package shim-signed 1.34.9+13-0ubuntu2 failed to install/upgrade: installed shim-signed package post-installation script subprocess returned error exit status 30

Bug #1767091 reported by Bruno Richer
This bug affects 11 people
Affects               Status        Importance  Assigned to  Milestone
shim-signed (Ubuntu)  Fix Released  High        Unassigned
Bionic                Fix Released  Undecided   Unassigned

Bug Description

[Impact]
Users of SecureBoot with DKMS modules can trigger a maintainer script crash by using the buttons presented in the debconf UI, leaving the package in an unconfigured state.

[Test case]
1) Delete /var/lib/shim-signed/mok/MOK.* if it exists.
2) Run 'sudo update-secureboot-policy --new-key'
3) Run 'sudo update-secureboot-policy --enroll-key'
4) When prompted to "enable Secure Boot", hit the Back button.

With no patch applied, the dialog will fall into an invalid state and error out, with the characteristic "return code 30" error as seen in the bug report.

With the patch applied, no Back button will be present -- the user should not be allowed to back up out of the enrolment dialog except by making the conscious decision to enable SecureBoot / enroll a MOK or continue with no changes, as are the two options presented.

[Regression Potential]
Issues to watch out for are any related to password handling (failure to get the password and continue out of the debconf prompts without error), failure to enroll keys, or being unable to use dkms modules after reboot and successful enrolment of the key. Any erroring out of the debconf prompts at install should be investigated as possible regressions from this SRU.

---

during partial update from 17.10 to 18.04

ProblemType: Package
DistroRelease: Ubuntu 18.04
Package: shim-signed 1.34.9+13-0ubuntu2
ProcVersionSignature: Ubuntu 4.13.0-38.43-generic 4.13.16
Uname: Linux 4.13.0-38-generic x86_64
.proc.sys.kernel.moksbstate_disabled: Error: [Errno 2] Aucun fichier ou dossier de ce type: '/proc/sys/kernel/moksbstate_disabled'
ApportVersion: 2.20.9-0ubuntu7
Architecture: amd64
Date: Thu Apr 26 11:31:05 2018
DistributionChannelDescriptor:
 # This is a distribution channel descriptor
 # For more information see http://wiki.ubuntu.com/DistributionChannelDescriptor
 canonical-oem-somerville-xenial-amd64-20160624-2
ErrorMessage: installed shim-signed package post-installation script subprocess returned error exit status 30
InstallationDate: Installed on 2018-03-26 (30 days ago)
InstallationMedia: Ubuntu 16.04 "Xenial" - Build amd64 LIVE Binary 20160624-10:47
MokSBStateRT: 6 0 0 0 1
Python3Details: /usr/bin/python3.6, Python 3.6.5, python3-minimal, 3.6.5-3
PythonDetails: /usr/bin/python2.7, Python 2.7.15rc1, python-minimal, 2.7.15~rc1-1
RelatedPackageVersions:
 dpkg 1.19.0.5ubuntu2
 apt 1.6.1
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
Title: package shim-signed 1.34.9+13-0ubuntu2 failed to install/upgrade: installed shim-signed package post-installation script subprocess returned error exit status 30
UpgradeStatus: No upgrade log present (probably fresh install)

Bruno Richer (brunoricher) wrote :
tags: removed: need-duplicate-check
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in shim-signed (Ubuntu):
status: New → Confirmed
Steve Langasek (vorlon) wrote :

Thank you for reporting this issue.

The shim-signed package, on upgrade, needs to prompt you in order to make changes to the MokManager configuration in your firmware. These prompts are done over debconf. 'exit status 30' is an indicator that something has failed in the debconf.

Looking at the code, it appears there is a bug in the handling of the 'back' button on the "enable secureboot" prompt that would cause this error.

We will look into fixing this code. In the meantime, if you were shown this prompt it means you will need to complete the reconfiguration of your firmware; I recommend that you run 'sudo dpkg --configure -a' to complete this process.

Changed in shim-signed (Ubuntu):
status: Confirmed → Triaged
Steve Langasek (vorlon)
Changed in shim-signed (Ubuntu):
importance: Undecided → High
tags: added: id-5af997fc3ad8c3a41ba1538e
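
An added example, not code from shim-signed or from this report: a small model of how a debconf status of 30 from db_go ends a maintainer script with exit status 30 when a Back button is offered and the result is not tested, next to the same flow with backtracking withheld at the main question and handled in the password step. The db_* functions are constructed stand-ins for the debconf confmodule, the template names are hypothetical, and running the script under "sh -e" is an assumption.

```shell
#!/bin/sh
# Model of a debconf-driven maintainer script (added example).
# db_capb/db_input/db_go are constructed stand-ins for the functions in
# /usr/share/debconf/confmodule; template names are hypothetical.
# $1 = capabilities negotiated for the main question, $2 = button presses.
model_postinst() {
    MAIN_CAPB="$1" PRESSES="$2" sh -e <<'EOF'
CAPB=""
db_capb()  { CAPB="$*"; }
db_input() { :; }
db_go() {
    press=${PRESSES%% *}                 # pop the next scripted press
    case $PRESSES in *" "*) PRESSES=${PRESSES#* } ;; *) PRESSES="" ;; esac
    # In this model, 30 is returned only if the script offered backing up.
    case "$press/$CAPB" in back/*backup*) return 30 ;; esac
    return 0
}

db_capb $MAIN_CAPB
db_input critical example/enable_secureboot
db_go                  # unchecked: under "sh -e" a 30 here ends the script

db_capb backup         # backing up is fine where the script handles it
while :; do
    db_input critical example/mok_password
    if db_go; then break; fi   # 30 is tested, so -e does not fire; re-ask
done
echo configured
EOF
}
```

model_postinst backup "back" exits with status 30 and prints nothing, which dpkg would report as the post-installation script failing; model_postinst "" "ok back ok" prints "configured" and exits 0.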
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.35

---------------
shim-signed (1.35) cosmic; urgency=medium

  * update-secureboot-policy: fix quoting for key/again password handling to
    mokutil. (LP: #1770579)
  * update-secureboot-policy: don't allow backtracking at the "main" question
    for whether to enroll a new MOK. (LP: #1767091)

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 31 May 2018 17:46:46 -0400

Changed in shim-signed (Ubuntu):
status: Triaged → Fix Released
description: updated
Steve Langasek (vorlon)
description: updated
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Bruno, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.34.9.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification-done on bionic with shim-signed/1.34.9.1:

I checked that you can no longer backtrack in the GNOME debconf frontend from the "enable secure boot" question to cause the dialog to fail. Backtracking is no longer accepted, only allowed as part of the password handling steps.

tags: added: verification-done-bionic
removed: verification-needed verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.34.9.1

---------------
shim-signed (1.34.9.1) bionic; urgency=medium

  * update-secureboot-policy: fix quoting for key/again password handling to
    mokutil. (LP: #1770579)
  * update-secureboot-policy: don't allow backtracking at the "main" question
    for whether to enroll a new MOK. (LP: #1767091)

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 11 Jun 2018 15:23:28 -0400

Changed in shim-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for shim-signed has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Steve Langasek (vorlon) wrote :

This SRU has been rolled back due to functional regressions that have been reported when chainloading from shim 15 to shim 13 in MAAS. Investigation is ongoing.

Changed in shim-signed (Ubuntu Bionic):
status: Fix Released → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.37~18.04.2

---------------
shim-signed (1.37~18.04.2) bionic; urgency=medium

  * debian/control: add Breaks: grub-efi-amd64-signed (<< 1.93.7), as the new
    version of shim exercises a bug in relocation code for chainload that was
    fixed in that upload of grub, affecting Windows 7, Windows 10, and some
    netboot scenarios where chainloading is required. (LP: #1792575)

shim-signed (1.37~18.04.1) bionic; urgency=medium

  * Backport shim-signed 1.37 to Ubuntu 18.04. (LP: #1790724)

shim-signed (1.37) cosmic; urgency=medium

  * Update to the signed 15+1533136590.3beb971-0ubuntu1 binary from Microsoft.
  * debian/real-po: replace debian/po to make sure things are translatable
    via Launchpad.

 -- Mathieu Trudel-Lapierre <email address hidden> Fri, 28 Sep 2018 11:02:56 -0400

Changed in shim-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released