[Bug 1861530] Re: update-secureboot-policy runs at startup and burns CPU
Steve Langasek
steve.langasek at canonical.com
Mon Feb 3 18:30:08 UTC 2020
Thanks for reporting this bug and helping to improve Ubuntu.

The normal point at which this command would be run is as part of the
package update process from a running session, under apt. Do you
remember being prompted on a previous package manager run to set a
password for registering your machine-owner key in firmware?

To diagnose why this is running at startup, it would be helpful to see
the hierarchy of processes before this command (so 'pstree' or similar).
That should also give us information about the environment it's running
in, to determine why it's in a busy loop.

While disabling Secure Boot in your firmware will work around this
runtime error, it does weaken the security of your system and is not
recommended as a long-term solution.

My guess at what's happening here is that since you have dkms module
packages installed but the binaries from them have not been successfully
installed for the current kernel, dkms is trying to build these at boot,
sign them, and enroll the key in firmware; but the enrollment fails due
to lack of frontend.
** Changed in: shim-signed (Ubuntu)
Status: New => Incomplete
** Also affects: dkms (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1861530
Title:
update-secureboot-policy runs at startup and burns CPU
Status in dkms package in Ubuntu:
New
Status in shim-signed package in Ubuntu:
Incomplete
Bug description:
I am running Ubuntu 18.04 on a Lenovo Thinkpad T490s. I enabled full
disk encryption when I installed Ubuntu. I found that the computer ran
hot and that a process was always running and using 50% of the
available CPU, presumably taking one core. That process was
`/usr/bin/perl -w /usr/share/debconf/frontend /usr/sbin/update-secureboot-policy --enroll-key`
This process appears to be the same as the one described in this stack
exchange post
https://superuser.com/questions/1493050/update-secureboot-policy-enroll-key-running-on-every-new-startup-eating-reso
I found that, as suggested by user931000 I could disable Secure Boot
in UEFI settings to fix the behavior. I am not sure if this poses any
security risk however, and find that secure boot has a way of turning
itself on, at least with updates that I installed today on 31 January
2020. I think this is a bug and that CPU hogging processes should not
run every time out of the box.
This issue might be related to this other issue, for which a fix is apparently released, but which doesn't appear to be helping in my case.
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1673817
1) Ubuntu 18.04.4 LTS
2) Don't know the relevant package
3) I expect that Ubuntu should start up and run without a process burning all of the CPU, even if I enable disk encryption, and even if secureboot is enabled.
4) I have to choose between having a CPU hogging process turn on every time, turning off Secure Boot (while continuing to turn it off when updates re-turn off secure boot) and not encrypting my hard drive.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1861530/+subscriptions
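
One way to collect the process hierarchy asked for in the reply at the top of this message when pstree is not to hand, as an added example (not part of the original mail and not code from shim-signed or dkms): it follows the PPid field in /proc from the update-secureboot-policy process up to init. The function names and the optional proc-root argument (used only so the functions can be run against a constructed tree) are assumptions of this example.

```shell
#!/bin/sh
# Added example: show which processes led to update-secureboot-policy
# being started, by walking PPid links under /proc.
# The second argument of each function (a proc root) is an assumption
# of this example; it defaults to /proc.

# ppid_of PID [ROOT]: print the parent PID recorded in status.
ppid_of() {
    awk '/^PPid:/ {print $2}' "${2:-/proc}/$1/status" 2>/dev/null
}

# cmd_of PID [ROOT]: print the command line; kernel threads have an
# empty cmdline, so fall back to the bracketed Name from status.
cmd_of() {
    c=$(2>/dev/null tr '\0' ' ' < "${2:-/proc}/$1/cmdline" | sed 's/ *$//')
    [ -n "$c" ] || c="[$(awk '/^Name:/ {print $2}' "${2:-/proc}/$1/status")]"
    printf '%s' "$c"
}

# ancestry PID [ROOT]: one "pid command" line per process, oldest first.
ancestry() {
    pid="$1"; root="${2:-/proc}"; chain=""; depth=0
    # depth cap guards against a malformed tree that loops
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] && [ "$depth" -lt 64 ]; do
        [ -r "$root/$pid/status" ] || break
        chain="$pid $(cmd_of "$pid" "$root")
$chain"
        pid=$(ppid_of "$pid" "$root")
        depth=$((depth + 1))
    done
    printf '%s' "$chain"
}

# find_pids PATTERN [ROOT]: PIDs whose command line contains PATTERN.
find_pids() {
    for d in "${2:-/proc}"/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        if tr '\0' ' ' < "$d/cmdline" | grep -q -- "$1"; then
            echo "${d##*/}"
        fi
    done
}

# Live use: sh this-script --live
if [ "${1:-}" = "--live" ]; then
    for p in $(find_pids update-secureboot-policy); do
        ancestry "$p"; echo "---"
    done
fi
```

The first lines of the output name whatever started the chain at boot (for instance a service or job run by init), which is the context the reply asks about.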