[Bug 1814575] Re: Updates failing because "db is empty"
Launchpad Bug Tracker
1814575 at bugs.launchpad.net
Thu Feb 14 16:22:00 UTC 2019
This bug was fixed in the package grub2 - 2.02+dfsg1-5ubuntu8.2
---------------
grub2 (2.02+dfsg1-5ubuntu8.2) cosmic; urgency=medium
[ Mathieu Trudel-Lapierre ]
* debian/grub-check-signatures: properly account for DB showing as empty on
some broken firmwares: Guard against mokutil --export --db failing, and do
a better job at finding the DER certs for conversion to PEM format.
(LP: #1814575)
[ Steve Langasek ]
* debian/patches/quick-boot-lvm.patch: checking the return value of
'lsefi' when the command doesn't exist does not do what's expected, so
instead check the value of $grub_platform which is simpler anyway.
LP: #1814403.
-- Mathieu Trudel-Lapierre <cyphermox at ubuntu.com> Tue, 05 Feb 2019
11:05:56 -0500
** Changed in: grub2 (Ubuntu Cosmic)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1814575
Title:
Updates failing because "db is empty"
Status in grub2 package in Ubuntu:
Fix Released
Status in grub2-signed package in Ubuntu:
Fix Released
Status in grub2 source package in Bionic:
Fix Released
Status in grub2-signed source package in Bionic:
Fix Released
Status in grub2 source package in Cosmic:
Fix Released
Bug description:
[SRU Justification]
There is a behavior regression on some EFI systems with specific firmwares (right now, Lenovo, X230 and newer are known to be affected), where mokutil --export --db returns "db is empty" and can lead to no .der certificates being exported at all. Further steps in grub-check-signatures would thus error out.
[Test case]
Run at least once on a Lenovo T450 (cyphermox).
1. Install a system using UEFI mode.
2. Reboot
3. Fully upgrade system.
4. Run 'sudo /usr/share/grub-check-signatures'; verify that it fails (openssl errors and "db is empty").
5. Install grub* from -proposed.
6. Verify that the upgrade completes successfully.
[Regression potential]
The test case is sufficient to verify all possible paths work correctly after the SRU, provided it is run on both non-affected systems and affected systems.
Fix this:
On some Thinkpads (up to now, no other manufacturers appear to show
this), db can be reported to be empty even though it's not. It seems
to be a firmware issue, but it's one we can work around.
So, fix this type of failure:
Setting up grub-efi-amd64-signed (1.112+2.02+dfsg1-5ubuntu10) ...
db is empty
Can't open *.der for reading, No such file or directory
140033418155072:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('*.der','rb')
140033418155072:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
unable to load certificate
dpkg: error processing package grub-efi-amd64-signed (--configure):
installed grub-efi-amd64-signed package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent processing triggers for shim-signed:
shim-signed depends on grub-efi-amd64-signed | grub-efi-arm64-signed; however:
Package grub-efi-amd64-signed is not configured yet.
Package grub-efi-arm64-signed is not installed.
dpkg: error processing package shim-signed (--configure):
dependency problems - leaving triggers unprocessed
Errors were encountered while processing:
grub-efi-amd64-signed
shim-signed
E: Sub-process /usr/bin/dpkg returned an error code (1)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1814575/+subscriptions
More information about the foundations-bugs
mailing list