Livepatch widget should link to secure boot information on error

Bug #1833277 reported by Casey Marshall
Affects: update-notifier (Ubuntu) | Status: Triaged | Importance: Medium | Assigned to: Unassigned

Bug Description

The livepatch widget will show an error[0] if patches cannot be applied. They cannot be applied on a Secure Boot system unless the livepatch signing key is imported. Unfortunately this requires a reboot and some confirmation in the UEFI settings, so it can't be automated.

`canonical-livepatch help` displays some instructions to fix this:

SECUREBOOT:
       If you are using secure boot, you will also need to import the livepatch public keys into your keyring.

       This can be done with the following command:
       sudo mokutil --import /snap/canonical-livepatch/current/keys/livepatch-kmod.x509

       After this enter a password if necessary for MOK, then reboot.
       Your BIOS will then guide you through enrolling a new key in MOK.
       At this point you will be able to verify the module signatures.

This is probably something worth linking to from that error message. In general, we might need a page explaining other reasons the kernel can't be patched, how to get more details from the system log, etc.

c@slate:~$ canonical-livepatch status
client-version: 9.3.0
architecture: x86_64
cpu-model: Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
last-check: 2019-06-18T10:40:35-05:00
boot-time: 2019-06-18T11:05:06-05:00
uptime: 50m59s
status:
- kernel: 4.15.0-51.55-generic
  running: true
  livepatch:
    checkState: check-failed
    patchState: apply-failed
    version: "52.3"
    fixes: |-
      * CVE-2019-11477
      * CVE-2019-11478

[0] https://drive.google.com/file/d/1cQbtCNE-ekoPO159SJDwKrjPGpkSuucm/view?usp=sharing

Tags: needs-design
Steve Langasek (vorlon) wrote :

Very good feedback. Letting the user know that the livepatch failed to apply is a good first step, but I agree that the interface should guide the user in how to resolve the issue.

Changed in update-notifier (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Will Cooke (willcooke) wrote :

We made a start on a wiki page which would detail some of this information:

https://wiki.ubuntu.com/azzar1/Kernel/Livepatch

Could the current Livepatch wiki page be updated to include more information about these common problem areas? (https://wiki.ubuntu.com/Kernel/Livepatch)

We could then link to that wiki page from the notification, or from the livepatch panel in Software & Updates.

I will ask for input from design here too.

tags: added: needs-design
Will Cooke (willcooke) wrote :

I've updated this wiki page:
https://wiki.ubuntu.com/Kernel/Livepatch

We can now open that URL for users when they click on /something/. Either the bubble or the "More info" link from Software & Updates. I've asked mpt to take a look at the design.

Matthew Paul Thomas (mpt) wrote :

If you aren’t signed in to Ubuntu One, that’s not an “error”, it’s just a reason that you can’t use Livepatch right now. So we make you sign in before turning on Livepatch in the first place. And if you become signed-out after Livepatch is turned on, a dialog should direct you back to the settings to resolve the situation (though it seems I never specced the dialog part, oops).

I think the same applies to having Secure Boot on without the Livepatch key imported. It’s a situation we understand, and there is a way to fix it, so it needn’t be a grumpy “error”, it’s just a reason that you can’t use Livepatch right now. (That the moment we discover it happens to be while applying an update is an implementation detail, it’s not the fault of that particular update.) We could guide you to import the key, then restart, before turning on Livepatch in the first place. And if you turn on Secure Boot — or un-import the key? — after Livepatch is turned on, a dialog could direct you back to the settings to resolve the situation.

Questions:

1. Is that approach practical? That is, detect Secure Boot and key-import state whenever you navigate to this settings tab, with a button to open a PolicyKit dialog for you to import the key then restart. And an equivalent button in a dialog if a Livepatch update doesn’t apply for that reason.

2. If it is practical, should I go ahead and design it in more detail, or is it so complicated + common that we need temporary help text instead for 19.10?

Will Cooke (willcooke) wrote :

We don't need to worry about 19.10 as Livepatches aren't produced for non-LTS releases.

I think we need to do some research into how to best detect if Secure Boot is enabled or not. If we can do that without too much bother we /could/ look at that setting, and at the error text produced by the livepatch cli and tie the two together. That feels a bit clunky though. I'll ask whoever is going to work on this to comment here.

Matthew Paul Thomas (mpt) wrote :

Whoops, I forgot that Livepatch was LTS-only. I guess that gives us more time to fix it nicely.

I don’t see why we’d need to look at error text from the Livepatch CLI — if we can detect that Secure Boot is on, we already know Livepatch isn’t going to work, regardless of whether canonical-livepatch is running at the moment.

Meanwhile, it occurs to me that for “a dialog if a Livepatch update doesn’t apply”, that dialog could be the Software Updater prompt — which is going to appear anyway, and already promotes Livepatch if it’s off (cf. bug 1807900), and should therefore be smart enough to do something different if Livepatch is turned on but not working. That would avoid any increase in total interruptions.
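Added example (my own sketch, not code from the bug report or from update-notifier): a POSIX shell script for the detection Will Cooke and mpt discuss above. It reads the Secure Boot state from efivarfs, asks mokutil whether the key path quoted in the report is enrolled in MOK, and combines that with the patchState value from `canonical-livepatch status` into a reason code the widget could map to the wiki page or a fix button. The efivarfs byte layout, the exact mokutil --test-key output wording, and the reason-code names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the bug report or update-notifier): turn a
# Livepatch "apply-failed" state plus the Secure Boot and MOK key state
# into an actionable reason, as the thread suggests, instead of a bare error.
# Assumed: efivarfs layout (4 attribute bytes then 1 data byte), the key path
# quoted in the report, and mokutil's "is already enrolled" wording.
LIVEPATCH_KEY=/snap/canonical-livepatch/current/keys/livepatch-kmod.x509

# Print 1 if Secure Boot is enabled, else 0.
# $1 = path of the SecureBoot efivar file (defaults to the live one).
secure_boot_enabled() {
    f=${1:-$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)}
    [ -n "$f" ] && [ -r "$f" ] || { echo 0; return; }
    # skip the 4 attribute bytes; the 5th byte is the boolean value
    v=$(od -An -t u1 -j 4 -N 1 "$f" | tr -d ' ')
    [ "$v" = 1 ] && echo 1 || echo 0
}

# Extract patchState from `canonical-livepatch status` output on stdin.
livepatch_patch_state() {
    sed -n 's/^[[:space:]]*patchState:[[:space:]]*//p' | head -n 1
}

# Print 1 if the Livepatch key is already enrolled in MOK, else 0 (assumes
# mokutil --test-key prints "<file> is already enrolled" for an enrolled key).
livepatch_key_enrolled() {
    if mokutil --test-key "$LIVEPATCH_KEY" 2>/dev/null | grep -q 'is already enrolled'; then
        echo 1
    else
        echo 0
    fi
}

# $1 = secure boot (0/1), $2 = key enrolled (0/1), $3 = patchState.
# Prints a reason code the widget could map to the wiki page or a fix button.
diagnose() {
    if [ "$3" != apply-failed ]; then
        echo "no-apply-failure:$3"
    elif [ "$1" = 1 ] && [ "$2" = 0 ]; then
        echo "secure-boot-key-not-enrolled"   # fix: sudo mokutil --import "$LIVEPATCH_KEY", then reboot
    else
        echo "apply-failed-other"             # point the user at the system log instead
    fi
}

# Real-system run: ./livepatch-diag.sh --run
if [ "${1:-}" = --run ]; then
    diagnose "$(secure_boot_enabled)" "$(livepatch_key_enrolled)" \
        "$(canonical-livepatch status 2>/dev/null | livepatch_patch_state)"
fi
```

The `--run` guard keeps the functions sourceable for testing; without it the script only defines them.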
