After update, xorg will not boot

Bug #1603655 reported by dualBootLaptop
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Confirmed
High
Unassigned

Bug Description

Last night, Ubuntu Software Updater installed a round of updates.
I shut down my computer, and when I booted this morning, the GUI failed to load or run at all.
I switched to a terminal with Ctrl+Alt+F1, which worked fine.
I tried rebooting into 3.13.0-91 via GRUB, at which point the GUI worked fine.
Examining Ubuntu Software Center History, the new linux-image stood out, so I tried uninstalling that first.
The command I ran was:
sudo apt-get remove linux-image-extra-3.13.0-92-generic:amd64 linux-image-3.13.0-92-generic:amd64 linux-signed-image-3.13.0-92-generic:amd64 && sudo apt-get install linux-image-extra-3.13.0-91-generic:amd64 linux-image-3.13.0-91-generic:amd64 linux-signed-image-3.13.0-91-generic:amd64
My machine works fine now (with the old linux-image), but I thought I should inform you of the problem with the new linux-image.

P.S. Since xorg is involved I tried to use ubuntu-bug xorg as the instructions said, but there was no way to enter an explanation, and reporting system information with no explanation *now* when my system is *working* would be completely misleading. There seems to be no way to attach any text or message to an ubuntu-bug report.
I have attached the output from apport-bug --save=bugfilename linux-image-3.13.0-92-generic:amd64.
---
ApportVersion: 2.14.1-0ubuntu3.21
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC1: david 1900 F.... pulseaudio
 /dev/snd/controlC0: david 1900 F.... pulseaudio
CurrentDesktop: Unity
DistroRelease: Ubuntu 14.04
HibernationDevice: RESUME=UUID=907fdd35-197c-4341-9daa-c29636443fb6
InstallationDate: Installed on 2014-06-06 (773 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
MachineType: Hewlett-Packard HP Pavilion 17 Notebook PC
NonfreeKernelModules: fglrx
Package: linux (not installed)
ProcFB: 0 EFI VGA
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-91-generic.efi.signed root=UUID=1fe70a4d-bce2-4bc1-921f-d793500b9af8 ro quiet splash crashkernel=384M-:128M vt.handoff=7
ProcVersionSignature: Ubuntu 3.13.0-91.138-generic 3.13.11-ckt39
RelatedPackageVersions:
 linux-restricted-modules-3.13.0-91-generic N/A
 linux-backports-modules-3.13.0-91-generic N/A
 linux-firmware 1.127.22
RfKill:
 0: phy0: Wireless LAN
  Soft blocked: no
  Hard blocked: no
Tags: trusty
Uname: Linux 3.13.0-91-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo
_MarkForUpload: True
dmi.bios.date: 11/11/2014
dmi.bios.vendor: Insyde
dmi.bios.version: F.35
dmi.board.asset.tag: Base Board Asset Tag
dmi.board.name: 1984
dmi.board.vendor: Hewlett-Packard
dmi.board.version: 01.15
dmi.chassis.type: 10
dmi.chassis.vendor: Hewlett-Packard
dmi.chassis.version: Chassis Version
dmi.modalias: dmi:bvnInsyde:bvrF.35:bd11/11/2014:svnHewlett-Packard:pnHPPavilion17NotebookPC:pvr0880100021305B10000620100:rvnHewlett-Packard:rn1984:rvr01.15:cvnHewlett-Packard:ct10:cvrChassisVersion:
dmi.product.name: HP Pavilion 17 Notebook PC
dmi.product.version: 0880100021305B10000620100
dmi.sys.vendor: Hewlett-Packard

Revision history for this message
dualBootLaptop (david-a-hannasch) wrote :
affects: xorg (Ubuntu) → linux (Ubuntu)
Changed in linux (Ubuntu):
assignee: nobody → Joseph Salisbury (jsalisbury)
Revision history for this message
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1603655

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: trusty
Changed in linux (Ubuntu):
importance: Undecided → High
Revision history for this message
dualBootLaptop (david-a-hannasch) wrote : AlsaInfo.txt

apport information

tags: added: apport-collected
description: updated
Revision history for this message
dualBootLaptop (david-a-hannasch) wrote : BootDmesg.txt

apport information

Revision history for this message
dualBootLaptop (david-a-hannasch) wrote : CRDA.txt

apport information

Revision history for this message
dualBootLaptop (david-a-hannasch) wrote : CurrentDmesg.txt

apport information

Revision history for this message
dualBootLaptop (david-a-hannasch) wrote : IwConfig.txt

