[Bug 1571388] Re: grub-efi-amd64: prompted to disable SecureBoot on upgrade from 2.02~beta2-36ubuntu2 to 2.02~beta2-36ubuntu3

Mathieu Trudel-Lapierre mathieu.tl at gmail.com
Mon Apr 3 16:15:33 UTC 2017 

There is still some work needed here; update-secureboot-policy may
prompt in the wrong cases. Moving to 'ubuntu-17.05', since it's not the
principal focus while scrambling to release Zesty.

Most of the required work here is going to be to properly handle
/proc/sys/kernel/moksbstate_disabled and /proc/sys/kernel/secure_boot in
update-secureboot-policy; and all of it will be done in the shim-signed
package.

** Package changed: grub2 (Ubuntu) => shim-signed (Ubuntu)

** Changed in: shim-signed (Ubuntu)
       Status: Confirmed => Triaged

** Changed in: shim-signed (Ubuntu)
    Milestone: ubuntu-17.03 => ubuntu-17.05

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1571388

Title:
  grub-efi-amd64: prompted to disable SecureBoot on upgrade from
  2.02~beta2-36ubuntu2 to 2.02~beta2-36ubuntu3

Status in shim-signed package in Ubuntu:
  Triaged

Bug description:
  Despite the fact that grub2 2.02~beta2-36ubuntu3 was a no-change
  rebuild, upon upgrading to it on my system, I received a debconf
  prompt offering to disable UEFI secure boot.

  This system has Secure Boot enabled and has no dkms modules installed.
  There should not be a prompt by grub on upgrade to disable; if this
  was going to be shown at all (which it wasn't, and shouldn't have
  been), it should have happened on the initial xenial upgrade.

  Looking at the postinst code, I see that it prompts if the dkms
  package is installed:

      # nothing to do if there is no dkms package installed.
      if ! dpkg -l dkms | grep -qc ii; then
          return
      fi

  Ok, I do have the dkms package installed, even though I don't have any
  dkms-using packages installed.  (BTW, 'grep -qc ii' should probably be
  written 'grep -q ^ii')  But then, this prompt should have shown up for
  me during the upgrade to xenial, *not* in this minor upgrade to the
  grub package.  So why did it not?

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: grub-efi-amd64 2.02~beta2-36ubuntu3
  ProcVersionSignature: Ubuntu 4.4.0-18.34-generic 4.4.6
  Uname: Linux 4.4.0-18-generic x86_64
  ApportVersion: 2.20.1-0ubuntu2
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Sun Apr 17 11:27:09 2016
  InstallationDate: Installed on 2010-09-24 (2032 days ago)
  InstallationMedia: Ubuntu 10.04.1 LTS "Lucid Lynx" - Release amd64 (20100816.1)
  SourcePackage: grub2
  UpgradeStatus: Upgraded to xenial on 2016-04-15 (2 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1571388/+subscriptions

More information about the foundations-bugs mailing list