2017-10-24 10:38:37 |
Patrick Thomas |
bug |
|
|
added bug |
2017-10-24 10:40:12 |
Apport retracing service |
tags |
amd64 apport-package need-duplicate-check xenial |
amd64 apport-package xenial |
|
2017-10-24 10:40:13 |
Apport retracing service |
bug |
|
|
added subscriber Crash bug triagers for Ubuntu packages |
2017-10-24 19:05:16 |
Steve Langasek |
affects |
shim-signed (Ubuntu) |
unattended-upgrades (Ubuntu) |
|
2017-10-24 21:43:55 |
Launchpad Janitor |
unattended-upgrades (Ubuntu): status |
New |
Confirmed |
|
2017-10-24 22:16:40 |
Steve Langasek |
affects |
unattended-upgrades (Ubuntu) |
shim-signed (Ubuntu) |
|
2017-10-24 22:16:40 |
Steve Langasek |
shim-signed (Ubuntu): importance |
Undecided |
High |
|
2017-10-24 22:16:40 |
Steve Langasek |
shim-signed (Ubuntu): status |
Confirmed |
Triaged |
|
2017-10-24 22:16:49 |
Steve Langasek |
bug |
|
|
added subscriber Mathieu Trudel-Lapierre |
2017-10-25 16:40:13 |
Steve Langasek |
summary |
package shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1 |
unattended-upgrades + nvidia stack upgrade == dkms fail (package shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1) |
|
2017-10-31 15:32:48 |
Brian Murray |
tags |
amd64 apport-package xenial |
amd64 apport-package rls-bb-incoming xenial |
|
2017-11-09 16:31:20 |
Steve Langasek |
nominated for series |
|
Ubuntu Bionic |
|
2017-11-09 16:31:20 |
Steve Langasek |
bug task added |
|
shim-signed (Ubuntu Bionic) |
|
2017-11-09 16:31:30 |
Steve Langasek |
tags |
amd64 apport-package rls-bb-incoming xenial |
amd64 apport-package xenial |
|
2018-03-27 12:22:16 |
Francis Ginther |
tags |
amd64 apport-package xenial |
amd64 apport-package id-5ab94d1375e8d544f030e3fa xenial |
|
2018-10-08 21:19:48 |
Balint Reczey |
shim-signed (Ubuntu): status |
Triaged |
In Progress |
|
2018-10-08 21:20:03 |
Balint Reczey |
shim-signed (Ubuntu): assignee |
|
Balint Reczey (rbalint) |
|
2018-10-09 14:22:59 |
Balint Reczey |
description |
Occurred a minute after logging in
ProblemType: Package
DistroRelease: Ubuntu 16.04
Package: shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-37.41~16.04.1-generic 4.10.17
Uname: Linux 4.10.0-37-generic x86_64
.proc.sys.kernel.moksbstate_disabled: 0
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
Date: Tue Oct 24 11:35:53 2017
EFITables:
Oct 24 11:33:04 paddy-laptop kernel: efi: EFI v2.40 by American Megatrends
Oct 24 11:33:04 paddy-laptop kernel: efi: ACPI=0x78660000 ACPI 2.0=0x78660000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x79360598
Oct 24 11:33:04 paddy-laptop kernel: esrt: Reserving ESRT space from 0x0000000079360598 to 0x00000000793605d0.
Oct 24 11:33:04 paddy-laptop kernel: Secure boot enabled
ErrorMessage: subprocess installed post-installation script returned error exit status 1
InstallationDate: Installed on 2017-09-11 (42 days ago)
InstallationMedia: Ubuntu 16.04.3 LTS "Xenial Xerus" - Release amd64 (20170801)
RelatedPackageVersions:
dpkg 1.18.4ubuntu1.2
apt 1.2.24
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
Title: package shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
UpgradeStatus: No upgrade log present (probably fresh install) |
[Impact] (WIP)
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Case]
1. Set up a fully - or almost fully updated Bionic system.
2. Install packagages to trigger the block:
apt install dkms shim-signed r8168-dkms
3. Fake enabled secure boot:
echo "shim-signed shim/enable_secureboot boolean true" | debconf-set-selections
4. Add and enable PPA hosting updated dkms package pulling in a new dkms-like dependency:
add-apt-repository ppa:rbalint/scratch
echo 'Unattended-Upgrade::Allowed-Origins {"LP-PPA-rbalint-scratch:${distro_codename}";}' > /etc/apt/apt.conf.d/51unattended-upgrades-all
5. Observe u-u keeping back the new package:
unattended-upgrade --verbose --dry-run --debug
...
Checking: r8168-dkms ([<Origin component:'main' archive:'bionic' origin:'LP-PPA-rbalint-scratch' label:"Scratch space, don't use" site:'ppa.launchpad.net' isTrusted:True>])
pkg new-dkms-dep may trigger secure boot key prompt
sanity check failed
...
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Original Bug Text]
Occurred a minute after logging in
ProblemType: Package
DistroRelease: Ubuntu 16.04
Package: shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-37.41~16.04.1-generic 4.10.17
Uname: Linux 4.10.0-37-generic x86_64
.proc.sys.kernel.moksbstate_disabled: 0
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
Date: Tue Oct 24 11:35:53 2017
EFITables:
Oct 24 11:33:04 paddy-laptop kernel: efi: EFI v2.40 by American Megatrends
Oct 24 11:33:04 paddy-laptop kernel: efi: ACPI=0x78660000 ACPI 2.0=0x78660000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x79360598
Oct 24 11:33:04 paddy-laptop kernel: esrt: Reserving ESRT space from 0x0000000079360598 to 0x00000000793605d0.
Oct 24 11:33:04 paddy-laptop kernel: Secure boot enabled
ErrorMessage: subprocess installed post-installation script returned error exit status 1
InstallationDate: Installed on 2017-09-11 (42 days ago)
InstallationMedia: Ubuntu 16.04.3 LTS "Xenial Xerus" - Release amd64 (20170801)
RelatedPackageVersions:
dpkg 1.18.4ubuntu1.2
apt 1.2.24
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
Title: package shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
UpgradeStatus: No upgrade log present (probably fresh install) |
|
2018-10-09 16:23:51 |
Balint Reczey |
description |
[Impact] (WIP)
* An explanation of the effects of the bug on users and
* justification for backporting the fix to the stable release.
* In addition, it is helpful, but not required, to include an
explanation of how the upload fixes this bug.