apport information

Revision history for this message
dualBootLaptop (david-a-hannasch) wrote : Lspci.txt

apport information

Revision history for this message
dualBootLaptop (david-a-hannasch) wrote : Lsusb.txt

apport information

Revision history for this message
dualBootLaptop (david-a-hannasch) wrote : ProcCpuinfo.txt

apport information

Revision history for this message
dualBootLaptop (david-a-hannasch) wrote : ProcEnviron.txt

apport information

Revision history for this message
dualBootLaptop (david-a-hannasch) wrote : ProcInterrupts.txt

apport information

Revision history for this message
dualBootLaptop (david-a-hannasch) wrote : ProcModules.txt

apport information

Revision history for this message
dualBootLaptop (david-a-hannasch) wrote : PulseList.txt

apport information

Revision history for this message
dualBootLaptop (david-a-hannasch) wrote : UdevDb.txt

apport information

Revision history for this message
dualBootLaptop (david-a-hannasch) wrote : UdevLog.txt

apport information

Revision history for this message
dualBootLaptop (david-a-hannasch) wrote : WifiSyslog.txt

apport information

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Revision history for this message
dualBootLaptop (david-a-hannasch) wrote :

> From a terminal window please run:
> apport-collect 1603655
> and then change the status of the bug to 'Confirmed'.

...okay? As I said, I apt-get removed linux-image-3.13.0-92-generic:amd64, so the system information *now* will show that it's not installed. The information just posted is the state of the system when it's *working*. Is that what you wanted? Or did you want me to reinstall linux-image-3.13.0-92-generic:amd64?

If you *do* want me to reinstall linux-image-3.13.0-92-generic:amd64, can you tell me exactly how to do it? The Software Updater is showing me the available updates right now, and the new linux-image is not on the list, probably because the Software Updater noticed that I manually uninstalled it and is assuming that I don't want anything I manually uninstalled...which is actually pretty smart, that's kind of cool. But it means that I don't know how to reproduce the installation process. Should I apt-get dist-upgrade?

Revision history for this message
Steve Langasek (vorlon) wrote :

Given that your apport output is from the previous kernel, this line is very suggestive:

[ 18.073838] fglrx: module verification failed: signature and/or required key missing - tainting kernel

The 3.13.0-92 kernel is the first one in this series which implements Ubuntu's updated SecureBoot policy, which requires specific action by the machine administrator in order to allow unsigned modules.

You should have been prompted for this on upgrade. Do you remember seeing such a prompt?

Can you please attach the output of the following command:
$ debconf-show shim-signed

To successfully upgrade to the new kernel, you will want to:

 - run 'sudo update-secureboot-policy', and choose to disable SecureBoot
 - run 'sudo apt-get install linux-signed-image-generic'
 - reboot to the UEFI prompts, in order to confirm the SecureBoot policy change.

Revision history for this message
dualBootLaptop (david-a-hannasch) wrote :

> The 3.13.0-92 kernel is the first one in this series which implements Ubuntu's updated SecureBoot policy, which requires specific action by the machine administrator in order to allow unsigned modules.
> You should have been prompted for this on upgrade. Do you remember seeing such a prompt?
No, I just clicked Install Updates in the Software Updater as normal.

$ debconf-show shim-signed
debconf: DbDriver "passwords" warning: could not open /var/cache/debconf/passwords.dat: Permission denied
  shim/secureboot_key:
  shim/secureboot_key_again:
  shim/title/secureboot:
  shim/error/secureboot_key_mismatch:
* shim/disable_secureboot:
  shim/error/bad_secureboot_key:
  shim/enable_secureboot: false
$ sudo debconf-show shim-signed
  shim/error/secureboot_key_mismatch:
  shim/secureboot_key:
  shim/secureboot_key_again:
  shim/error/bad_secureboot_key:
  shim/title/secureboot:
  shim/enable_secureboot: false
* shim/disable_secureboot:

Revision history for this message
dualBootLaptop (david-a-hannasch) wrote :

fglrx is the driver for my monitor, so I think that would explain the observed behavior --- if the new kernel won't load the driver, then I get a black screen but can still get a terminal.

I don't think disabling SecureBoot is an option (it's a dual-boot machine and I don't want to break something permanently), but I've found something online about using /usr/src/linux-headers-$(uname -r)/scripts/sign-file to self-sign a driver for SecureBoot. The instructions aren't working for me right now, but I'll work on that and get back to you. If that works, then yeah, we can assume that it's a SecureBoot issue.

Thank you!

