LIvepatch widget should link to secure boot information on error
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
update-notifier (Ubuntu) |
Triaged
|
Medium
|
Unassigned |
Bug Description
The livepatch widget will show an error[0] if patches cannot be applied. They cannot be applied on a Secure Boot system unless the livepatch signing key is imported. Unfortunately this requires a reboot and some confirmation in the UEFI settings, so it can't be automated.
`canonical-
SECUREBOOT:
If you are using secure boot, you will also need to import the livepatch public keys into your keyring.
This can be done with the following command:
sudo mokutil --import /snap/canonical
After this enter a password if necessary for MOK, then reboot.
Your BIOS will then guide you through enrolling a new key in MOK.
At this point you will be able to verify the module signatures.
This is probably something worth linking to from that error message. In general, we might need a page explaining other reasons the kernel can't be patched, how to get more details from the system log, etc.
c@slate:~$ canonical-livepatch status
client-version: 9.3.0
architecture: x86_64
cpu-model: Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
last-check: 2019-06-
boot-time: 2019-06-
uptime: 50m59s
status:
- kernel: 4.15.0-
running: true
livepatch:
checkState: check-failed
patchState: apply-failed
version: "52.3"
fixes: |-
* CVE-2019-11477
* CVE-2019-11478
[0] https:/
Very good feedback. Letting the user know that the livepatch failed to apply is a good first step, but I agree that the interface should guide the user in how to resolve the issue.