Failure to quote variable containing secureboot password (errors out with whitespace) package shim-signed 1.34.9+13-0ubuntu2 failed to install/upgrade: installed shim-signed package post-installation script subprocess returned error exit status 2

Bug #1770579 reported by Dheepan
This bug affects 1 person
Affects                 Status        Importance  Assigned to              Milestone
shim-signed (Ubuntu)    Fix Released  High        Mathieu Trudel-Lapierre
  Bionic                Fix Released  High        Mathieu Trudel-Lapierre
  Cosmic                Fix Released  High        Mathieu Trudel-Lapierre

Bug Description

[Impact]
Any user of third-party (DKMS) modules with Secure Boot enabled who tries to use a space in the MOK password will experience a maintainer script failure, and the package will be left unconfigured.

[Test case]
1) Delete /var/lib/shim-signed/mok/MOK.* if they exist.
2) Run 'sudo update-secureboot-policy --new-key'
3) Run 'sudo update-secureboot-policy --enroll-key'
4) When prompted, enter a password containing the space character.

[Regression potential]
Issues to watch for are anything related to password handling (failing to obtain the password, or failing to continue past the debconf prompts without error), failure to enroll keys, or being unable to use DKMS modules after rebooting and successfully enrolling the key.

--

This happened when I tried to set up the boot key during the 18.04 upgrade.
Exits with error code 2.

ProblemType: Package
DistroRelease: Ubuntu 18.04
Package: shim-signed 1.34.9+13-0ubuntu2
ProcVersionSignature: Ubuntu 4.15.0-20.21-generic 4.15.17
Uname: Linux 4.15.0-20-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
.proc.sys.kernel.moksbstate_disabled: Error: [Errno 2] No such file or directory: '/proc/sys/kernel/moksbstate_disabled'
ApportVersion: 2.20.9-0ubuntu7
Architecture: amd64
Date: Wed May 9 20:01:47 2018
EFITables:
 May 11 23:30:27 dheepan-tower kernel: efi: EFI v2.40 by American Megatrends
 May 11 23:30:27 dheepan-tower kernel: efi: ESRT=0xbfed1d98 ACPI=0xbe576000 ACPI 2.0=0xbe576000 SMBIOS=0xbfed0000 SMBIOS 3.0=0xbfecf000 MPS=0xfc9e0
 May 11 23:30:27 dheepan-tower kernel: secureboot: Secure boot disabled
 May 11 23:30:27 dheepan-tower kernel: esrt: Reserving ESRT space from 0x00000000bfed1d98 to 0x00000000bfed1dd0.
ErrorMessage: installed shim-signed package post-installation script subprocess returned error exit status 2
InstallationDate: Installed on 2017-11-18 (173 days ago)
InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Release amd64 (20171018)
MokSBStateRT: 6 0 0 0 1
Python3Details: /usr/bin/python3.6, Python 3.6.5, python3-minimal, 3.6.5-3
PythonDetails: /usr/bin/python2.7, Python 2.7.15rc1, python-minimal, 2.7.15~rc1-1
RelatedPackageVersions:
 dpkg 1.19.0.5ubuntu2
 apt 1.6.1
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
Title: package shim-signed 1.34.9+13-0ubuntu2 failed to install/upgrade: installed shim-signed package post-installation script subprocess returned error exit status 2
UpgradeStatus: Upgraded to bionic on 2018-05-09 (1 days ago)

Revision history for this message
Dheepan (idheepan) wrote :
tags: removed: need-duplicate-check
Revision history for this message
Steve Langasek (vorlon) wrote :

Line 90 of this script is:

    local key=$1

This is an error in the code; up until this point the password is quoted everywhere so that it will properly handle whitespace within the string, then at this point it is not.

Changed in shim-signed (Ubuntu):
importance: Undecided → High
status: New → Triaged
summary: - package shim-signed 1.34.9+13-0ubuntu2 failed to install/upgrade:
- installed shim-signed package post-installation script subprocess
- returned error exit status 2
+ Failure to quote variable containing secureboot password (errors out
+ with whitespace) package shim-signed 1.34.9+13-0ubuntu2 failed to
+ install/upgrade: installed shim-signed package post-installation script
+ subprocess returned error exit status 2
Changed in shim-signed (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
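The defect Steve points at is a plain shell-quoting bug: the password is a single argument until the one place where it is expanded unquoted. The following is an added illustration, not code from shim-signed or from anyone in this report. It uses a hypothetical `mokutil_stub` in place of `mokutil --import` (it reads the password and its confirmation from stdin, one per line, and fails on mismatch), and two hypothetical enrolment helpers, `enroll_unquoted` and `enroll_quoted`. The report's own line, `local key=$1`, is field-split by dash (Ubuntu's /bin/sh) but treated as an assignment word by bash, so to make the behaviour reproducible in any POSIX shell the example puts the unquoted expansion in an ordinary argument position, where every shell splits it.

```sh
#!/bin/sh
# Added example (hypothetical names), not the real update-secureboot-policy.

# Hypothetical stand-in for `mokutil --import`: reads the password and its
# confirmation from stdin, one per line; exit 2 if a line is missing,
# exit 1 if they differ, otherwise echo the accepted password.
mokutil_stub() {
    IFS= read -r pw1 || return 2
    IFS= read -r pw2 || return 2
    [ "$pw1" = "$pw2" ] || return 1
    printf '%s' "$pw1"
}

# Buggy variant: $key and $again are expanded unquoted on the printf line,
# so "my mok pass" is field-split (and glob-expanded) into three words.
# mokutil_stub then sees "my" and "mok" as the two password lines.
enroll_unquoted() {
    key=$1
    again=$2
    printf '%s\n%s\n' $key $again | mokutil_stub
}

# Fixed variant: every expansion of the password is double-quoted, so a
# password with whitespace (or glob characters) reaches the stub intact.
enroll_quoted() {
    key=$1      # a plain assignment word: no splitting in any POSIX shell
    again=$2
    printf '%s\n%s\n' "$key" "$again" | mokutil_stub
}
```

A call such as `enroll_quoted 'my mok pass' 'my mok pass'` prints the password back, while `enroll_unquoted` with the same arguments fails; with a password that contains no whitespace both variants succeed, which is why the defect only surfaced once a user chose a password with a space.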
Revision history for this message
Steve Langasek (vorlon) wrote :

You can work around this problem by reconfiguring and choosing a password without spaces (sudo dpkg --configure -a).

Steve Langasek (vorlon)
Changed in shim-signed (Ubuntu Bionic):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
importance: Undecided → High
status: New → Triaged
tags: added: id-5af999195fa3c7cd33a518db
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.35

---------------
shim-signed (1.35) cosmic; urgency=medium

  * update-secureboot-policy: fix quoting for key/again password handling to
    mokutil. (LP: #1770579)
  * update-secureboot-policy: don't allow backtracking at the "main" question
    for whether to enroll a new MOK. (LP: #1767091)

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 31 May 2018 17:46:46 -0400

Changed in shim-signed (Ubuntu Cosmic):
status: Triaged → Fix Released
description: updated
Steve Langasek (vorlon)
description: updated
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Dheepan, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.34.9.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Bionic):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-bionic
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification-done on bionic with shim-signed/1.34.9.1:

update-secureboot-policy now properly accepts passwords with spaces, and passes them cleanly to mokutil.

tags: added: verification-done-bionic
removed: verification-needed verification-needed-bionic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.34.9.1

---------------
shim-signed (1.34.9.1) bionic; urgency=medium

  * update-secureboot-policy: fix quoting for key/again password handling to
    mokutil. (LP: #1770579)
  * update-secureboot-policy: don't allow backtracking at the "main" question
    for whether to enroll a new MOK. (LP: #1767091)

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 11 Jun 2018 15:23:28 -0400

Changed in shim-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for shim-signed has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Steve Langasek (vorlon) wrote :

This SRU has been rolled back due to functional regressions that have been reported when chainloading from shim 15 to shim 13 in MAAS. Investigation is ongoing.

Changed in shim-signed (Ubuntu Bionic):
status: Fix Released → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.37~18.04.2

---------------
shim-signed (1.37~18.04.2) bionic; urgency=medium

  * debian/control: add Breaks: grub-efi-amd64-signed (<< 1.93.7), as the new
    version of shim exercises a bug in relocation code for chainload that was
    fixed in that upload of grub, affecting Windows 7, Windows 10, and some
    netboot scenarios where chainloading is required. (LP: #1792575)

shim-signed (1.37~18.04.1) bionic; urgency=medium

  * Backport shim-signed 1.37 to Ubuntu 18.04. (LP: #1790724)

shim-signed (1.37) cosmic; urgency=medium

  * Update to the signed 15+1533136590.3beb971-0ubuntu1 binary from Microsoft.
  * debian/real-po: replace debian/po to make sure things are translatable
    via Launchpad.

 -- Mathieu Trudel-Lapierre <email address hidden> Fri, 28 Sep 2018 11:02:56 -0400

Changed in shim-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released