grub-efi-amd64: prompted to disable SecureBoot on upgrade from 2.02~beta2-36ubuntu2 to 2.02~beta2-36ubuntu3

Bug #1571388 reported by Steve Langasek on 2016-04-17
This bug affects 2 people
Affects: shim-signed (Ubuntu)
Importance: Critical
Assigned to: Mathieu Trudel-Lapierre

Bug Description

Despite the fact that grub2 2.02~beta2-36ubuntu3 was a no-change rebuild, upon upgrading to it on my system, I received a debconf prompt offering to disable UEFI secure boot.

This system has Secure Boot enabled and has no dkms modules installed. There should not be a prompt by grub on upgrade to disable; if this was going to be shown at all (which it wasn't, and shouldn't have been), it should have happened on the initial xenial upgrade.

Looking at the postinst code, I see that it prompts if the dkms package is installed:

    # nothing to do if there is no dkms package installed.
    if ! dpkg -l dkms | grep -qc ii; then
        return
    fi

Ok, I do have the dkms package installed, even though I don't have any dkms-using packages installed. (BTW, 'grep -qc ii' should probably be written 'grep -q ^ii') But then, this prompt should have shown up for me during the upgrade to xenial, *not* in this minor upgrade to the grub package. So why did it not?

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: grub-efi-amd64 2.02~beta2-36ubuntu3
ProcVersionSignature: Ubuntu 4.4.0-18.34-generic 4.4.6
Uname: Linux 4.4.0-18-generic x86_64
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Sun Apr 17 11:27:09 2016
InstallationDate: Installed on 2010-09-24 (2032 days ago)
InstallationMedia: Ubuntu 10.04.1 LTS "Lucid Lynx" - Release amd64 (20100816.1)
SourcePackage: grub2
UpgradeStatus: Upgraded to xenial on 2016-04-15 (2 days ago)

Steve Langasek (vorlon) wrote :

Critical, because if there's a bug causing the prompt to be missed on upgrade to xenial, users are going to find their module support degraded without warning.

Changed in grub2 (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
importance: Undecided → Critical
milestone: none → ubuntu-16.04
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in grub2 (Ubuntu):
status: New → Confirmed
Changed in grub2 (Ubuntu):
milestone: ubuntu-16.04 → ubuntu-17.04
Changed in grub2 (Ubuntu):
milestone: ubuntu-17.04 → ubuntu-17.03

There is still some work needed here; update-secureboot-policy may prompt in the wrong cases. Moving to 'ubuntu-17.05', since it's not the principal focus while scrambling to release Zesty.

Most of the required work here is going to be to properly handle /proc/sys/kernel/moksbstate_disabled and /proc/sys/kernel/secure_boot in update-secureboot-policy; and all of it will be done in the shim-signed package.

affects: grub2 (Ubuntu) → shim-signed (Ubuntu)
Changed in shim-signed (Ubuntu):
milestone: ubuntu-17.03 → ubuntu-17.05
status: Confirmed → Triaged
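
The two checks discussed in this report, as an added example that is not code from grub2 or shim-signed: it compares the quoted 'grep -qc ii' test with the suggested 'grep -q ^ii' on constructed dpkg -l rows, then gates the prompt on the two /proc files named above. The function names are hypothetical, and the flag semantics ("1" in secure_boot means enabled, "1" in moksbstate_disabled means validation is already off) and the choice not to prompt when a file is unreadable are assumptions.

```shell
#!/bin/sh
# Added example; not the grub2 or shim-signed maintainer script.
# Constructed `dpkg -l dkms` rows (versions are placeholders):
ROW_INSTALLED='ii  dkms  0.0-constructed  all  Dynamic Kernel Module Support Framework'
ROW_REMOVED='rc  dkms  0.0-constructed  all  constructed text with ascii in it'

# The check quoted in the report: matches "ii" anywhere on the line.
loose_match() { printf '%s\n' "$1" | grep -qc ii; }
# The form the reporter suggests: "ii" only as the status column.
strict_match() { printf '%s\n' "$1" | grep -q '^ii'; }

# Print the content of a 0/1 flag file, or "unknown" if it cannot be read.
read_flag() {
    if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; else echo unknown; fi
}

# should_prompt ROW SECURE_BOOT_FILE MOKSBSTATE_FILE
# Returns 0 only when dkms is installed, Secure Boot is on and shim
# validation has not already been disabled.
# Assumption: "1" in secure_boot means enabled; "1" in moksbstate_disabled
# means validation is already off. Unreadable files mean "do not prompt".
should_prompt() {
    strict_match "$1" || return 1
    [ "$(read_flag "$2")" = 1 ] || return 1
    [ "$(read_flag "$3")" = 0 ] || return 1
    return 0
}

# Demo on the constructed rows: the removed package trips the loose check only.
for row in "$ROW_INSTALLED" "$ROW_REMOVED"; do
    loose=no; strict=no
    if loose_match "$row"; then loose=yes; fi
    if strict_match "$row"; then strict=yes; fi
    echo "loose=$loose strict=$strict :: $row"
done
```

On a live system the call would be should_prompt "$(dpkg -l dkms 2>/dev/null | tail -n 1)" /proc/sys/kernel/secure_boot /proc/sys/kernel/moksbstate_disabled.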