&1; then
  update-grub || true
 fi
 ;;
*.postrm-remove)
 rm -f /boot/$kernel.efi.signed

 if which update-grub >/dev/null 2>&1; then
  update-grub || true
 fi
 ;;
esac

Why does it call update-grub direct instead of calling into /etc/kernel like the normal kernel packages do?

In essence on amd64 the amount of calls to update-grub is duplicated on both installation and removal of kernel packages, since -signed version is installed by default. Why can't we just install signed version and make it modify kernel image in-place?

ProblemType: Bug
DistroRelease: Ubuntu 14.10
Package: linux-signed-generic 3.16.0.25.26
ProcVersionSignature: Ubuntu 3.16.0-25.33-generic 3.16.7
Uname: Linux 3.16.0-25-generic x86_64
ApportVersion: 2.14.7-0ubuntu8
Architecture: amd64
Date: Tue Nov 25 23:08:41 2014
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.16.0-25-generic.efi.signed root=UUID=6669d411-80c3-41cc-a629-ad84e1ee6854 ro quiet splash nomdmonddf nomdmonisw crashkernel=384M-:128M nomdmonddf nomdmonisw crashkernel=384M-:128M nomdmonddf nomdmonisw crashkernel=384M-:128M nomdmonddf nomdmonisw crashkernel=384M-:128M nomdmonddf nomdmonisw crashkernel=384M-:128M nomdmonddf nomdmonisw crashkernel=384M-:128M nomdmonddf nomdmonisw crashkernel=384M-:128M nomdmonddf nomdmonisw crashkernel=384M-:128M vt.handoff=7
SourcePackage: linux

Brad Figg (brad-figg) wrote : Status changed to Confirmed

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
Changed in linux (Ubuntu):
importance: Undecided → Medium
tags: added: kernel-da-key
tags: added: kernel-key
Andy Whitcroft (apw) wrote :

We cannot modify the kernel in place because that is a file belonging to another package. We need to re-run grub because it is going to update the filename in the grub configuration. We are avoiding the whole of /etc/kernel/* to avoid rebuilding the initramfs yet again after install. Much of this "doing things over and over" will be resolved when the fixes to use triggers in grub2 and initramfs-tools are in, but those are stuck waiting on a console-setup update.

Changed in linux (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Andy Whitcroft (apw)
milestone: none → ubuntu-15.01
tags: removed: kernel-key
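
Added example (not part of the bug report or of the Ubuntu packaging): the comment above says update-grub is re-run so that the signed image's filename ends up in the grub configuration. The function below cross-checks that result on an installed system; the name `audit_signed_kernels`, the finding labels and the assumption that kernels appear on `linux`/`linuxefi` lines of grub.cfg are illustrative choices made here.

```shell
#!/bin/sh
# Added example: cross-check *.efi.signed kernel images against grub.cfg.
# Both paths are parameters so the check can run against a copy of /boot.
#
# Prints one finding per line:
#   UNREFERENCED <name>  signed image on disk that grub.cfg never boots
#   DANGLING <name>      grub.cfg names a signed image that is not on disk
# Returns 0 when consistent, 1 when there are findings, 2 on unreadable config.
audit_signed_kernels() {
    boot_dir=$1
    grub_cfg=$2
    findings=0

    [ -r "$grub_cfg" ] || { echo "ERROR cannot read $grub_cfg"; return 2; }

    # Basenames of signed kernels on linux/linuxefi lines. Using the basename
    # also covers a separate /boot partition, where paths lack the /boot prefix.
    referenced=$(awk '$1 ~ /^linux(efi)?$/ && $2 ~ /\.efi\.signed$/ {
                          n = split($2, p, "/"); print p[n] }' "$grub_cfg" | sort -u)

    # A signed image left on disk but absent from the menu means update-grub
    # did not run (or failed silently behind "|| true") after installation.
    for img in "$boot_dir"/vmlinuz-*.efi.signed; do
        [ -e "$img" ] || continue          # glob matched nothing
        name=${img##*/}
        if ! printf '%s\n' "$referenced" | grep -qxF -- "$name"; then
            echo "UNREFERENCED $name"
            findings=1
        fi
    done

    # A menu entry pointing at a removed image means update-grub did not run
    # after the postrm deleted the .efi.signed file.
    for name in $referenced; do
        if [ ! -e "$boot_dir/$name" ]; then
            echo "DANGLING $name"
            findings=1
        fi
    done
    return $findings
}

# Typical call on a live system:
#   audit_signed_kernels /boot /boot/grub/grub.cfg
```
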
Andy Whitcroft (apw)
Changed in linux (Ubuntu):
milestone: ubuntu-15.01 → ubuntu-15.02
Andy Whitcroft (apw)
Changed in linux (Ubuntu):
milestone: ubuntu-15.02 → ubuntu-15.03
Andy Whitcroft (apw) wrote :

As we have separate work items to switch to using triggers, this one can be closed out as Won't Fix.

Changed in linux (Ubuntu):
status: In Progress → Won't Fix