** Description changed:
- [Impact] (WIP)
+ [Impact]
- * An explanation of the effects of the bug on users and
+ * When Secure Boot is enabled and a new dkms module is installed sim-
+ signed asks for a new Secure Boot key, or aborts package installation in
+ non-interactive mode. When unattended-upgrades performed the upgrade the
+ aborted installation leaves an unconfigured system behind that may even
+ fail to boot.
- * justification for backporting the fix to the stable release.
-
- * In addition, it is helpful, but not required, to include an
- explanation of how the upload fixes this bug.
+ * The fix in u-u detects new dkms-related packages and holds them back
+ from installation.
[Test Case]
1. Set up a fully - or almost fully updated Bionic system.
2. Install packagages to trigger the block:
apt install dkms shim-signed r8168-dkms
3. Fake enabled secure boot:
echo "shim-signed shim/enable_secureboot boolean true" |
debconf-set-selections
4. Add and enable PPA hosting updated dkms package pulling in a new dkms-like
dependency:
add-apt-repository ppa:rbalint/scratch
echo 'Unattended-Upgrade::Allowed-Origins
{"LP-PPA-rbalint-scratch:${distro_codename}";}' >
/etc/apt/apt.conf.d/51unattended-upgrades-all
5. Observe u-u keeping back the new package:
unattended-upgrade --verbose --dry-run --debug
...
Checking: r8168-dkms ([<Origin component:'main' archive:'bionic'
origin:'LP-PPA-rbalint-scratch' label:"Scratch space, don't use"
site:'ppa.launchpad.net' isTrusted:True>])
pkg new-dkms-dep may trigger secure boot key prompt
sanity check failed
...
[Regression Potential]
- * discussion of how regressions are most likely to manifest as a result
- of this change.
+ * Since the fix is holding back packages from installation it is
+ expected that systems that would have otherwise broke during the
+ installation would not receive all updates. Since exact detection of the
+ installation failure reported here does not seem possible u-u holds back
+ more packages than it would be absolutely necessary.
- * It is assumed that any SRU candidate patch is well-tested before
- upload and has a low overall risk of regression, but it's important
- to make the effort to think about what ''could'' happen in the
- event of a regression.
+ * Administrators are expected to set up email notifications about the
+ updates performed by u-u and act on held back packages.
- * This both shows the SRU team that the risks have been considered,
- and provides guidance to testers in regression-testing the SRU.
+ * Since updates pulling in new packages are fairly rare especially in
+ the -security pocket which u-u installs from by default unwanted
+ regressions are unlikely to show up.
[Original Bug Text]
Occurred a minute after logging in
ProblemType: Package
DistroRelease: Ubuntu 16.04
Package: shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-37.41~16.04.1-generic 4.10.17
Uname: Linux 4.10.0-37-generic x86_64
.proc.sys.kernel.moksbstate_disabled: 0
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
Date: Tue Oct 24 11:35:53 2017
EFITables:
Oct 24 11:33:04 paddy-laptop kernel: efi: EFI v2.40 by American Megatrends
Oct 24 11:33:04 paddy-laptop kernel: efi: ACPI=0x78660000 ACPI
2.0=0x78660000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x79360598
Oct 24 11:33:04 paddy-laptop kernel: esrt: Reserving ESRT space from
0x0000000079360598 to 0x00000000793605d0.
Oct 24 11:33:04 paddy-laptop kernel: Secure boot enabled
ErrorMessage: subprocess installed post-installation script returned error
exit status 1
InstallationDate: Installed on 2017-09-11 (42 days ago)
InstallationMedia: Ubuntu 16.04.3 LTS "Xenial Xerus" - Release amd64
(20170801)
RelatedPackageVersions:
dpkg 1.18.4ubuntu1.2
apt 1.2.24
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
Title: package shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1
failed to install/upgrade: subprocess installed post-installation script
returned error exit status 1
UpgradeStatus: No upgrade log present (probably fresh install)
** Also affects: unattended-upgrades (Ubuntu)
Importance: Undecided
Status: New
** Changed in: shim-signed (Ubuntu)
Status: In Progress => Confirmed
** Changed in: shim-signed (Ubuntu)
Status: Confirmed => New
** Changed in: unattended-upgrades (Ubuntu)
Status: New => In Progress
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unattended-upgrades in
Ubuntu.
