[Bug 1898729] Re: shim can end up being removed
Launchpad Bug Tracker
1898729 at bugs.launchpad.net
Tue Sep 7 08:20:35 UTC 2021
This bug was fixed in the package shim-signed - 1.37~18.04.10
---------------
shim-signed (1.37~18.04.10) bionic; urgency=medium
* Remove unnecessary efitools dependency that prevented build on arm64
shim-signed (1.37~18.04.9) bionic; urgency=medium
* New upstream release 15.4. LP: #1921134
* Synchronize packaging with 1.50, summary
- Update packaging to pull fb and mm from shim-signed package as in
later releases, dropping the runtime dependency on shim.
- Add download-signed script from linux-signed package
- Include reworked Makefile from devel to better assert the integrity of
the executables.
- Dual-signed shim
- Set XB-Important: yes on shim-signed package so that it cannot be
removed by accident (LP: #1898729)
- download-signed: Fetch signed artefacts from versioned URL instead
of current/ symlink to work around caching (LP: #1936640)
* Update to shim 15.4-0ubuntu5:
- Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
is causing systems to run out of EFI storage space, or just hang up
when trying to write it (LP: #1924605) (LP: #1928434)
- Further relax the check for variable mirroring on non-secureboot systems
avoiding boot failures on out of space conditons (pull request #372)
- Don't unhook ExitBootServices() when EBS protection is disabled
(LP: #1931136) (pull request #378)
* Update to shim 15.4-0ubuntu7:
- Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
- Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
- Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
- mok: relax the maximum variable size check (LP: #1934780) (PR #369)
-- Julian Andres Klode <juliank at ubuntu.com> Mon, 19 Jul 2021 17:01:19
+0200
** Changed in: shim-signed (Ubuntu Bionic)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1898729
Title:
shim can end up being removed
Status in shim-signed package in Ubuntu:
Fix Released
Status in shim-signed source package in Bionic:
Fix Released
Status in shim-signed source package in Focal:
Fix Released
Status in shim-signed source package in Groovy:
Fix Released
Bug description:
[Impact]
System unbootable because shim-signed was marked auto and removed during upgrade.
[Test case]
Install shim-signed, mark autoremovable, and ensure that
1. autoremove does not remove it
2. removing manual triggers essential remove warning
[Regression potential]
Scripts removing shim-signed will fail and need to pass --allow-remove-essential now.
[Original bug report]
I just did a set of package updates in focal that ended up with shim shim-signed mokutil being autoremoved.
I rebooted without noticing, and had to manually recover the system
thereafter. :(
Julian says there was a period of time where these were marked auto. I
suppose that I installed during this window, and now some dependency
change meant that as far as apt was concerned they weren't required
any more.
Can we please consider never proposing these packages for autoremoval?
apt has NeverAutoRemove for this which could be used, or some other
appropriate method.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1898729/+subscriptions
More information about the foundations-bugs
mailing list