After update, xorg will not boot

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1603655

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

apport information

> From a terminal window please run:
> apport-collect 1603655
> and then change the status of the bug to 'Confirmed'.

...okay? As I said, I apt-get removed linux-image-3.13.0-92-generic:amd64, so the system information *now* will show that it's not installed. The information just posted is the state of the system when it's *working*. Is that what you wanted? Or did you want me to reinstall linux-image-3.13.0-92-generic:amd64?

If you *do* want me to reinstall linux-image-3.13.0-92-generic:amd64, can you tell me exactly how to do it? The Software Updater is showing me the available updates right now, and the new linux-image is not on the list, probably because the Software Updater noticed that I manually uninstalled it and is assuming that I don't want anything I manually uninstalled...which is actually pretty smart, that's kind of cool. But it means that I don't know how to reproduce the installation process. Should I apt-get dist-upgrade?

Given that your apport output is from the previous kernel, this line is very suggestive:

[ 18.073838] fglrx: module verification failed: signature and/or required key missing - tainting kernel

The 3.13.0-92 kernel is the first one in this series which implements Ubuntu's updated SecureBoot policy, which requires specific action by the machine administrator in order to allow unsigned modules.

You should have been prompted for this on upgrade. Do you remember seeing such a prompt?

Can you please attach the output of the following command:
$ debconf-show shim-signed

To successfully upgrade to the new kernel, you will want to:

 - run 'sudo update-secureboot-policy', and choose to disable SecureBoot
 - run 'sudo apt-get install linux-signed-image-generic'
 - reboot to the UEFI prompts, in order to confirm the SecureBoot policy change.

> The 3.13.0-92 kernel is the first one in this series which implements Ubuntu's updated SecureBoot policy, which requires specific action by the machine administrator in order to allow unsigned modules.
> You should have been prompted for this on upgrade. Do you remember seeing such a prompt?
No, I just clicked Install Updates in the Software Updater as normal.

$ debconf-show shim-signed
debconf: DbDriver "passwords" warning: could not open /var/cache/debconf/passwords.dat: Permission denied
  shim/secureboot_key:
  shim/secureboot_key_again:
  shim/title/secureboot:
  shim/error/secureboot_key_mismatch:
* shim/disable_secureboot:
  shim/error/bad_secureboot_key:
  shim/enable_secureboot: false
$ sudo debconf-show shim-signed
  shim/error/secureboot_key_mismatch:
  shim/secureboot_key:
  shim/secureboot_key_again:
  shim/error/bad_secureboot_key:
  shim/title/secureboot:
  shim/enable_secureboot: false
* shim/disable_secureboot:

fglrx is the driver for my monitor, so I think that would explain the observed behavior --- if the new kernel won't load the driver, then I get a black screen but can still get a terminal.

I don't think disabling SecureBoot is an option (it's a dual-boot machine and I don't want to break something permanently), but I've found something online about using /usr/src/linux-headers-$(uname -r)/scripts/sign-file to self-sign a driver for SecureBoot. The instructions aren't working for me right now, but I'll work on that and get back to you. If that works, then yeah, we can assume that it's a SecureBoot issue.

Thank you!

The debconf output hhows that the 'disable_secureboot' question was "shown", but no answer was recorded. This suggests there may be a problem with the debconf frontend on your system.

Can you attach /var/log/apt/term.log?

/var/log/apt/term.log

From the log file:

Setting up shim-signed (1.17~14.04.1+0.8-0ubuntu2) ...
Installing for x86_64-efi platform.
Installation finished. No error reported.
Use of uninitialized value $_[1] in join or string at /usr/share/perl5/Debconf/DbDriver/Stack.pm line 111, <GEN0> line 12.
Use of uninitialized value $val in substitution (s///) at /usr/share/perl5/Debconf/Format/822.pm line 83, <GEN2> line 8.
Use of uninitialized value $val in concatenation (.) or string at /usr/share/perl5/Debconf/Format/822.pm line 84, <GEN2> line 8.
Processing triggers for libc-bin (2.19-0ubuntu6.9) ...
Log ended: 2016-07-15 19:57:06

This does confirm some sort of debconf error.

I signed the fglrx driver with
sudo /usr/src/linux-headers-$(uname --kernel-release)/scripts/sign-file sha256 fglrx_private_key.priv fglrx_x509.der $(modinfo --filename fglrx-updates)

I then reinstalled 3.13.0-92 with 'sudo apt-get install linux-signed-image-generic' as instructed.
Since this created a new fglrx_updates.ko at /lib/modules/3.13.0-92-generic/updates/dkms/fglrx_updates.ko, I signed that too, with
sudo /usr/src/linux-headers-3.13.0-92-generic/scripts/sign-file sha256 fglrx_private_key.priv fglrx_x509.der /lib/modules/3.13.0-92-generic/updates/dkms/fglrx_updates.ko

It appears the module is indeed signed:
$ hexdump -C /lib/modules/3.13.0-92-generic/updates/dkms/fglrx_updates.ko | tail -n 5
00f7c5b0 4d 6f 64 75 6c 65 20 73 69 67 6e 61 74 75 72 65 |Module signature|
00f7c5c0 20 61 70 70 65 6e 64 65 64 7e 0a | appended~.|
And the key is listed by mokutil --list-enrolled.

And yet, I still have the same symptom: if I boot to 3.13.0-92 rather than 3.13.0-91, I can get tty1, but Ctrl+Alt+F7 gives me a black screen with a blinking cursor.

I never heard of debconf before today. Google tells me that debconf is related to answering configuration questions while installing packages. Is that related? There weren't any questions when installing linux-signed-image-generic. Were there supposed to be?

Under 3.13.0-91, sudo modprobe fglrx-updates goes through without comment.
Under 3.13.0-92, sudo modprobe fglrx-updates fails with ERROR: could not insert fglrx_updates: required key not available.
I don't know how this could be, since 3.13.0-92-generic/updates/dkms/fglrx_updates.ko is signed with the same key as 3.13.0-91-generic/updates/dkms/fglrx_updates.ko.

> I never heard of debconf before today. Google tells me that debconf is
> related to answering configuration questions while installing packages.
> Is that related? There weren't any questions when installing linux-
> signed-image-generic. Were there supposed to be?

Not when installing linux-signed-image-generic itself, but when installing
the shim-signed package or when the fglrx-updates-core package builds its
dkms module, yes there should be a series of questions asked about disabling
secureboot.

> Under 3.13.0-91, sudo modprobe fglrx-updates goes through without comment.

> Under 3.13.0-92, sudo modprobe fglrx-updates fails with ERROR: could not
> insert fglrx_updates: required key not available.

> I don't know how this could be, since
> 3.13.0-92-generic/updates/dkms/fglrx_updates.ko is signed with the same
> key as 3.13.0-91-generic/updates/dkms/fglrx_updates.ko.

This is because 3.13.0-91-generic doesn't enforce kernel signature
verification, so it will load the module with a warning in dmesg about it
being unverified and the kernel being 'tainted', whereas 3.13.0-92-generic
does enforce kernel signature verification and rejects this module because
it's not signed by a *trusted* key.

To have the kernel trust the key you used for signing, you must enroll it in
the firmware in either the SecureBoot database or the MOK database.