[Bug 1833277] Re: Livepatch widget should link to secure boot information on error

Matthew Paul Thomas mpt at canonical.com
Thu Jul 4 10:24:51 UTC 2019


Whoops, I forgot that Livepatch was LTS-only. I guess that gives us more
time to fix it nicely.

I don’t see why we’d need to look at error text from the Livepatch CLI —
if we can detect that Secure Boot is on, we already know Livepatch isn’t
going to work, regardless of whether canonical-livepatch is running at
the moment.

Meanwhile, it occurs to me that for “a dialog if a Livepatch update
doesn’t apply”, that dialog could be the Software Updater prompt — which
is going to appear anyway, and already promotes Livepatch if it’s off
(cf. bug 1807900), and should therefore be smart enough to do something
different if Livepatch is turned on but not working. That would avoid
any increase in total interruptions.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-notifier in Ubuntu.
https://bugs.launchpad.net/bugs/1833277

Title:
  Livepatch widget should link to secure boot information on error

Status in update-notifier package in Ubuntu:
  Triaged

Bug description:
  The livepatch widget will show an error[0] if patches cannot be
  applied. They cannot be applied on a Secure Boot system unless the
  livepatch signing key is imported. Unfortunately this requires a
  reboot and some confirmation in the UEFI settings, so it can't be
  automated.

  `canonical-livepatch help` displays some instructions to fix this:

  
  SECUREBOOT:
         If you are using secure boot, you will also need to import the livepatch public keys into your keyring.

         This can be done with the following command:
         sudo mokutil --import /snap/canonical-livepatch/current/keys/livepatch-kmod.x509

         After this enter a password if necessary for MOK, then reboot.
         Your BIOS will then guide you through enrolling a new key in MOK.
         At this point you will be able to verify the module signatures.

  This is probably something worth linking to from that error message.
  In general, we might need a page explaining other reasons the kernel
  can't be patched, how to get more details from the system log, etc.

  c@slate:~$ canonical-livepatch status
  client-version: 9.3.0
  architecture: x86_64
  cpu-model: Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
  last-check: 2019-06-18T10:40:35-05:00
  boot-time: 2019-06-18T11:05:06-05:00
  uptime: 50m59s
  status:
  - kernel: 4.15.0-51.55-generic
    running: true
    livepatch:
      checkState: check-failed
      patchState: apply-failed
      version: "52.3"
      fixes: |-
        * CVE-2019-11477
        * CVE-2019-11478

  [0] https://drive.google.com/file/d/1cQbtCNE-ekoPO159SJDwKrjPGpkSuucm/view?usp=sharing

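As an added illustration of the check this thread asks for (not code from the bug report or from update-notifier): a POSIX shell script that decides, from the SecureBoot EFI variable, the MOK enrolment state of the Livepatch signing key and the patchState in canonical-livepatch status output, whether an apply failure should be explained with the Secure Boot key instructions quoted above rather than a generic error. The efivarfs layout (4 attribute bytes, then the value) is standard; the wording of mokutil --test-key output is an assumption, and the status text from the bug report is embedded as a constructed sample instead of invoking the client.

```shell
#!/bin/sh
# Added example, not from the bug report: classify a Livepatch apply failure.

# Interpret the data byte of the SecureBoot EFI variable (1 = enabled).
sb_state_from_byte() {
    case "$1" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Read SecureBoot-<GUID> from efivarfs; skip the 4 leading attribute bytes.
secure_boot_state() {
    f=$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n1)
    if [ -z "$f" ]; then
        echo unknown   # not a UEFI boot, or efivarfs not mounted
        return
    fi
    byte=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
    sb_state_from_byte "$byte"
}

# Is the Livepatch kernel-module key already in the MOK list?
# Assumption: `mokutil --test-key FILE` prints "FILE is already enrolled"
# when it is, and "FILE is not enrolled" otherwise.
livepatch_key_enrolled() {
    key=/snap/canonical-livepatch/current/keys/livepatch-kmod.x509
    if ! command -v mokutil >/dev/null 2>&1 || [ ! -r "$key" ]; then
        echo unknown
        return
    fi
    if mokutil --test-key "$key" 2>/dev/null | grep -q 'is already enrolled'; then
        echo yes
    else
        echo no
    fi
}

# Pull the first patchState value out of `canonical-livepatch status` text.
patch_state_from_status() {
    state=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*patchState:[[:space:]]*//p' | head -n1)
    if [ -z "$state" ]; then echo unknown; else echo "$state"; fi
}

# Decide what the widget should say: $1 patchState, $2 secure boot state,
# $3 key enrolled (yes/no/unknown).
livepatch_advice() {
    if [ "$1" != "apply-failed" ]; then
        echo ok
        return
    fi
    if [ "$2" = enabled ] && [ "$3" != yes ]; then
        echo secure-boot-key-missing   # point the user at the mokutil/MOK steps
        return
    fi
    echo generic-failure               # link to the general troubleshooting page
}

# Constructed sample: the status block captured in the bug report.
SAMPLE_STATUS='client-version: 9.3.0
architecture: x86_64
status:
- kernel: 4.15.0-51.55-generic
  running: true
  livepatch:
    checkState: check-failed
    patchState: apply-failed
    version: "52.3"'

sb=$(secure_boot_state)
enrolled=$(livepatch_key_enrolled)
patch=$(patch_state_from_status "$SAMPLE_STATUS")
echo "secure boot: $sb, livepatch key enrolled: $enrolled, patchState: $patch"
echo "advice: $(livepatch_advice "$patch" "$sb" "$enrolled")"
```

On a real system the sample would be replaced by `canonical-livepatch status` output; the point is that the Secure Boot and MOK checks are independent of whether the client is currently running, which is the detection mpt argues for above.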