Revision history for this message
Steve Langasek (vorlon) wrote :

The debconf output hhows that the 'disable_secureboot' question was "shown", but no answer was recorded. This suggests there may be a problem with the debconf frontend on your system.

Can you attach /var/log/apt/term.log?

Revision history for this message
dualBootLaptop (david-a-hannasch) wrote :

/var/log/apt/term.log

Revision history for this message
Steve Langasek (vorlon) wrote :

From the log file:

Setting up shim-signed (1.17~14.04.1+0.8-0ubuntu2) ...
Installing for x86_64-efi platform.
Installation finished. No error reported.
Use of uninitialized value $_[1] in join or string at /usr/share/perl5/Debconf/DbDriver/Stack.pm line 111, <GEN0> line 12.
Use of uninitialized value $val in substitution (s///) at /usr/share/perl5/Debconf/Format/822.pm line 83, <GEN2> line 8.
Use of uninitialized value $val in concatenation (.) or string at /usr/share/perl5/Debconf/Format/822.pm line 84, <GEN2> line 8.
Processing triggers for libc-bin (2.19-0ubuntu6.9) ...
Log ended: 2016-07-15 19:57:06

This does confirm some sort of debconf error.

Revision history for this message
dualBootLaptop (david-a-hannasch) wrote :

I signed the fglrx driver with
sudo /usr/src/linux-headers-$(uname --kernel-release)/scripts/sign-file sha256 fglrx_private_key.priv fglrx_x509.der $(modinfo --filename fglrx-updates)

I then reinstalled 3.13.0-92 with 'sudo apt-get install linux-signed-image-generic' as instructed.
Since this created a new fglrx_updates.ko at /lib/modules/3.13.0-92-generic/updates/dkms/fglrx_updates.ko, I signed that too, with
sudo /usr/src/linux-headers-3.13.0-92-generic/scripts/sign-file sha256 fglrx_private_key.priv fglrx_x509.der /lib/modules/3.13.0-92-generic/updates/dkms/fglrx_updates.ko

It appears the module is indeed signed:
$ hexdump -C /lib/modules/3.13.0-92-generic/updates/dkms/fglrx_updates.ko | tail -n 5
00f7c5b0 4d 6f 64 75 6c 65 20 73 69 67 6e 61 74 75 72 65 |Module signature|
00f7c5c0 20 61 70 70 65 6e 64 65 64 7e 0a | appended~.|
And the key is listed by mokutil --list-enrolled.

And yet, I still have the same symptom: if I boot to 3.13.0-92 rather than 3.13.0-91, I can get tty1, but Ctrl+Alt+F7 gives me a black screen with a blinking cursor.

I never heard of debconf before today. Google tells me that debconf is related to answering configuration questions while installing packages. Is that related? There weren't any questions when installing linux-signed-image-generic. Were there supposed to be?

Revision history for this message
dualBootLaptop (david-a-hannasch) wrote :

Under 3.13.0-91, sudo modprobe fglrx-updates goes through without comment.
Under 3.13.0-92, sudo modprobe fglrx-updates fails with ERROR: could not insert fglrx_updates: required key not available.
I don't know how this could be, since 3.13.0-92-generic/updates/dkms/fglrx_updates.ko is signed with the same key as 3.13.0-91-generic/updates/dkms/fglrx_updates.ko.

Revision history for this message
Steve Langasek (vorlon) wrote : Re: [Bug 1603655] Re: After update, xorg will not boot

> I never heard of debconf before today. Google tells me that debconf is
> related to answering configuration questions while installing packages.
> Is that related? There weren't any questions when installing linux-
> signed-image-generic. Were there supposed to be?

Not when installing linux-signed-image-generic itself, but when installing
the shim-signed package or when the fglrx-updates-core package builds its
dkms module, yes there should be a series of questions asked about disabling
secureboot.

> Under 3.13.0-91, sudo modprobe fglrx-updates goes through without comment.

> Under 3.13.0-92, sudo modprobe fglrx-updates fails with ERROR: could not
> insert fglrx_updates: required key not available.

> I don't know how this could be, since
> 3.13.0-92-generic/updates/dkms/fglrx_updates.ko is signed with the same
> key as 3.13.0-91-generic/updates/dkms/fglrx_updates.ko.

This is because 3.13.0-91-generic doesn't enforce kernel signature
verification, so it will load the module with a warning in dmesg about it
being unverified and the kernel being 'tainted', whereas 3.13.0-92-generic
does enforce kernel signature verification and rejects this module because
it's not signed by a *trusted* key.

To have the kernel trust the key you used for signing, you must enroll it in
the firmware in either the SecureBoot database or the MOK database.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.