shim can end up being removed

I've marked apt as affected because it ships /etc/apt/apt.conf.d/01autoremove but I suppose each of the affected packages could also supply their own snippets.

In order to understand the priority: did this happen with or without -proposed enabled on the system? Do you have apt logs from the actual removal?

And when you say "autoremoval", did this actually happen as part of an apt autoremove operation?

Cheers Steve. Nope, -proposed is not enabled.

Yes, it happened - it was the result of an explicit autoremove on my part though after I had dist-upgraded to current focal-updates. I should have noticed that this was happening and stopped it, granted. :)

Attached is the snippet of apt's term.log corresponding to the autoremove run. It crapped out at the end as usual because I have a tiny /boot; not included but mentioning because it might mean the log is truncated a bit.

Now, this system has been through several Ubuntu development cycles. It's likely to be unclean. So I don't mind if the priority is low but making use of this feature of apt feels sensible to me, although admittedly there's a question about where we would stop if we started to do it.

Ok. If this was initially installed using a currently-supported release, it might be good to look back at the logs and at the code in that version of the installer, to see if there's something we should fix wrt the shim-signed package being marked as auto-installed instead of manual.

(But a system installed here using 19.10 doesn't have shim-signed marked as auto-installed, so I guess any bug in that regard may be rather old.)

We could mark bootloader packages as Protected: yes (Important: yes before groovy). That would not only prevent autoremoval, it would also add another step to manual removal as it triggers the same removal prompts as essential packages.

Arguably top-level kernel packages, oem metapackages should have those set too.

APT still needs to offer a better experience for removing protected packages with an extra --allow-remove-protected flag instead of (re)using --allow-remove-essential, but it's still a useful feature.

That does sound useful and worth scheduling I think. I didn't know about that until now!

I'll try to find some time soon to go back to the release I installed from and take a look there, per Steve's suggestion.

On Wed, Oct 07, 2020 at 10:10:57AM -0000, Julian Andres Klode wrote:
> We could mark bootloader packages as Protected: yes (Important: yes
> before groovy). That would not only prevent autoremoval, it would also
> add another step to manual removal as it triggers the same removal
> prompts as essential packages.

> Arguably top-level kernel packages, oem metapackages should have those
> set too.

I'm not sure it's a good idea to use this for kernel packages since it makes
it more difficult to change kernel flavors. It would definitely have
knock-on effects on various image build infrastructure.

But setting this for shim-signed and grub-pc sounds like a good idea to me.

Status changed to 'Confirmed' because the bug affects multiple users.

This bug was fixed in the package shim-signed - 1.44

---------------
shim-signed (1.44) groovy; urgency=medium

  * Set XB-Important: yes and Protected: yes on shim-signed package
    so that it cannot be removed by accident (LP: #1898729)

 -- Julian Andres Klode <email address hidden> Tue, 20 Oct 2020 12:05:37 +0200

sorry, I overlooked that this had been marked for 0-day SRU and improperly unblocked it for groovy migration. I've now rolled it back.

This bug was fixed in the package shim-signed - 1.45

---------------
shim-signed (1.45) groovy; urgency=medium

  * Merge back changes from focal that got lost in the shim revert, as
    groovy carried on from the reverted 1.41 upload and did not merge
    back 1.40.{1,2,3}:
    - Depend on the correct version of grub-signed (LP: #1871895)
    - Install grub to multiple ESPs (LP: #1871821)
    - Pass --timeout -1 to mokutil in a separate mokutil run (LP: #1869187),
      thanks to Aleksander Miera for the patch.

 -- Julian Andres Klode <email address hidden> Wed, 21 Oct 2020 11:02:12 +0200

Hello Iain, or anyone else affected,

Accepted shim-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.40.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Iain, or anyone else affected,

Accepted shim-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.40.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Iain, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Iain, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

bionic is good, as soon as I add the bionic-proposed sources.list entry (containing 1.37~18.04.10), the package is treated as essential.