[Test Case]
1. Set up a fully - or almost fully updated Bionic system.
2. Install packagages to trigger the block:
apt install dkms shim-signed r8168-dkms
3. Fake enabled secure boot:
echo "shim-signed shim/enable_secureboot boolean true" | debconf-set-selections
4. Add and enable PPA hosting updated dkms package pulling in a new dkms-like dependency:
add-apt-repository ppa:rbalint/scratch
echo 'Unattended-Upgrade::Allowed-Origins {"LP-PPA-rbalint-scratch:${distro_codename}";}' > /etc/apt/apt.conf.d/51unattended-upgrades-all
5. Observe u-u keeping back the new package:
unattended-upgrade --verbose --dry-run --debug
...
Checking: r8168-dkms ([<Origin component:'main' archive:'bionic' origin:'LP-PPA-rbalint-scratch' label:"Scratch space, don't use" site:'ppa.launchpad.net' isTrusted:True>])
pkg new-dkms-dep may trigger secure boot key prompt
sanity check failed
...
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Original Bug Text]
Occurred a minute after logging in
ProblemType: Package
DistroRelease: Ubuntu 16.04
Package: shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-37.41~16.04.1-generic 4.10.17
Uname: Linux 4.10.0-37-generic x86_64
.proc.sys.kernel.moksbstate_disabled: 0
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
Date: Tue Oct 24 11:35:53 2017
EFITables:
Oct 24 11:33:04 paddy-laptop kernel: efi: EFI v2.40 by American Megatrends
Oct 24 11:33:04 paddy-laptop kernel: efi: ACPI=0x78660000 ACPI 2.0=0x78660000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x79360598
Oct 24 11:33:04 paddy-laptop kernel: esrt: Reserving ESRT space from 0x0000000079360598 to 0x00000000793605d0.
Oct 24 11:33:04 paddy-laptop kernel: Secure boot enabled
ErrorMessage: subprocess installed post-installation script returned error exit status 1
InstallationDate: Installed on 2017-09-11 (42 days ago)
InstallationMedia: Ubuntu 16.04.3 LTS "Xenial Xerus" - Release amd64 (20170801)
RelatedPackageVersions:
dpkg 1.18.4ubuntu1.2
apt 1.2.24
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
Title: package shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
UpgradeStatus: No upgrade log present (probably fresh install) |
[Impact]
* When Secure Boot is enabled and a new dkms module is installed sim-signed asks for a new Secure Boot key, or aborts package installation in non-interactive mode. When unattended-upgrades performed the upgrade the aborted installation leaves an unconfigured system behind that may even fail to boot.
* The fix in u-u detects new dkms-related packages and holds them back from installation.
[Test Case]
1. Set up a fully - or almost fully updated Bionic system.
2. Install packagages to trigger the block:
apt install dkms shim-signed r8168-dkms
3. Fake enabled secure boot:
echo "shim-signed shim/enable_secureboot boolean true" | debconf-set-selections
4. Add and enable PPA hosting updated dkms package pulling in a new dkms-like dependency:
add-apt-repository ppa:rbalint/scratch
echo 'Unattended-Upgrade::Allowed-Origins {"LP-PPA-rbalint-scratch:${distro_codename}";}' > /etc/apt/apt.conf.d/51unattended-upgrades-all
5. Observe u-u keeping back the new package:
unattended-upgrade --verbose --dry-run --debug
...
Checking: r8168-dkms ([<Origin component:'main' archive:'bionic' origin:'LP-PPA-rbalint-scratch' label:"Scratch space, don't use" site:'ppa.launchpad.net' isTrusted:True>])
pkg new-dkms-dep may trigger secure boot key prompt
sanity check failed
...
[Regression Potential]
* Since the fix is holding back packages from installation it is expected that systems that would have otherwise broke during the installation would not receive all updates. Since exact detection of the installation failure reported here does not seem possible u-u holds back more packages than it would be absolutely necessary.
* Administrators are expected to set up email notifications about the updates performed by u-u and act on held back packages.
* Since updates pulling in new packages are fairly rare especially in the -security pocket which u-u installs from by default unwanted regressions are unlikely to show up.
[Original Bug Text]
Occurred a minute after logging in
ProblemType: Package
DistroRelease: Ubuntu 16.04
Package: shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-37.41~16.04.1-generic 4.10.17
Uname: Linux 4.10.0-37-generic x86_64
.proc.sys.kernel.moksbstate_disabled: 0
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
Date: Tue Oct 24 11:35:53 2017
EFITables:
Oct 24 11:33:04 paddy-laptop kernel: efi: EFI v2.40 by American Megatrends
Oct 24 11:33:04 paddy-laptop kernel: efi: ACPI=0x78660000 ACPI 2.0=0x78660000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x79360598
Oct 24 11:33:04 paddy-laptop kernel: esrt: Reserving ESRT space from 0x0000000079360598 to 0x00000000793605d0.
Oct 24 11:33:04 paddy-laptop kernel: Secure boot enabled
ErrorMessage: subprocess installed post-installation script returned error exit status 1
InstallationDate: Installed on 2017-09-11 (42 days ago)
InstallationMedia: Ubuntu 16.04.3 LTS "Xenial Xerus" - Release amd64 (20170801)
RelatedPackageVersions:
dpkg 1.18.4ubuntu1.2
apt 1.2.24
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
Title: package shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
UpgradeStatus: No upgrade log present (probably fresh install) |
|
2018-10-09 16:24:05 |
Balint Reczey |
bug task added |
|
unattended-upgrades (Ubuntu) |
|
2018-10-09 16:24:36 |
Balint Reczey |
shim-signed (Ubuntu): status |
In Progress |
Confirmed |
|
2018-10-09 16:24:39 |
Balint Reczey |
shim-signed (Ubuntu): status |
Confirmed |
New |
|
2018-10-09 16:24:44 |
Balint Reczey |
unattended-upgrades (Ubuntu): status |
New |
In Progress |
|
2018-10-09 18:05:19 |
Steve Langasek |
unattended-upgrades (Ubuntu Bionic): status |
New |
Incomplete |
|
2018-10-09 18:05:22 |
Steve Langasek |
unattended-upgrades (Ubuntu): status |
In Progress |
Incomplete |
|
2018-10-10 21:19:03 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~rbalint/shim/+git/shim-signed/+merge/356440 |
|
2018-10-10 21:22:17 |
Balint Reczey |
shim-signed (Ubuntu): status |
New |
In Progress |
|
2018-10-11 16:15:16 |
Balint Reczey |
shim-signed (Ubuntu): status |
In Progress |
Fix Committed |
|
2018-10-12 11:06:33 |
Balint Reczey |
description |
[Impact]
* When Secure Boot is enabled and a new dkms module is installed sim-signed asks for a new Secure Boot key, or aborts package installation in non-interactive mode. When unattended-upgrades performed the upgrade the aborted installation leaves an unconfigured system behind that may even fail to boot.
* The fix in u-u detects new dkms-related packages and holds them back from installation.
