This bug was fixed in the package shim-signed - 1.27~16.04.1
---------------
shim-signed (1.27~16.04.1) xenial; urgency=medium
* Backport shim 0.9+1474479173.6c180c6-1ubuntu1 to 16.04. (LP:
#1637290)
shim-signed (1.27) zesty; urgency=medium
[ Steve Langasek ]
* Update to the signed 0.9+1474479173.6c180c6-1ubuntu1 binary from
Microsoft.
* update-secureboot-policy:
- detect when we have no debconf prompting and error out instead of ending
up in an infinite loop. LP: #1673817.
- refactor to make the code easier to follow.
- remove a confusing boolean that would always re-prompt on a request to
--enable, but not on a request to --disable.
[ Mathieu Trudel-Lapierre ]
* update-secureboot-policy:
- some more fixes to properly handle non-interactive mode. (LP: #1673817)
shim-signed (1.23) zesty; urgency=medium
* debian/control: bump the Depends on grub2-common since that's needed to
install with the new updated EFI binaries filenames.
shim-signed (1.22) yakkety; urgency=medium
* Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 binary from Microsoft.
(LP: #1581299)
* Update paths now that the shim binary has been renamed to include the
target architecture.
* debian/shim-signed.postinst: clean up old MokManager.efi from EFI/ubuntu;
since it's being replaced by mm$arch.efi.
-- Mathieu Trudel-Lapierre <cypher...@ubuntu.com> Thu, 23 Mar 2017
16:58:44 -0400
** Changed in: shim-signed (Ubuntu Xenial)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unattended-upgrades in
Ubuntu.
https://bugs.launchpad.net/bugs/1673817
Title:
update-secure-boot-policy behaving badly with unattended-upgrades
Status in shim-signed package in Ubuntu:
Fix Released
Status in unattended-upgrades package in Ubuntu:
Invalid
Status in shim-signed source package in Trusty:
New
Status in unattended-upgrades source package in Trusty:
New
Status in shim-signed source package in Xenial:
Fix Released
Status in unattended-upgrades source package in Xenial:
New
Status in shim-signed source package in Yakkety:
Fix Released
Status in unattended-upgrades source package in Yakkety:
New
Bug description:
[Impact]
Any user with unattended upgrades enabled and DKMS packages in a Secure Boot
environment might be prompted to change Secure Boot policy, which will fail and
crash in unattended-upgrades.
[Test case]
= unattended upgrade =
1) Create /var/lib/dkms/TEST-DKMS
2) Install new package
3) Trigger unattended-upgrades: unattended-upgrades -d
Upgrade should run smoothly for all the processing but fail to
complete; shim-signed should end the unattended upgrade with a error
as unattended change of the Secure Boot policy can not be done.
Upgrade should not hang in high CPU usage.
= standard upgrade =
1) Create /var/lib/dkms/TEST-DKMS
2) install new package.
3) Verify that the upgrade completes normally.
[Regression Potential]
Any failure to prompt for or change Secure Boot policy in mokutil while in an
*attended* upgrade scenario would constitute a regression of this SRU.
Any other issues related to booting in Secure Boot mode should instead
be directed to bug 1637290 (shim update).
---
Currently, unattended-upgrades will automatically install all updates
for those running development releases of Ubuntu (LP: #1649709)
Today, my computer was acting very sluggish. Looking at my process
list, I saw/ usr/sbin/update-secureboot-policy was using a log of CPU.
I killed the process. I have a /var/crash/shim-signed.0.crash but
since it's 750 MB, I didn't bother submitting it or looking at it
more. Maybe it crashed because I killed the process. Also, I see that
unattended-upgrades-dpkg.log is 722 MB.
Today's update included both VirtualBox and the linux kernel.
I am attaching an excerpt of /var/log/unattended-upgrades/unattended-
upgrades-dpkg.log
This message was repeated a very large number of times (but I only
included it once in the attachment:
"Invalid password
The Secure Boot key you've entered is not valid. The password used must be
between 8 and 16 characters."
ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: shim-signed 1.23+0.9+1474479173.6c180c6-0ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-11.13-generic 4.10.1
Uname: Linux 4.10.0-11-generic x86_64
NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
ApportVersion: 2.20.4-0ubuntu2
Architecture: amd64
CurrentDesktop: GNOME
Date: Fri Mar 17 11:15:04 2017
EcryptfsInUse: Yes
InstallationDate: Installed on 2017-02-23 (21 days ago)
InstallationMedia: Ubuntu-GNOME 17.04 "Zesty Zapus" - Alpha amd64 (20170219)
SourcePackage: shim-signed
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1673817/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