# apt autoremove
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
  efibootmgr grub-common grub-efi-amd64 grub-efi-amd64-bin grub-efi-amd64-signed grub2-common libefiboot1 libefivar1 libfreetype6 mokutil os-prober sbsigntool secureboot-db shim shim-signed
0 upgraded, 0 newly installed, 15 to remove and 0 not upgraded.
After this operation, 33.2 MB disk space will be freed.
Do you want to continue? [Y/n] ^C
# sudo vim /etc/apt/sources.list
# apt update
[...]
# apt autoremove
[...]
0 upgraded, 0 newly installed, 0 to remove and 29 not upgraded.
# apt remove shim-signed
[...]
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
  shim-signed
0 upgraded, 0 newly installed, 1 to remove and 28 not upgraded.
After this operation, 1397 kB disk space will be freed.
You are about to do something potentially harmful.
To continue type in the phrase 'Yes, do as I say!'

Verification looks the same for focal (1.40.6+15.4-0ubuntu7)

This bug was fixed in the package shim-signed - 1.40.6

---------------
shim-signed (1.40.6) focal; urgency=medium

  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)
  * download-signed: Fetch signed artefacts from versioned URL instead
    of current/ symlink to work around caching (LP: #1936640)

shim-signed (1.40.5) focal; urgency=medium

  * New upstream release 15.4. LP: #1921134
  * Synchronize packaging with 1.48, summary
    - Update packaging to pull fb and mm from shim-signed package as in
      later releases, dropping the runtime dependency on shim.
    - Add download-signed script from linux-signed package
    - Include reworked Makefile from devel to better assert the integrity of
      the executables.
    - Dual-signed shim
    - Set XB-Important: yes and Protected: yes on shim-signed package
      so that it cannot be removed by accident (LP: #1898729)
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditons (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)

 -- Julian Andres Klode <email address hidden> Fri, 16 Jul 2021 13:33:00 +0200

The verification of the Stable Release Update for shim-signed has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Slightly alarmingly today, the push out of this fix resulted in shim being marked to be autoremoved.

Start-Date: 2021-08-03 09:32:20
Commandline: apt dist-upgrade
Requested-By: uccaoke (1000)
Upgrade: shim-signed:amd64 (1.40.4+15+1552672080.a4a1fbe-0ubuntu2, 1.40.6+15.4-0ubuntu7), shim:amd64 (15+1552672080.a4a1fbe-0ubuntu2, 15.4-0ubuntu7)
End-Date: 2021-08-03 09:32:23

Start-Date: 2021-08-03 09:32:37
Commandline: apt autoremove
Requested-By: uccaoke (1000)
Remove: shim:amd64 (15.4-0ubuntu7)
End-Date: 2021-08-03 09:32:37

I'm not sure if this would result in a non-booting system so I manually reinstalled shim to make sure but you might want to check.

(as per comment 23 I've opened this as bug #1938774)

This bug was fixed in the package shim-signed - 1.37~18.04.10

---------------
shim-signed (1.37~18.04.10) bionic; urgency=medium

  * Remove unnecessary efitools dependency that prevented build on arm64

shim-signed (1.37~18.04.9) bionic; urgency=medium

  * New upstream release 15.4. LP: #1921134
  * Synchronize packaging with 1.50, summary
    - Update packaging to pull fb and mm from shim-signed package as in
      later releases, dropping the runtime dependency on shim.
    - Add download-signed script from linux-signed package
    - Include reworked Makefile from devel to better assert the integrity of
      the executables.
    - Dual-signed shim
    - Set XB-Important: yes on shim-signed package so that it cannot be
      removed by accident (LP: #1898729)
    - download-signed: Fetch signed artefacts from versioned URL instead
      of current/ symlink to work around caching (LP: #1936640)
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditons (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)
  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)

 -- Julian Andres Klode <email address hidden> Mon, 19 Jul 2021 17:01:19 +0200