[Test Case]
1. Set up a fully - or almost fully updated Bionic system.
2. Install packagages to trigger the block:
apt install dkms shim-signed r8168-dkms
3. Fake enabled secure boot:
echo "shim-signed shim/enable_secureboot boolean true" | debconf-set-selections
4. Add and enable PPA hosting updated dkms package pulling in a new dkms-like dependency:
add-apt-repository ppa:rbalint/scratch
echo 'Unattended-Upgrade::Allowed-Origins {"LP-PPA-rbalint-scratch:${distro_codename}";}' > /etc/apt/apt.conf.d/51unattended-upgrades-all
5. Observe u-u keeping back the new package:
unattended-upgrade --verbose --dry-run --debug
...
Checking: r8168-dkms ([<Origin component:'main' archive:'bionic' origin:'LP-PPA-rbalint-scratch' label:"Scratch space, don't use" site:'ppa.launchpad.net' isTrusted:True>])
pkg new-dkms-dep may trigger secure boot key prompt
sanity check failed
...
[Regression Potential]
* Since the fix is holding back packages from installation it is expected that systems that would have otherwise broke during the installation would not receive all updates. Since exact detection of the installation failure reported here does not seem possible u-u holds back more packages than it would be absolutely necessary.
* Administrators are expected to set up email notifications about the updates performed by u-u and act on held back packages.
* Since updates pulling in new packages are fairly rare especially in the -security pocket which u-u installs from by default unwanted regressions are unlikely to show up.
[Original Bug Text]
Occurred a minute after logging in
ProblemType: Package
DistroRelease: Ubuntu 16.04
Package: shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-37.41~16.04.1-generic 4.10.17
Uname: Linux 4.10.0-37-generic x86_64
.proc.sys.kernel.moksbstate_disabled: 0
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
Date: Tue Oct 24 11:35:53 2017
EFITables:
Oct 24 11:33:04 paddy-laptop kernel: efi: EFI v2.40 by American Megatrends
Oct 24 11:33:04 paddy-laptop kernel: efi: ACPI=0x78660000 ACPI 2.0=0x78660000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x79360598
Oct 24 11:33:04 paddy-laptop kernel: esrt: Reserving ESRT space from 0x0000000079360598 to 0x00000000793605d0.
Oct 24 11:33:04 paddy-laptop kernel: Secure boot enabled
ErrorMessage: subprocess installed post-installation script returned error exit status 1
InstallationDate: Installed on 2017-09-11 (42 days ago)
InstallationMedia: Ubuntu 16.04.3 LTS "Xenial Xerus" - Release amd64 (20170801)
RelatedPackageVersions:
dpkg 1.18.4ubuntu1.2
apt 1.2.24
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
Title: package shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
UpgradeStatus: No upgrade log present (probably fresh install) |
[Impact]
* When Secure Boot is enabled and MOK is not set and a new dkms module is installed sim-signed asks for a Secure Boot MOK, or aborts package installation in non-interactive mode. When unattended-upgrades performed the upgrade the aborted installation leaves an unconfigured system behind that may even fail to boot. In nvdidia's special case the new module is actually just a new version of the nvidia module which should be fine to install.
* The fix in shim-signed now handles nvidia dkms module directory renames as simple upgrades and also does not handle module removals as a reason to abort installation.
[Test Case (shim-signed)]
WIP
[Test Case (unattended-upgrades)]
1. Set up a fully - or almost fully updated Bionic system.
2. Install packagages to trigger the block:
apt install dkms shim-signed r8168-dkms
3. Fake enabled secure boot:
echo "shim-signed shim/enable_secureboot boolean true" | debconf-set-selections
4. Add and enable PPA hosting updated dkms package pulling in a new dkms-like dependency:
add-apt-repository ppa:rbalint/scratch
echo 'Unattended-Upgrade::Allowed-Origins {"LP-PPA-rbalint-scratch:${distro_codename}";}' > /etc/apt/apt.conf.d/51unattended-upgrades-all
5. Observe u-u keeping back the new package:
unattended-upgrade --verbose --dry-run --debug
...
Checking: r8168-dkms ([<Origin component:'main' archive:'bionic' origin:'LP-PPA-rbalint-scratch' label:"Scratch space, don't use" site:'ppa.launchpad.net' isTrusted:True>])
pkg new-dkms-dep may trigger secure boot key prompt
sanity check failed
...
[Regression Potential (shim-signed)]
* The fix lets installation of nvidia dkms module upgrades continue and also lets dkms module removals continue when MOK is not set and those should not cause regressions themselves. In case of an implementation mistake a new module installation could go undetected and could cause the system not load a dkms module on next boot.
In practice not loading new modules rarely cause regressions, but if a module is converted from being in the kernel to a dkms module upon an upgrade this is possible.
* I tested the module addition, removal, nvidia module upgrade and not module change cases with stubs pretending that the system is secure-boot capable an found the changed script working properly.
[Regression Potential (unattended-upgrades)]
* Since the fix is holding back packages from installation it is expected that systems that would have otherwise broke during the installation would not receive all updates. Since exact detection of the installation failure reported here does not seem possible u-u holds back more packages than it would be absolutely necessary.
* Administrators are expected to set up email notifications about the updates performed by u-u and act on held back packages.
* Since updates pulling in new packages are fairly rare especially in the -security pocket which u-u installs from by default unwanted regressions are unlikely to show up.
[Original Bug Text]
Occurred a minute after logging in
ProblemType: Package
DistroRelease: Ubuntu 16.04
Package: shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-37.41~16.04.1-generic 4.10.17
Uname: Linux 4.10.0-37-generic x86_64
.proc.sys.kernel.moksbstate_disabled: 0
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
Date: Tue Oct 24 11:35:53 2017
EFITables:
Oct 24 11:33:04 paddy-laptop kernel: efi: EFI v2.40 by American Megatrends
Oct 24 11:33:04 paddy-laptop kernel: efi: ACPI=0x78660000 ACPI 2.0=0x78660000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x79360598
Oct 24 11:33:04 paddy-laptop kernel: esrt: Reserving ESRT space from 0x0000000079360598 to 0x00000000793605d0.
