Ubuntu
shim-signed package

update-secureboot-policy doesn't actually know the difference between added and removed modules when diffing (package shim-signed 1.37~18.04.2+15+1533136590.3beb971-0ubuntu1 failed to install/upgrade: installed shim-signed package post-installation script subprocess returned error exit status 1)

Bug #1800274 reported by Javier Principe
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
shim-signed (Ubuntu)
Triaged
Medium
Unassigned

Bug Description

The gnome session crashed while installing updates leading to the login screen. The bug report automatically started when logged in again.

ProblemType: Package
DistroRelease: Ubuntu 18.04
Package: shim-signed 1.37~18.04.2+15+1533136590.3beb971-0ubuntu1
ProcVersionSignature: Ubuntu 4.15.0-36.39-generic 4.15.18
Uname: Linux 4.15.0-36-generic x86_64
NonfreeKernelModules: vtsspp sep5 socperf3 pax
.proc.sys.kernel.moksbstate_disabled: Error: [Errno 2] No such file or directory: '/proc/sys/kernel/moksbstate_disabled'
ApportVersion: 2.20.9-0ubuntu7.4
Architecture: amd64
Date: Sat Oct 27 11:38:35 2018
DistributionChannelDescriptor:
 # This is a distribution channel descriptor
 # For more information see http://wiki.ubuntu.com/DistributionChannelDescriptor
 canonical-oem-somerville-xenial-amd64-20160624-2
EFITables:
 oct 27 11:22:42 argo kernel: efi: EFI v2.40 by American Megatrends
 oct 27 11:22:42 argo kernel: efi: ACPI=0x3f0c3000 ACPI 2.0=0x3f0c3000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x3fdd9018 MEMATTR=0x3c2c8018
 oct 27 11:22:42 argo kernel: secureboot: Secure boot disabled
 oct 27 11:22:42 argo kernel: esrt: Reserving ESRT space from 0x000000003fdd9018 to 0x000000003fdd9050.
ErrorMessage: installed shim-signed package post-installation script subprocess returned error exit status 1
InstallationDate: Installed on 2018-07-13 (105 days ago)
InstallationMedia: Ubuntu 16.04 "Xenial" - Build amd64 LIVE Binary 20160624-10:47
Python3Details: /usr/bin/python3.6, Python 3.6.6, python3-minimal, 3.6.5-3ubuntu1
PythonDetails: /usr/bin/python2.7, Python 2.7.15rc1, python-minimal, 2.7.15~rc1-1
RelatedPackageVersions:
 dpkg 1.19.0.5ubuntu2
 apt 1.6.6
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
Title: package shim-signed 1.37~18.04.2+15+1533136590.3beb971-0ubuntu1 failed to install/upgrade: installed shim-signed package post-installation script subprocess returned error exit status 1
UpgradeStatus: Upgraded to bionic on 2018-08-25 (62 days ago)

Revision history for this message
Javier Principe (principejavierubuntu) wrote :
Apport retracing service (apport)
tags: removed: need-duplicate-check
Revision history for this message
Steve Langasek (vorlon) wrote :

The error in your log is:

Setting up linux-headers-4.15.0-38-generic (4.15.0-38.41) ...
/etc/kernel/header_postinst.d/dkms:
debconf: unable to initialize frontend: Passthrough
debconf: (Cannot connect to /tmp/aptdaemon-0_mjm70h/debconf.socket: Connection refused at (eval 17) line 3.)
debconf: falling back to frontend: Noninteractive
debconf: unable to initialize frontend: Passthrough
debconf: (Cannot connect to /tmp/aptdaemon-0_mjm70h/debconf.socket: Connection refused at (eval 17) line 3.)
debconf: falling back to frontend: Noninteractive
Running in non-interactive mode, doing nothing.
--- /var/lib/shim-signed/dkms-list 2018-10-27 11:38:13.686363404 +0200
+++ /var/lib/shim-signed/dkms-list.new 2018-10-27 11:38:13.686363404 +0200
@@ -1,5 +1,2 @@
 /var/lib/dkms
-/var/lib/dkms/i915-4.8-4.4
-/var/lib/dkms/nvme-apst
-/var/lib/dkms/oem-wifi-qualcomm-ath10k-lp1734600-4.4
 /var/lib/dkms/virtualbox

It appears you have dkms modules installed and it was determined that you needed to be prompted to register a MOK in your firmware, but because the gnome session crashed, taking the upgrader frontend with it, you could not be prompted, leading to this error.

This does look like a bug in shim-signed, though. The intent of this code is that we should only error out if there are *added* dkms modules and we don't have a MOK. In this case, there are only *removed* modules. So it should not be considered an error, but the code doesn't actually distinguish between additions and removals.

To work around this failure, you should run 'sudo dpkg --configure -a' from a terminal to follow the prompts and fully enroll a MOK.

Changed in shim-signed (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
summary: - package shim-signed 1.37~18.04.2+15+1533136590.3beb971-0ubuntu1 failed
- to install/upgrade: installed shim-signed package post-installation
- script subprocess returned error exit status 1
+ update-secureboot-policy doesn't actually know the difference between
+ added and removed modules when diffing (package shim-signed
+ 1.37~18.04.2+15+1533136590.3beb971-0ubuntu1 failed to install/upgrade:
+ installed shim-signed package post-installation script subprocess
+ returned error exit status 1)
Revision history for this message
Balint Reczey (rbalint) wrote :

Thanks for the bug report. The next version of shim-signed contains the fix and it is tracked under LP: #1726803.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.