[Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
Mathieu Trudel-Lapierre
mathieu.tl at gmail.com
Fri Mar 31 16:19:16 UTC 2017
Verified shim-signed 1.27~16.10.1 on yakkety:
Processing triggers for systemd (231-9ubuntu3) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up grub-efi-amd64-bin (2.02~beta2-36ubuntu11.2) ...
Setting up grub2-common (2.02~beta2-36ubuntu11.2) ...
Setting up shim-signed (1.27~16.10.1+0.9+1474479173.6c180c6-1ubuntu1) ...
Installing for x86_64-efi platform.
Installation finished. No error reported.
Running in non-interactive mode, doing nothing.
dpkg: error processing package shim-signed (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
shim-signed
E:Sub-process /usr/bin/dpkg returned an error code (1)
Exception happened during upgrade.
Traceback (most recent call last):
File "/usr/bin/unattended-upgrade", line 410, in cache_commit
res = cache.commit(install_progress=iprogress)
File "/usr/lib/python3/dist-packages/apt/cache.py", line 529, in commit
raise SystemError("installArchives() failed")
SystemError: installArchives() failed
Installing the upgrades failed!
error message: 'installArchives() failed'
dpkg returned a error! See '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log' for details
InstCount=0 DelCount=0 BrokenCount=0
Extracting content from '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log' since '2017-03-31 11:51:24'
This failure is the expected result of unattended upgrades where shim-
signed needs to apply a policy change (or prompt the user for one).
Unattended Secure Boot policy changes are not possible as a password is
required that will be entered on reboot.
** Description changed:
[Impact]
Any user with unattended upgrades enabled and DKMS packages in a Secure Boot environment might be prompted to change Secure Boot policy, which will fail and crash in unattended-upgrades.
[Test case]
- 1) Install new package
- 2) Create /var/lib/dkms/TEST-DKMS
- 3) Reboot triggering unattended-upgrades:
- <process TBD>
+ = unattended upgrade =
+ 1) Create /var/lib/dkms/TEST-DKMS
+ 2) Install new package
+ 3) Trigger unattended-upgrades: unattended-upgrades -d
- Upgrade should run smoothly and complete without issue (see original
- description).
+ Upgrade should run smoothly for all the processing but fail to complete;
+ shim-signed should end the unattended upgrade with a error as unattended
+ change of the Secure Boot policy can not be done. Upgrade should not
+ hang in high CPU usage.
+
+ = standard upgrade =
+ 1) Create /var/lib/dkms/TEST-DKMS
+ 2) install new package.
+ 3) Verify that the upgrade completes normally.
+
[Regression Potential]
- Any failure to prompt for or change Secure Boot policy in mokutil (crashes of update-secureboot-policy, higher CPU usage, etc.) would constitute a regression of this SRU.
+ Any failure to prompt for or change Secure Boot policy in mokutil while in an *attended* upgrade scenario would constitute a regression of this SRU.
Any other issues related to booting in Secure Boot mode should instead
be directed to bug 1637290 (shim update).
---
Currently, unattended-upgrades will automatically install all updates
for those running development releases of Ubuntu (LP: #1649709)
Today, my computer was acting very sluggish. Looking at my process list,
I saw/ usr/sbin/update-secureboot-policy was using a log of CPU.
I killed the process. I have a /var/crash/shim-signed.0.crash but since
it's 750 MB, I didn't bother submitting it or looking at it more. Maybe
it crashed because I killed the process. Also, I see that unattended-
upgrades-dpkg.log is 722 MB.
Today's update included both VirtualBox and the linux kernel.
I am attaching an excerpt of /var/log/unattended-upgrades/unattended-
upgrades-dpkg.log
This message was repeated a very large number of times (but I only
included it once in the attachment:
"Invalid password
The Secure Boot key you've entered is not valid. The password used must be
between 8 and 16 characters."
ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: shim-signed 1.23+0.9+1474479173.6c180c6-0ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-11.13-generic 4.10.1
Uname: Linux 4.10.0-11-generic x86_64
NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
ApportVersion: 2.20.4-0ubuntu2
Architecture: amd64
CurrentDesktop: GNOME
Date: Fri Mar 17 11:15:04 2017
EcryptfsInUse: Yes
InstallationDate: Installed on 2017-02-23 (21 days ago)
InstallationMedia: Ubuntu-GNOME 17.04 "Zesty Zapus" - Alpha amd64 (20170219)
SourcePackage: shim-signed
UpgradeStatus: No upgrade log present (probably fresh install)
** Tags added: verification-done-yakkety
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to unattended-upgrades in Ubuntu.
https://bugs.launchpad.net/bugs/1673817
Title:
update-secure-boot-policy behaving badly with unattended-upgrades
Status in shim-signed package in Ubuntu:
Fix Released
Status in unattended-upgrades package in Ubuntu:
Invalid
Status in shim-signed source package in Trusty:
New
Status in unattended-upgrades source package in Trusty:
New
Status in shim-signed source package in Xenial:
Fix Committed
Status in unattended-upgrades source package in Xenial:
New
Status in shim-signed source package in Yakkety:
Fix Committed
Status in unattended-upgrades source package in Yakkety:
New
Bug description:
[Impact]
Any user with unattended upgrades enabled and DKMS packages in a Secure Boot environment might be prompted to change Secure Boot policy, which will fail and crash in unattended-upgrades.
[Test case]
= unattended upgrade =
1) Create /var/lib/dkms/TEST-DKMS
2) Install new package
3) Trigger unattended-upgrades: unattended-upgrades -d
Upgrade should run smoothly for all the processing but fail to
complete; shim-signed should end the unattended upgrade with a error
as unattended change of the Secure Boot policy can not be done.
Upgrade should not hang in high CPU usage.
= standard upgrade =
1) Create /var/lib/dkms/TEST-DKMS
2) install new package.
3) Verify that the upgrade completes normally.
[Regression Potential]
Any failure to prompt for or change Secure Boot policy in mokutil while in an *attended* upgrade scenario would constitute a regression of this SRU.
Any other issues related to booting in Secure Boot mode should instead
be directed to bug 1637290 (shim update).
---
Currently, unattended-upgrades will automatically install all updates
for those running development releases of Ubuntu (LP: #1649709)
Today, my computer was acting very sluggish. Looking at my process
list, I saw/ usr/sbin/update-secureboot-policy was using a log of CPU.
I killed the process. I have a /var/crash/shim-signed.0.crash but
since it's 750 MB, I didn't bother submitting it or looking at it
more. Maybe it crashed because I killed the process. Also, I see that
unattended-upgrades-dpkg.log is 722 MB.
Today's update included both VirtualBox and the linux kernel.
I am attaching an excerpt of /var/log/unattended-upgrades/unattended-
upgrades-dpkg.log
This message was repeated a very large number of times (but I only
included it once in the attachment:
"Invalid password
The Secure Boot key you've entered is not valid. The password used must be
between 8 and 16 characters."
ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: shim-signed 1.23+0.9+1474479173.6c180c6-0ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-11.13-generic 4.10.1
Uname: Linux 4.10.0-11-generic x86_64
NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
ApportVersion: 2.20.4-0ubuntu2
Architecture: amd64
CurrentDesktop: GNOME
Date: Fri Mar 17 11:15:04 2017
EcryptfsInUse: Yes
InstallationDate: Installed on 2017-02-23 (21 days ago)
InstallationMedia: Ubuntu-GNOME 17.04 "Zesty Zapus" - Alpha amd64 (20170219)
SourcePackage: shim-signed
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1673817/+subscriptions
More information about the foundations-bugs
mailing list