Oct 24 11:33:04 paddy-laptop kernel: Secure boot enabled
ErrorMessage: subprocess installed post-installation script returned error exit status 1
InstallationDate: Installed on 2017-09-11 (42 days ago)
InstallationMedia: Ubuntu 16.04.3 LTS "Xenial Xerus" - Release amd64 (20170801)
RelatedPackageVersions:
dpkg 1.18.4ubuntu1.2
apt 1.2.24
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
Title: package shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
UpgradeStatus: No upgrade log present (probably fresh install) |
|
2018-10-12 18:08:17 |
Launchpad Janitor |
shim-signed (Ubuntu): status |
Fix Committed |
Fix Released |
|
2018-10-25 19:12:51 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~rbalint/shim/+git/shim-signed/+merge/357843 |
|
2018-10-26 17:19:53 |
Balint Reczey |
description |
[Impact]
* When Secure Boot is enabled and MOK is not set and a new dkms module is installed sim-signed asks for a Secure Boot MOK, or aborts package installation in non-interactive mode. When unattended-upgrades performed the upgrade the aborted installation leaves an unconfigured system behind that may even fail to boot. In nvdidia's special case the new module is actually just a new version of the nvidia module which should be fine to install.
* The fix in shim-signed now handles nvidia dkms module directory renames as simple upgrades and also does not handle module removals as a reason to abort installation.
[Test Case (shim-signed)]
WIP
[Test Case (unattended-upgrades)]
1. Set up a fully - or almost fully updated Bionic system.
2. Install packagages to trigger the block:
apt install dkms shim-signed r8168-dkms
3. Fake enabled secure boot:
echo "shim-signed shim/enable_secureboot boolean true" | debconf-set-selections
4. Add and enable PPA hosting updated dkms package pulling in a new dkms-like dependency:
add-apt-repository ppa:rbalint/scratch
echo 'Unattended-Upgrade::Allowed-Origins {"LP-PPA-rbalint-scratch:${distro_codename}";}' > /etc/apt/apt.conf.d/51unattended-upgrades-all
5. Observe u-u keeping back the new package:
unattended-upgrade --verbose --dry-run --debug
...
Checking: r8168-dkms ([<Origin component:'main' archive:'bionic' origin:'LP-PPA-rbalint-scratch' label:"Scratch space, don't use" site:'ppa.launchpad.net' isTrusted:True>])
pkg new-dkms-dep may trigger secure boot key prompt
sanity check failed
...
[Regression Potential (shim-signed)]
* The fix lets installation of nvidia dkms module upgrades continue and also lets dkms module removals continue when MOK is not set and those should not cause regressions themselves. In case of an implementation mistake a new module installation could go undetected and could cause the system not load a dkms module on next boot.
In practice not loading new modules rarely cause regressions, but if a module is converted from being in the kernel to a dkms module upon an upgrade this is possible.
* I tested the module addition, removal, nvidia module upgrade and not module change cases with stubs pretending that the system is secure-boot capable an found the changed script working properly.
[Regression Potential (unattended-upgrades)]
* Since the fix is holding back packages from installation it is expected that systems that would have otherwise broke during the installation would not receive all updates. Since exact detection of the installation failure reported here does not seem possible u-u holds back more packages than it would be absolutely necessary.
* Administrators are expected to set up email notifications about the updates performed by u-u and act on held back packages.
* Since updates pulling in new packages are fairly rare especially in the -security pocket which u-u installs from by default unwanted regressions are unlikely to show up.
[Original Bug Text]
Occurred a minute after logging in
ProblemType: Package
DistroRelease: Ubuntu 16.04
Package: shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-37.41~16.04.1-generic 4.10.17
Uname: Linux 4.10.0-37-generic x86_64
.proc.sys.kernel.moksbstate_disabled: 0
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
Date: Tue Oct 24 11:35:53 2017
EFITables:
Oct 24 11:33:04 paddy-laptop kernel: efi: EFI v2.40 by American Megatrends
Oct 24 11:33:04 paddy-laptop kernel: efi: ACPI=0x78660000 ACPI 2.0=0x78660000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x79360598
Oct 24 11:33:04 paddy-laptop kernel: esrt: Reserving ESRT space from 0x0000000079360598 to 0x00000000793605d0.
Oct 24 11:33:04 paddy-laptop kernel: Secure boot enabled
ErrorMessage: subprocess installed post-installation script returned error exit status 1
InstallationDate: Installed on 2017-09-11 (42 days ago)
InstallationMedia: Ubuntu 16.04.3 LTS "Xenial Xerus" - Release amd64 (20170801)
RelatedPackageVersions:
dpkg 1.18.4ubuntu1.2
apt 1.2.24
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
Title: package shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
UpgradeStatus: No upgrade log present (probably fresh install) |
[Impact]
* When Secure Boot is enabled and MOK is not set and a new dkms module is installed sim-signed asks for a Secure Boot MOK, or aborts package installation in non-interactive mode. When unattended-upgrades performed the upgrade the aborted installation leaves an unconfigured system behind that may even fail to boot. In nvdidia's special case the new module is actually just a new version of the nvidia module which should be fine to install.
* The fix in shim-signed now handles nvidia dkms module directory renames as simple upgrades and also does not handle module removals as a reason to abort installation.
[Test Case (shim-signed)]
1. Set up Bionic system with Secure Boot enabled.
2. Install packagages to trigger MOK enrollment and enroll the key:
apt install dkms shim-signed r8168-dkms
3. Create a new key to be enrolled again:
rm /var/lib/shim-signed/mok/MOK.der
update-secureboot-policy --new-key
4. Simulate module removal and test that the command returns 0:
# echo /var/lib/dkms/zzz >> /var/lib/shim-signed/dkms-list
# env DEBIAN_FRONTEND=noninteractive update-secureboot-policy --enroll-key; echo $?
Running in non-interactive mode, doing nothing.
0
5. Simulate nvidia module rname and test that the command returns 0:
# cat > /var/lib/shim-signed/dkms-list <<EOF
/var/lib/dkms
/var/lib/dkms/nvidia-1
/var/lib/dkms/r8168
EOF
# mkdir /var/lib/dkms/nvidia
# env DEBIAN_FRONTEND=noninteractive ./update-secureboot-policy --enroll-key; echo $?
Running in non-interactive mode, doing nothing.
0
6. Simulate addition of nvidia driver, it should still return 1:
# cat > /var/lib/shim-signed/dkms-list <<EOF
/var/lib/dkms
/var/lib/dkms/r8168
EOF
# env DEBIAN_FRONTEND=noninteractive ./update-secureboot-policy --enroll-key; echo $?Running in non-interactive mode, doing nothing.
--- /var/lib/shim-signed/dkms-list 2018-10-26 19:19:19.526697542 +0200
+++ /var/lib/shim-signed/dkms-list.new 2018-10-26 19:19:19.530697604 +0200
@@ -1,2 +1,3 @@
/var/lib/dkms
+/var/lib/dkms/nvidia
/var/lib/dkms/r8168
1
[Test Case (unattended-upgrades)]
1. Set up a fully - or almost fully updated Bionic system.
2. Install packagages to trigger the block:
apt install dkms shim-signed r8168-dkms
3. Fake enabled secure boot:
echo "shim-signed shim/enable_secureboot boolean true" | debconf-set-selections
4. Add and enable PPA hosting updated dkms package pulling in a new dkms-like dependency:
add-apt-repository ppa:rbalint/scratch
echo 'Unattended-Upgrade::Allowed-Origins {"LP-PPA-rbalint-scratch:${distro_codename}";}' > /etc/apt/apt.conf.d/51unattended-upgrades-all
5. Observe u-u keeping back the new package:
unattended-upgrade --verbose --dry-run --debug
...