https://bugs.launchpad.net/bugs/1726803
Title:
unattended-upgrades + nvidia stack upgrade == dkms fail (package shim-
signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1 failed to
install/upgrade: subprocess installed post-installation script
returned error exit status 1)
Status in shim-signed package in Ubuntu:
New
Status in unattended-upgrades package in Ubuntu:
In Progress
Status in shim-signed source package in Bionic:
Triaged
Status in unattended-upgrades source package in Bionic:
New
Bug description:
[Impact]
* When Secure Boot is enabled and a new dkms module is installed sim-
signed asks for a new Secure Boot key, or aborts package installation
in non-interactive mode. When unattended-upgrades performed the
upgrade the aborted installation leaves an unconfigured system behind
that may even fail to boot.
* The fix in u-u detects new dkms-related packages and holds them
back from installation.
[Test Case]
1. Set up a fully - or almost fully updated Bionic system.
2. Install packagages to trigger the block:
apt install dkms shim-signed r8168-dkms
3. Fake enabled secure boot:
echo "shim-signed shim/enable_secureboot boolean true" |
debconf-set-selections
4. Add and enable PPA hosting updated dkms package pulling in a new dkms-like
dependency:
add-apt-repository ppa:rbalint/scratch
echo 'Unattended-Upgrade::Allowed-Origins
{"LP-PPA-rbalint-scratch:${distro_codename}";}' >
/etc/apt/apt.conf.d/51unattended-upgrades-all
5. Observe u-u keeping back the new package:
unattended-upgrade --verbose --dry-run --debug
...
Checking: r8168-dkms ([<Origin component:'main' archive:'bionic'
origin:'LP-PPA-rbalint-scratch' label:"Scratch space, don't use"
site:'ppa.launchpad.net' isTrusted:True>])
pkg new-dkms-dep may trigger secure boot key prompt
sanity check failed
...
[Regression Potential]
* Since the fix is holding back packages from installation it is
expected that systems that would have otherwise broke during the
installation would not receive all updates. Since exact detection of
the installation failure reported here does not seem possible u-u
holds back more packages than it would be absolutely necessary.
* Administrators are expected to set up email notifications about the
updates performed by u-u and act on held back packages.
* Since updates pulling in new packages are fairly rare especially in
the -security pocket which u-u installs from by default unwanted
regressions are unlikely to show up.
[Original Bug Text]
Occurred a minute after logging in
ProblemType: Package
DistroRelease: Ubuntu 16.04
Package: shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-37.41~16.04.1-generic 4.10.17
Uname: Linux 4.10.0-37-generic x86_64
.proc.sys.kernel.moksbstate_disabled: 0
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
Date: Tue Oct 24 11:35:53 2017
EFITables:
Oct 24 11:33:04 paddy-laptop kernel: efi: EFI v2.40 by American Megatrends
Oct 24 11:33:04 paddy-laptop kernel: efi: ACPI=0x78660000 ACPI
2.0=0x78660000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x79360598
Oct 24 11:33:04 paddy-laptop kernel: esrt: Reserving ESRT space from
0x0000000079360598 to 0x00000000793605d0.
Oct 24 11:33:04 paddy-laptop kernel: Secure boot enabled
ErrorMessage: subprocess installed post-installation script returned error
exit status 1
InstallationDate: Installed on 2017-09-11 (42 days ago)
InstallationMedia: Ubuntu 16.04.3 LTS "Xenial Xerus" - Release amd64
(20170801)
RelatedPackageVersions:
dpkg 1.18.4ubuntu1.2
apt 1.2.24
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
Title: package shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1
failed to install/upgrade: subprocess installed post-installation script
returned error exit status 1
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1726803/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
