[Bug 1929471] Re: Shim apparently fails to run fwupd64 (hirsute regression?)

Launchpad Bug Tracker 1929471 at bugs.launchpad.net
Mon Aug 16 10:30:18 UTC 2021 

This bug was fixed in the package shim-signed - 1.33.1~16.04.10

---------------
shim-signed (1.33.1~16.04.10) xenial; urgency=medium

  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)

shim-signed (1.33.1~16.04.9) xenial; urgency=medium

  * Do not build a dual-signed shim (fixing regression from ~16.04.7), and
    disable verifying fbx64.efi and mmx64.efi certificates as xenial's
    sbverify is unable to (impish works fine)
  * Clean up debhelper log file accidentally imported into git during 16.04.7
    import.

shim-signed (1.33.1~16.04.8) xenial; urgency=medium

  * debian/*.postinst: Unconditionally call grub-install with
    --force-extra-removable, so that the \EFI\BOOT removable path as used in
    cloud images receives the updates.  LP: #1930742.
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditons (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)

shim-signed (1.33.1~16.04.7) xenial; urgency=medium

  * New upstream release 15.4.  LP: #1921134
  * Update packaging to pull fb and mm from shim-signed package as in
    later releases, dropping the runtime dependency on shim.
  * Add download-signed script from linux-signed package
  * Add a versioned dependency on the mokutil that introduces --timeout, and
    call mokutil --timeout -1 so that users don't end up with broken systems
    by missing MokManager on reboot after install.  LP: #1856422.
  * Add versioned dependencies on grub-efi-amd64-signed and grub2-common,
    to ensure we have SBAT-compatible grub.efi and grub 2.04-compatible
    grub-install present when we are installing new shim to the ESP.
  * Include reworked Makefile from devel to better assert the integrity of
    the executables.

 -- Julian Andres Klode <juliank at ubuntu.com>  Fri, 16 Jul 2021 13:04:57
+0200

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1929471

Title:
  Shim apparently fails to run fwupd64 (hirsute regression?)

Status in fwupd package in Ubuntu:
  Invalid
Status in shim package in Ubuntu:
  Fix Released
Status in shim-signed package in Ubuntu:
  Fix Released
Status in shim source package in Xenial:
  Fix Released
Status in shim-signed source package in Xenial:
  Fix Released
Status in shim source package in Bionic:
  Fix Committed
Status in shim-signed source package in Bionic:
  Fix Committed
Status in shim source package in Focal:
  Fix Released
Status in shim-signed source package in Focal:
  Fix Released
Status in fwupd source package in Hirsute:
  Invalid
Status in shim source package in Hirsute:
  Fix Released
Status in shim-signed source package in Hirsute:
  Fix Released

Bug description:
  [Impact]
  fwupd does not load, can't upgrade firmware

  [Test plan]
  Try reinstall a firmware upgrade, make sure fwupd loads. Make sure you use secure boot. It's OK testing this in one release, as the fix is entirely shim-side and it's binary-copied.

  [Where problems could occur]
  We might fail to boot from BIOS generated boot entries, as in bug 1937115

  [Original bug report]
  I am running hirsute on Thinkpad X1 Carbon gen 7. Fwupdmgr used to work on groovy. Now, fwupdmgr detects new firmware, successfully places the .cap file in /boot/efi/EFI/ubuntu/fw/, successfully sets efi "next boot" to 2 which is "Linux-Firmware-Updater", but on reboot, there are no signs that fwupdx64 was attempted to be executed, and system drops directly into grub.

  Same when I use BIOS boot menu. There are entries for "ubuntu" and for
  "Linux firmware updater", but selecting any of them boots grub.

  After boot, EFI "BootCurrent" points to the updater entry, though it
  apparently did not run!

  $ efibootmgr -v|head
  BootCurrent: 0002
  Timeout: 0 seconds
  BootOrder: 0001,0019,001A,001B,001C,001D,001E,001F,0020,0021,0022,0023,0024,0002
  Boot0001* ubuntu	HD(1,GPT,6ccce482-e2c2-48ca-991e-608bee5d38af,0x800,0x100000)/File(\EFI\ubuntu\shimx64.efi)
  Boot0002* Linux-Firmware-Updater	HD(1,GPT,6ccce482-e2c2-48ca-991e-608bee5d38af,0x800,0x100000)/File(\EFI\ubuntu\shimx64.efi)\.f.w.u.p.d.x.6.4...e.f.i...
  Boot0010  Setup	FvFile(721c8b66-426c-4e86-8e99-3457c46ab0b9)
  Boot0011  Boot Menu	FvFile(126a762d-5758-4fca-8531-201a7f57f850)
  Boot0012  Diagnostic Splash Screen	FvFile(a7d8d9a6-6ab0-4aeb-ad9d-163e59a7a380)
  Boot0013  Lenovo Diagnostics	FvFile(3f7e615b-0d45-4f80-88dc-26b234958560)
  Boot0014  Regulatory Information	FvFile(478c92a0-2622-42b7-a65d-5894169e4d24)

  These sympptoms match precisely a previous bug:
  https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1864223

  Could it be that the fix introduced then was lost, maybe due to
  signing schedule?

  There is a github ticket https://github.com/fwupd/firmware-lenovo-
  thinkpad/issues/123 that could be explained by this problem too.

  My versions of related packages:

  shim-signed:
    Installed: 1.47+15.4-0ubuntu2

  fwupd-signed:
    Installed: 1.38+1.5.8-0ubuntu1

  grub-efi-amd64-signed:
    Installed: 1.169+2.04-1ubuntu45

  ProblemType: Bug
  DistroRelease: Ubuntu 21.04
  Package: shim-signed 1.47+15.4-0ubuntu2
  ProcVersionSignature: Ubuntu 5.11.0-17.18-generic 5.11.12
  Uname: Linux 5.11.0-17-generic x86_64
  .proc.sys.kernel.moksbstate_disabled: Error: [Errno 2] No such file or directory: '/proc/sys/kernel/moksbstate_disabled'
  ApportVersion: 2.20.11-0ubuntu65
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Mon May 24 23:28:40 2021
  InstallationDate: Installed on 2020-01-02 (508 days ago)
  InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Alpha amd64 (20190802)
  SecureBoot: 6   0   0   0   1
  SourcePackage: shim-signed
  UpgradeStatus: Upgraded to hirsute on 2021-02-22 (91 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/1929471/+subscriptions

More information about the foundations-bugs mailing list