Checking: r8168-dkms ([<Origin component:'main' archive:'bionic' origin:'LP-PPA-rbalint-scratch' label:"Scratch space, don't use" site:'ppa.launchpad.net' isTrusted:True>])
pkg new-dkms-dep may trigger secure boot key prompt
sanity check failed
...
[Regression Potential (shim-signed)]
* The fix lets installation of nvidia dkms module upgrades continue and also lets dkms module removals continue when MOK is not set and those should not cause regressions themselves. In case of an implementation mistake a new module installation could go undetected and could cause the system not load a dkms module on next boot.
In practice not loading new modules rarely cause regressions, but if a module is converted from being in the kernel to a dkms module upon an upgrade this is possible.
* I tested the module addition, removal, nvidia module upgrade and not module change cases with stubs pretending that the system is secure-boot capable an found the changed script working properly.
[Regression Potential (unattended-upgrades)]
* Since the fix is holding back packages from installation it is expected that systems that would have otherwise broke during the installation would not receive all updates. Since exact detection of the installation failure reported here does not seem possible u-u holds back more packages than it would be absolutely necessary.
* Administrators are expected to set up email notifications about the updates performed by u-u and act on held back packages.
* Since updates pulling in new packages are fairly rare especially in the -security pocket which u-u installs from by default unwanted regressions are unlikely to show up.
[Original Bug Text]
Occurred a minute after logging in
ProblemType: Package
DistroRelease: Ubuntu 16.04
Package: shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-37.41~16.04.1-generic 4.10.17
Uname: Linux 4.10.0-37-generic x86_64
.proc.sys.kernel.moksbstate_disabled: 0
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
Date: Tue Oct 24 11:35:53 2017
EFITables:
Oct 24 11:33:04 paddy-laptop kernel: efi: EFI v2.40 by American Megatrends
Oct 24 11:33:04 paddy-laptop kernel: efi: ACPI=0x78660000 ACPI 2.0=0x78660000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x79360598
Oct 24 11:33:04 paddy-laptop kernel: esrt: Reserving ESRT space from 0x0000000079360598 to 0x00000000793605d0.
Oct 24 11:33:04 paddy-laptop kernel: Secure boot enabled
ErrorMessage: subprocess installed post-installation script returned error exit status 1
InstallationDate: Installed on 2017-09-11 (42 days ago)
InstallationMedia: Ubuntu 16.04.3 LTS "Xenial Xerus" - Release amd64 (20170801)
RelatedPackageVersions:
dpkg 1.18.4ubuntu1.2
apt 1.2.24
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
Title: package shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
UpgradeStatus: No upgrade log present (probably fresh install) |
|
2018-10-29 21:38:42 |
Brian Murray |
shim-signed (Ubuntu Bionic): status |
Triaged |
Fix Committed |
|
2018-10-29 21:38:45 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2018-10-29 21:38:48 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2018-10-29 21:38:53 |
Brian Murray |
tags |
amd64 apport-package id-5ab94d1375e8d544f030e3fa xenial |
amd64 apport-package id-5ab94d1375e8d544f030e3fa verification-needed verification-needed-bionic xenial |
|
2018-10-30 07:16:36 |
Andre Valdestilhas |
bug |
|
|
added subscriber Andre Valdestilhas |
2018-11-06 16:46:31 |
Balint Reczey |
description |
[Impact]
* When Secure Boot is enabled and MOK is not set and a new dkms module is installed sim-signed asks for a Secure Boot MOK, or aborts package installation in non-interactive mode. When unattended-upgrades performed the upgrade the aborted installation leaves an unconfigured system behind that may even fail to boot. In nvdidia's special case the new module is actually just a new version of the nvidia module which should be fine to install.
* The fix in shim-signed now handles nvidia dkms module directory renames as simple upgrades and also does not handle module removals as a reason to abort installation.
[Test Case (shim-signed)]
1. Set up Bionic system with Secure Boot enabled.
2. Install packagages to trigger MOK enrollment and enroll the key:
apt install dkms shim-signed r8168-dkms
3. Create a new key to be enrolled again:
rm /var/lib/shim-signed/mok/MOK.der
update-secureboot-policy --new-key
4. Simulate module removal and test that the command returns 0:
# echo /var/lib/dkms/zzz >> /var/lib/shim-signed/dkms-list
# env DEBIAN_FRONTEND=noninteractive update-secureboot-policy --enroll-key; echo $?
Running in non-interactive mode, doing nothing.
0
5. Simulate nvidia module rname and test that the command returns 0:
# cat > /var/lib/shim-signed/dkms-list <<EOF
/var/lib/dkms
/var/lib/dkms/nvidia-1
/var/lib/dkms/r8168
EOF
# mkdir /var/lib/dkms/nvidia
# env DEBIAN_FRONTEND=noninteractive ./update-secureboot-policy --enroll-key; echo $?
Running in non-interactive mode, doing nothing.
0
6. Simulate addition of nvidia driver, it should still return 1:
# cat > /var/lib/shim-signed/dkms-list <<EOF
/var/lib/dkms
/var/lib/dkms/r8168
EOF
# env DEBIAN_FRONTEND=noninteractive ./update-secureboot-policy --enroll-key; echo $?Running in non-interactive mode, doing nothing.
--- /var/lib/shim-signed/dkms-list 2018-10-26 19:19:19.526697542 +0200
+++ /var/lib/shim-signed/dkms-list.new 2018-10-26 19:19:19.530697604 +0200
@@ -1,2 +1,3 @@
/var/lib/dkms
+/var/lib/dkms/nvidia
/var/lib/dkms/r8168
1
[Test Case (unattended-upgrades)]
1. Set up a fully - or almost fully updated Bionic system.
2. Install packagages to trigger the block:
apt install dkms shim-signed r8168-dkms
3. Fake enabled secure boot:
echo "shim-signed shim/enable_secureboot boolean true" | debconf-set-selections
4. Add and enable PPA hosting updated dkms package pulling in a new dkms-like dependency:
add-apt-repository ppa:rbalint/scratch
echo 'Unattended-Upgrade::Allowed-Origins {"LP-PPA-rbalint-scratch:${distro_codename}";}' > /etc/apt/apt.conf.d/51unattended-upgrades-all
5. Observe u-u keeping back the new package:
unattended-upgrade --verbose --dry-run --debug
...
