Ubuntu
shim-signed package

System with SecureBoot enabled do not boot after do-release-upgrade from Focal to Groovy

Focal (20.04)
Bug #1900471

Bug #1900471 reported by Matthieu Clemenceau on 2020-10-19

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	shim-signed (Ubuntu)	Invalid	High	Unassigned
	Focal	Triaged	Undecided	Julian Andres Klode

Bug Description

I just updated from Focal to Groovy using do-release-upgrade -d

Once the upgrade complete, I performed the recommended reboot.

On reboot, I was facing with the following message
Selected boot image did not Authenticate. Press ,Enter> to Continue.

Pressing Enter simply turn off the Computer.

In order to work around this and got back to a fully working desktop with Groovy
I had to disable SecureBoot in the Bios

Here is additional information

mclemenceau@MattCSpectre ~ $ efibootmgr -v
BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 9999,0001,0000,0002
Boot0000* Windows Boot Manager HD(2,GPT,2a77a871-117a-41c5-8295-9b73b3e7c100,0xfa000,0x32000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}...8................
Boot0001* ubuntu HD(1,GPT,2b176ba5-80f1-4cfc-8078-a847a03ad305,0x800,0x100000)/File(\EFI\ubuntu\grubx64.efi)
Boot0002* Solid State Disk PciRoot(0x0)/Pci(0x1d,0x0)/Pci(0x0,0x0)/NVMe(0x1,00-08-0D-03-00-1F-40-FA)/HD(1,GPT,2b176ba5-80f1-4cfc-8078-a847a03ad305,0x800,0x100000)..BO
Boot9999* USB Drive (UEFI) PciRoot(0x0)/Pci(0x1d,0x0)/USB(16,0)..BO

shim-signed 1.41+15+1552672080.a4a1fbe-0ubuntu1
grub-efi-amd64-signed 1.155+2.04-1ubuntu35

ProblemType: Bug
DistroRelease: Ubuntu 20.10
Package: ubuntu-release-upgrader-core 1:20.10.12
ProcVersionSignature: Ubuntu 5.8.0-23.24-generic 5.8.14
Uname: Linux 5.8.0-23-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu50
Architecture: amd64
CasperMD5CheckResult: skip
CrashDB: ubuntu
CurrentDesktop: ubuntu:GNOME
Date: Mon Oct 19 12:51:40 2020
InstallationDate: Installed on 2020-01-05 (287 days ago)
InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017)
PackageArchitecture: all
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: ubuntu-release-upgrader
UpgradeStatus: Upgraded to groovy on 2020-10-19 (0 days ago)
VarLogDistupgradeXorgFixuplog:
INFO:root:/usr/bin/do-release-upgrade running
INFO:root:No xorg.conf, exiting

Tags:

Revision history for this message

Matthieu Clemenceau (mclemenceau) wrote on 2020-10-19:

CurrentDmesg.txt.txt Edit (78.3 KiB, text/plain; charset="utf-8")
Dependencies.txt Edit (2.4 KiB, text/plain; charset="utf-8")
ProcCpuinfoMinimal.txt Edit (1.4 KiB, text/plain; charset="utf-8")
VarLogDistupgradeAptHistorylog.txt Edit (149.4 KiB, text/plain; charset="utf-8")
VarLogDistupgradeAptclonesystemstate.tar.gz Edit (535.9 KiB, application/x-gzip)
VarLogDistupgradeAptlog.txt Edit (124.7 KiB, text/plain; charset="utf-8")
VarLogDistupgradeApttermlog.txt Edit (358.6 KiB, text/plain; charset="utf-8")
VarLogDistupgradeLspcitxt.txt Edit (2.3 KiB, text/plain; charset="utf-8")
VarLogDistupgradeMainlog.txt Edit (100.8 KiB, text/plain; charset="utf-8")

Revision history for this message

Steve Langasek (vorlon) wrote on 2020-10-19:

https://launchpadlibrarian.net/502684878/VarLogDistupgradeApttermlog.txt shows zero references to shim-signed. This is concerning.

Revision history for this message

Steve Langasek (vorlon) wrote on 2020-10-19:

https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/+bug/1900471/+attachment/5424331/+files/VarLogDistupgradeAptlog.txt shows
MarkPurge shim:amd64 < 15+1552672080.a4a1fbe-0ubuntu2 @ii gK > FU=1

Again, no references to shim-signed.

You've said that shim-signed is now installed on your system. But it's also installed at a version which is not current in any series in the archive. You listed shim-signed 1.41+15+1552672080.a4a1fbe-0ubuntu1; the current in groovy is 1.43+15+1552672080.a4a1fbe-0ubuntu2.

Revision history for this message

Steve Langasek (vorlon) wrote on 2020-10-19:

Have confirmed looking at the apt-clone attachment that shim-signed was in state 'deinstall ok config-files' prior to the dist-upgrade. So this is not a bug in the upgrader per se; the thing to figure out is when and why shim-signed was removed prior to this.

Revision history for this message

Matthieu Clemenceau (mclemenceau) wrote on 2020-10-19:

term.log Edit (92.2 KiB, text/plain)

Adding /var/log/apt/term.log

Revision history for this message

Steve Langasek (vorlon) wrote on 2020-10-19:

So shim-signed was removed as part of an apt transaction that didn't touch any other packages. This looks like an 'autoremove' run. Can you also attach /var/log/apt/history.log?

Revision history for this message

Matthieu Clemenceau (mclemenceau) wrote on 2020-10-19:

history.log Edit (19.6 KiB, text/plain)

see attached log.

as you can see in the log shim-signed was removed during the dist upgrade.
The last call in the log was me adding it back.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2020-10-20:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu-release-upgrader (Ubuntu):
status:	New → Confirmed

Sebastien Bacher (seb128) on 2020-10-20

tags:

added: rls-gg-incoming

Revision history for this message

Lukas Märdian (slyon) wrote on 2020-10-20:

Could this be a duplicate of LP: #1898729 ?

Revision history for this message

Steve Langasek (vorlon) wrote on 2020-10-20:

#10

> Remove: shim-signed:amd64 (1.41+15+1552672080.a4a1fbe-0ubuntu1)

The issue is that a newer version of shim-signed was installed than the version published in focal-updates, but your version of shim was older than the one in focal-updates, so a dist-upgrade forced removal of shim-signed and upgrade of shim.

https://launchpad.net/ubuntu/+source/shim-signed/1.41/+publishinghistory

This version of shim-signed was published to the focal release pocket prior to GA, so some users still have it on their system.

We should NOT have published shim-signed 1.40.4 with a lower version number than the highest version than had ever been in the focal release pocket.

I believe we need to rev the shim-signed SRU in focal to 1.41.1 to correct this issue, which is a separate one from apt choosing to remove shim-signed. Without this version fix, the other fix will never *reach* users of focal who are affected by this particular bug.

affects:	ubuntu-release-upgrader (Ubuntu) → shim-signed (Ubuntu)
Changed in shim-signed (Ubuntu):
assignee:	nobody → Julian Andres Klode (juliank)
importance:	Undecided → High
status:	Confirmed → Triaged
status:	Triaged → Invalid
assignee:	Julian Andres Klode (juliank) → nobody
Changed in shim-signed (Ubuntu Focal):
status:	New → Triaged
assignee:	nobody → Julian Andres Klode (juliank)

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntushim-signed package

System with SecureBoot enabled do not boot after do-release-upgrade from Focal to Groovy

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
shim-signed package