[Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades

Mathieu Trudel-Lapierre mathieu.tl at gmail.com
Fri Mar 31 18:24:26 UTC 2017 

Verified shim-signed 1.27~16.04.1 on xenial:

Processing triggers for shared-mime-info (1.5-2ubuntu0.1) ...
Setting up libreoffice-core (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-base-core (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-calc (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-gtk (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-gnome (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-writer (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-draw (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-impress (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-ogltrans (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-pdfimport (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up python3-uno (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-math (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-avmedia-backend-gstreamer (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Processing triggers for bamfdaemon (0.5.3~bzr0+16.04.20160824-0ubuntu1) ...
Rebuilding /usr/share/applications/bamf-2.index...
Processing triggers for fontconfig (2.11.94-0ubuntu1.1) ...
Processing triggers for libc-bin (2.23-0ubuntu7) ...
Processing triggers for initramfs-tools (0.122ubuntu8.8) ...
update-initramfs: Generating /boot/initrd.img-4.8.0-45-generic
Processing triggers for systemd (229-4ubuntu17) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for resolvconf (1.78ubuntu4) ...
Errors were encountered while processing:
 shim-signed
E:Sub-process /usr/bin/dpkg returned an error code (1)
Exception happened during upgrade.
Traceback (most recent call last):
  File "/usr/bin/unattended-upgrade", line 408, in cache_commit
    res = cache.commit(install_progress=iprogress)
  File "/usr/lib/python3/dist-packages/apt/cache.py", line 519, in commit
    raise SystemError("installArchives() failed")
SystemError: installArchives() failed
Installing the upgrades failed!
error message: 'installArchives() failed'
dpkg returned a error! See '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log' for details
marking snap-confine for remove
Packages that are auto removed: 'snap-confine'
(Reading database ... 207712 files and directories currently installed.)
Removing snap-confine (2.23.1) ...
Setting up shim-signed (1.27~16.04.1+0.9+1474479173.6c180c6-1ubuntu1) ...
Installing for x86_64-efi platform.
Installation finished. No error reported.
Running in non-interactive mode, doing nothing.
dpkg: error processing package shim-signed (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 shim-signed
E:Sub-process /usr/bin/dpkg returned an error code (1)
Exception happened during upgrade.
Traceback (most recent call last):
  File "/usr/bin/unattended-upgrade", line 408, in cache_commit
    res = cache.commit(install_progress=iprogress)
  File "/usr/lib/python3/dist-packages/apt/cache.py", line 519, in commit
    raise SystemError("installArchives() failed")
SystemError: installArchives() failed
Auto-removing the packages failed!
Error message: 'installArchives() failed'
dpkg returned an error! See '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log' for details
InstCount=0 DelCount=1 BrokenCount=0
Extracting content from '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log' since '2017-03-31 14:08:17'

** Tags removed: verification-needed
** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to unattended-upgrades in Ubuntu.
https://bugs.launchpad.net/bugs/1673817

Title:
  update-secure-boot-policy behaving badly with unattended-upgrades

Status in shim-signed package in Ubuntu:
  Fix Released
Status in unattended-upgrades package in Ubuntu:
  Invalid
Status in shim-signed source package in Trusty:
  New
Status in unattended-upgrades source package in Trusty:
  New
Status in shim-signed source package in Xenial:
  Fix Committed
Status in unattended-upgrades source package in Xenial:
  New
Status in shim-signed source package in Yakkety:
  Fix Committed
Status in unattended-upgrades source package in Yakkety:
  New

Bug description:
  [Impact]
  Any user with unattended upgrades enabled and DKMS packages in a Secure Boot environment might be prompted to change Secure Boot policy, which will fail and crash in unattended-upgrades.

  [Test case]
  = unattended upgrade =
  1) Create /var/lib/dkms/TEST-DKMS
  2) Install new package
  3) Trigger unattended-upgrades: unattended-upgrades -d

  Upgrade should run smoothly for all the processing but fail to
  complete; shim-signed should end the unattended upgrade with a error
  as unattended change of the Secure Boot policy can not be done.
  Upgrade should not hang in high CPU usage.

  = standard upgrade =
  1) Create /var/lib/dkms/TEST-DKMS
  2) install new package.
  3) Verify that the upgrade completes normally. 

  
  [Regression Potential]
  Any failure to prompt for or change Secure Boot policy in mokutil while in an *attended* upgrade scenario would constitute a regression of this SRU.

  Any other issues related to booting in Secure Boot mode should instead
  be directed to bug 1637290 (shim update).

  ---

  Currently, unattended-upgrades will automatically install all updates
  for those running development releases of Ubuntu (LP: #1649709)

  Today, my computer was acting very sluggish. Looking at my process
  list, I saw/ usr/sbin/update-secureboot-policy was using a log of CPU.

  I killed the process. I have a /var/crash/shim-signed.0.crash but
  since it's 750 MB, I didn't bother submitting it or looking at it
  more. Maybe it crashed because I killed the process. Also, I see that
  unattended-upgrades-dpkg.log is 722 MB.

  Today's update included both VirtualBox and the linux kernel.

  I am attaching an excerpt of /var/log/unattended-upgrades/unattended-
  upgrades-dpkg.log

  This message was repeated a very large number of times (but I only
  included it once in the attachment:

  "Invalid password

  The Secure Boot key you've entered is not valid. The password used must be
  between 8 and 16 characters."

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: shim-signed 1.23+0.9+1474479173.6c180c6-0ubuntu1
  ProcVersionSignature: Ubuntu 4.10.0-11.13-generic 4.10.1
  Uname: Linux 4.10.0-11-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
  ApportVersion: 2.20.4-0ubuntu2
  Architecture: amd64
  CurrentDesktop: GNOME
  Date: Fri Mar 17 11:15:04 2017
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2017-02-23 (21 days ago)
  InstallationMedia: Ubuntu-GNOME 17.04 "Zesty Zapus" - Alpha amd64 (20170219)
  SourcePackage: shim-signed
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1673817/+subscriptions

More information about the foundations-bugs mailing list