Checking: r8168-dkms ([<Origin component:'main' archive:'bionic' origin:'LP-PPA-rbalint-scratch' label:"Scratch space, don't use" site:'ppa.launchpad.net' isTrusted:True>])
pkg new-dkms-dep may trigger secure boot key prompt
sanity check failed
...
[Regression Potential (shim-signed)]
* The fix lets installation of nvidia dkms module upgrades continue and also lets dkms module removals continue when MOK is not set and those should not cause regressions themselves. In case of an implementation mistake a new module installation could go undetected and could cause the system not load a dkms module on next boot.
In practice not loading new modules rarely cause regressions, but if a module is converted from being in the kernel to a dkms module upon an upgrade this is possible.
* I tested the module addition, removal, nvidia module upgrade and not module change cases with stubs pretending that the system is secure-boot capable an found the changed script working properly.
[Regression Potential (unattended-upgrades)]
* Since the fix is holding back packages from installation it is expected that systems that would have otherwise broke during the installation would not receive all updates. Since exact detection of the installation failure reported here does not seem possible u-u holds back more packages than it would be absolutely necessary.
* Administrators are expected to set up email notifications about the updates performed by u-u and act on held back packages.
* Since updates pulling in new packages are fairly rare especially in the -security pocket which u-u installs from by default unwanted regressions are unlikely to show up.
[Original Bug Text]
Occurred a minute after logging in
ProblemType: Package
DistroRelease: Ubuntu 16.04
Package: shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-37.41~16.04.1-generic 4.10.17
Uname: Linux 4.10.0-37-generic x86_64
.proc.sys.kernel.moksbstate_disabled: 0
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
Date: Tue Oct 24 11:35:53 2017
EFITables:
Oct 24 11:33:04 paddy-laptop kernel: efi: EFI v2.40 by American Megatrends
Oct 24 11:33:04 paddy-laptop kernel: efi: ACPI=0x78660000 ACPI 2.0=0x78660000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x79360598
Oct 24 11:33:04 paddy-laptop kernel: esrt: Reserving ESRT space from 0x0000000079360598 to 0x00000000793605d0.
Oct 24 11:33:04 paddy-laptop kernel: Secure boot enabled
ErrorMessage: subprocess installed post-installation script returned error exit status 1
InstallationDate: Installed on 2017-09-11 (42 days ago)
InstallationMedia: Ubuntu 16.04.3 LTS "Xenial Xerus" - Release amd64 (20170801)
RelatedPackageVersions:
dpkg 1.18.4ubuntu1.2
apt 1.2.24
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
Title: package shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
UpgradeStatus: No upgrade log present (probably fresh install) |
[Impact]
* When Secure Boot is enabled and MOK is not set and a new dkms module is installed sim-signed asks for a Secure Boot MOK, or aborts package installation in non-interactive mode. When unattended-upgrades performed the upgrade the aborted installation leaves an unconfigured system behind that may even fail to boot. In nvdidia's special case the new module is actually just a new version of the nvidia module which should be fine to install.
* The fix in shim-signed now handles nvidia dkms module directory renames as simple upgrades and also does not handle module removals as a reason to abort installation.
[Test Case (shim-signed)]
1. Set up Bionic system with Secure Boot enabled.
2. Install packagages to trigger MOK enrollment and enroll the key:
apt install dkms shim-signed r8168-dkms
3. Create a new key to be enrolled again:
rm /var/lib/shim-signed/mok/MOK.der
update-secureboot-policy --new-key
4. Simulate module removal and test that the command returns 0:
# echo /var/lib/dkms/zzz >> /var/lib/shim-signed/dkms-list
# env DEBIAN_FRONTEND=noninteractive update-secureboot-policy --enroll-key; echo $?
Running in non-interactive mode, doing nothing.
0
5. Simulate nvidia module rname and test that the command returns 0:
# cat > /var/lib/shim-signed/dkms-list <<EOF
/var/lib/dkms
/var/lib/dkms/nvidia-1
/var/lib/dkms/r8168
EOF
# mkdir /var/lib/dkms/nvidia
# env DEBIAN_FRONTEND=noninteractive update-secureboot-policy --enroll-key; echo $?
Running in non-interactive mode, doing nothing.
0
6. Simulate addition of nvidia driver, it should still return 1:
# cat > /var/lib/shim-signed/dkms-list <<EOF
/var/lib/dkms
/var/lib/dkms/r8168
EOF
# env DEBIAN_FRONTEND=noninteractive update-secureboot-policy --enroll-key; echo $?Running in non-interactive mode, doing nothing.
--- /var/lib/shim-signed/dkms-list 2018-10-26 19:19:19.526697542 +0200
+++ /var/lib/shim-signed/dkms-list.new 2018-10-26 19:19:19.530697604 +0200
@@ -1,2 +1,3 @@
/var/lib/dkms
+/var/lib/dkms/nvidia
/var/lib/dkms/r8168
1
[Test Case (unattended-upgrades)]
1. Set up a fully - or almost fully updated Bionic system.
2. Install packagages to trigger the block:
apt install dkms shim-signed r8168-dkms
3. Fake enabled secure boot:
echo "shim-signed shim/enable_secureboot boolean true" | debconf-set-selections
4. Add and enable PPA hosting updated dkms package pulling in a new dkms-like dependency:
add-apt-repository ppa:rbalint/scratch
echo 'Unattended-Upgrade::Allowed-Origins {"LP-PPA-rbalint-scratch:${distro_codename}";}' > /etc/apt/apt.conf.d/51unattended-upgrades-all
5. Observe u-u keeping back the new package:
unattended-upgrade --verbose --dry-run --debug
...
Checking: r8168-dkms ([<Origin component:'main' archive:'bionic' origin:'LP-PPA-rbalint-scratch' label:"Scratch space, don't use" site:'ppa.launchpad.net' isTrusted:True>])
pkg new-dkms-dep may trigger secure boot key prompt
sanity check failed
...
[Regression Potential (shim-signed)]
* The fix lets installation of nvidia dkms module upgrades continue and also lets dkms module removals continue when MOK is not set and those should not cause regressions themselves. In case of an implementation mistake a new module installation could go undetected and could cause the system not load a dkms module on next boot.
In practice not loading new modules rarely cause regressions, but if a module is converted from being in the kernel to a dkms module upon an upgrade this is possible.
* I tested the module addition, removal, nvidia module upgrade and not module change cases with stubs pretending that the system is secure-boot capable an found the changed script working properly.
[Regression Potential (unattended-upgrades)]
* Since the fix is holding back packages from installation it is expected that systems that would have otherwise broke during the installation would not receive all updates. Since exact detection of the installation failure reported here does not seem possible u-u holds back more packages than it would be absolutely necessary.
* Administrators are expected to set up email notifications about the updates performed by u-u and act on held back packages.
* Since updates pulling in new packages are fairly rare especially in the -security pocket which u-u installs from by default unwanted regressions are unlikely to show up.
[Original Bug Text]
Occurred a minute after logging in
ProblemType: Package
DistroRelease: Ubuntu 16.04
Package: shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-37.41~16.04.1-generic 4.10.17
Uname: Linux 4.10.0-37-generic x86_64
.proc.sys.kernel.moksbstate_disabled: 0
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
Date: Tue Oct 24 11:35:53 2017
EFITables:
Oct 24 11:33:04 paddy-laptop kernel: efi: EFI v2.40 by American Megatrends
Oct 24 11:33:04 paddy-laptop kernel: efi: ACPI=0x78660000 ACPI 2.0=0x78660000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x79360598
Oct 24 11:33:04 paddy-laptop kernel: esrt: Reserving ESRT space from 0x0000000079360598 to 0x00000000793605d0.
Oct 24 11:33:04 paddy-laptop kernel: Secure boot enabled
ErrorMessage: subprocess installed post-installation script returned error exit status 1
InstallationDate: Installed on 2017-09-11 (42 days ago)
InstallationMedia: Ubuntu 16.04.3 LTS "Xenial Xerus" - Release amd64 (20170801)
RelatedPackageVersions:
dpkg 1.18.4ubuntu1.2
apt 1.2.24
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
Title: package shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
UpgradeStatus: No upgrade log present (probably fresh install) |
|
2018-11-06 16:47:27 |
Balint Reczey |
description |
[Impact]
* When Secure Boot is enabled and MOK is not set and a new dkms module is installed sim-signed asks for a Secure Boot MOK, or aborts package installation in non-interactive mode. When unattended-upgrades performed the upgrade the aborted installation leaves an unconfigured system behind that may even fail to boot. In nvdidia's special case the new module is actually just a new version of the nvidia module which should be fine to install.
* The fix in shim-signed now handles nvidia dkms module directory renames as simple upgrades and also does not handle module removals as a reason to abort installation.
[Test Case (shim-signed)]
1. Set up Bionic system with Secure Boot enabled.
2. Install packagages to trigger MOK enrollment and enroll the key:
apt install dkms shim-signed r8168-dkms
3. Create a new key to be enrolled again:
rm /var/lib/shim-signed/mok/MOK.der
update-secureboot-policy --new-key
4. Simulate module removal and test that the command returns 0:
# echo /var/lib/dkms/zzz >> /var/lib/shim-signed/dkms-list
# env DEBIAN_FRONTEND=noninteractive update-secureboot-policy --enroll-key; echo $?
Running in non-interactive mode, doing nothing.
0
5. Simulate nvidia module rname and test that the command returns 0:
# cat > /var/lib/shim-signed/dkms-list <<EOF
/var/lib/dkms
/var/lib/dkms/nvidia-1
/var/lib/dkms/r8168
EOF
# mkdir /var/lib/dkms/nvidia
# env DEBIAN_FRONTEND=noninteractive update-secureboot-policy --enroll-key; echo $?
Running in non-interactive mode, doing nothing.
0
6. Simulate addition of nvidia driver, it should still return 1:
# cat > /var/lib/shim-signed/dkms-list <<EOF
/var/lib/dkms
/var/lib/dkms/r8168
EOF
# env DEBIAN_FRONTEND=noninteractive update-secureboot-policy --enroll-key; echo $?Running in non-interactive mode, doing nothing.
--- /var/lib/shim-signed/dkms-list 2018-10-26 19:19:19.526697542 +0200
+++ /var/lib/shim-signed/dkms-list.new 2018-10-26 19:19:19.530697604 +0200
@@ -1,2 +1,3 @@
/var/lib/dkms
+/var/lib/dkms/nvidia
/var/lib/dkms/r8168
1
[Test Case (unattended-upgrades)]
1. Set up a fully - or almost fully updated Bionic system.
2. Install packagages to trigger the block:
apt install dkms shim-signed r8168-dkms
3. Fake enabled secure boot:
echo "shim-signed shim/enable_secureboot boolean true" | debconf-set-selections
4. Add and enable PPA hosting updated dkms package pulling in a new dkms-like dependency:
add-apt-repository ppa:rbalint/scratch
echo 'Unattended-Upgrade::Allowed-Origins {"LP-PPA-rbalint-scratch:${distro_codename}";}' > /etc/apt/apt.conf.d/51unattended-upgrades-all
5. Observe u-u keeping back the new package:
unattended-upgrade --verbose --dry-run --debug
...
Checking: r8168-dkms ([<Origin component:'main' archive:'bionic' origin:'LP-PPA-rbalint-scratch' label:"Scratch space, don't use" site:'ppa.launchpad.net' isTrusted:True>])
pkg new-dkms-dep may trigger secure boot key prompt
sanity check failed
...
[Regression Potential (shim-signed)]
* The fix lets installation of nvidia dkms module upgrades continue and also lets dkms module removals continue when MOK is not set and those should not cause regressions themselves. In case of an implementation mistake a new module installation could go undetected and could cause the system not load a dkms module on next boot.
In practice not loading new modules rarely cause regressions, but if a module is converted from being in the kernel to a dkms module upon an upgrade this is possible.
* I tested the module addition, removal, nvidia module upgrade and not module change cases with stubs pretending that the system is secure-boot capable an found the changed script working properly.
[Regression Potential (unattended-upgrades)]
* Since the fix is holding back packages from installation it is expected that systems that would have otherwise broke during the installation would not receive all updates. Since exact detection of the installation failure reported here does not seem possible u-u holds back more packages than it would be absolutely necessary.
* Administrators are expected to set up email notifications about the updates performed by u-u and act on held back packages.
* Since updates pulling in new packages are fairly rare especially in the -security pocket which u-u installs from by default unwanted regressions are unlikely to show up.
[Original Bug Text]
Occurred a minute after logging in
ProblemType: Package
DistroRelease: Ubuntu 16.04
Package: shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-37.41~16.04.1-generic 4.10.17
Uname: Linux 4.10.0-37-generic x86_64
.proc.sys.kernel.moksbstate_disabled: 0
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
Date: Tue Oct 24 11:35:53 2017
EFITables:
Oct 24 11:33:04 paddy-laptop kernel: efi: EFI v2.40 by American Megatrends
Oct 24 11:33:04 paddy-laptop kernel: efi: ACPI=0x78660000 ACPI 2.0=0x78660000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x79360598
Oct 24 11:33:04 paddy-laptop kernel: esrt: Reserving ESRT space from 0x0000000079360598 to 0x00000000793605d0.
Oct 24 11:33:04 paddy-laptop kernel: Secure boot enabled
ErrorMessage: subprocess installed post-installation script returned error exit status 1
InstallationDate: Installed on 2017-09-11 (42 days ago)
InstallationMedia: Ubuntu 16.04.3 LTS "Xenial Xerus" - Release amd64 (20170801)
RelatedPackageVersions:
dpkg 1.18.4ubuntu1.2
apt 1.2.24
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
Title: package shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
UpgradeStatus: No upgrade log present (probably fresh install) |
[Impact]
* When Secure Boot is enabled and MOK is not set and a new dkms module is installed sim-signed asks for a Secure Boot MOK, or aborts package installation in non-interactive mode. When unattended-upgrades performed the upgrade the aborted installation leaves an unconfigured system behind that may even fail to boot. In nvdidia's special case the new module is actually just a new version of the nvidia module which should be fine to install.
* The fix in shim-signed now handles nvidia dkms module directory renames as simple upgrades and also does not handle module removals as a reason to abort installation.
[Test Case (shim-signed)]
1. Set up Bionic system with Secure Boot enabled.
2. Install packagages to trigger MOK enrollment and enroll the key:
apt install dkms shim-signed r8168-dkms
3. Create a new key to be enrolled again:
rm /var/lib/shim-signed/mok/MOK.der
update-secureboot-policy --new-key
4. Simulate module removal and test that the command returns 0:
# echo /var/lib/dkms/zzz >> /var/lib/shim-signed/dkms-list
# env DEBIAN_FRONTEND=noninteractive update-secureboot-policy --enroll-key; echo $?
Running in non-interactive mode, doing nothing.
0
5. Simulate nvidia module rname and test that the command returns 0:
# cat > /var/lib/shim-signed/dkms-list <<EOF
/var/lib/dkms
/var/lib/dkms/nvidia-1
/var/lib/dkms/r8168
EOF
# mkdir /var/lib/dkms/nvidia
# env DEBIAN_FRONTEND=noninteractive update-secureboot-policy --enroll-key; echo $?
Running in non-interactive mode, doing nothing.
0
6. Simulate addition of nvidia driver, it should still return 1:
# cat > /var/lib/shim-signed/dkms-list <<EOF
/var/lib/dkms
/var/lib/dkms/r8168
EOF
# env DEBIAN_FRONTEND=noninteractive update-secureboot-policy --enroll-key; echo $?
Running in non-interactive mode, doing nothing.
--- /var/lib/shim-signed/dkms-list 2018-10-26 19:19:19.526697542 +0200
+++ /var/lib/shim-signed/dkms-list.new 2018-10-26 19:19:19.530697604 +0200
@@ -1,2 +1,3 @@
/var/lib/dkms
+/var/lib/dkms/nvidia
/var/lib/dkms/r8168
1
[Test Case (unattended-upgrades)]
1. Set up a fully - or almost fully updated Bionic system.
2. Install packagages to trigger the block:
apt install dkms shim-signed r8168-dkms
3. Fake enabled secure boot:
echo "shim-signed shim/enable_secureboot boolean true" | debconf-set-selections
4. Add and enable PPA hosting updated dkms package pulling in a new dkms-like dependency:
add-apt-repository ppa:rbalint/scratch
echo 'Unattended-Upgrade::Allowed-Origins {"LP-PPA-rbalint-scratch:${distro_codename}";}' > /etc/apt/apt.conf.d/51unattended-upgrades-all
5. Observe u-u keeping back the new package:
unattended-upgrade --verbose --dry-run --debug
...
Checking: r8168-dkms ([<Origin component:'main' archive:'bionic' origin:'LP-PPA-rbalint-scratch' label:"Scratch space, don't use" site:'ppa.launchpad.net' isTrusted:True>])
pkg new-dkms-dep may trigger secure boot key prompt
sanity check failed
...
[Regression Potential (shim-signed)]
* The fix lets installation of nvidia dkms module upgrades continue and also lets dkms module removals continue when MOK is not set and those should not cause regressions themselves. In case of an implementation mistake a new module installation could go undetected and could cause the system not load a dkms module on next boot.
In practice not loading new modules rarely cause regressions, but if a module is converted from being in the kernel to a dkms module upon an upgrade this is possible.
* I tested the module addition, removal, nvidia module upgrade and not module change cases with stubs pretending that the system is secure-boot capable an found the changed script working properly.
[Regression Potential (unattended-upgrades)]
* Since the fix is holding back packages from installation it is expected that systems that would have otherwise broke during the installation would not receive all updates. Since exact detection of the installation failure reported here does not seem possible u-u holds back more packages than it would be absolutely necessary.
* Administrators are expected to set up email notifications about the updates performed by u-u and act on held back packages.
* Since updates pulling in new packages are fairly rare especially in the -security pocket which u-u installs from by default unwanted regressions are unlikely to show up.
[Original Bug Text]
Occurred a minute after logging in
ProblemType: Package
DistroRelease: Ubuntu 16.04
Package: shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-37.41~16.04.1-generic 4.10.17
Uname: Linux 4.10.0-37-generic x86_64
.proc.sys.kernel.moksbstate_disabled: 0
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
Date: Tue Oct 24 11:35:53 2017
EFITables:
Oct 24 11:33:04 paddy-laptop kernel: efi: EFI v2.40 by American Megatrends
Oct 24 11:33:04 paddy-laptop kernel: efi: ACPI=0x78660000 ACPI 2.0=0x78660000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x79360598
Oct 24 11:33:04 paddy-laptop kernel: esrt: Reserving ESRT space from 0x0000000079360598 to 0x00000000793605d0.
Oct 24 11:33:04 paddy-laptop kernel: Secure boot enabled
ErrorMessage: subprocess installed post-installation script returned error exit status 1
InstallationDate: Installed on 2017-09-11 (42 days ago)
InstallationMedia: Ubuntu 16.04.3 LTS "Xenial Xerus" - Release amd64 (20170801)
RelatedPackageVersions:
dpkg 1.18.4ubuntu1.2
apt 1.2.24
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
Title: package shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1
UpgradeStatus: No upgrade log present (probably fresh install) |
|
2018-11-06 16:51:59 |
Balint Reczey |
tags |
amd64 apport-package id-5ab94d1375e8d544f030e3fa verification-needed verification-needed-bionic xenial |
amd64 apport-package id-5ab94d1375e8d544f030e3fa verification-done verification-done-bionic xenial |
|
2018-11-13 16:30:06 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2018-11-13 16:40:10 |
Launchpad Janitor |
shim-signed (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|