Bug#990966: grub-efi-arm64: breaks upgrades when the efivarfs is mounted read-only

2021-07-11 Thread Steve McIntyre
Control: severity -1 important

Hey Andres,

On Sun, Jul 11, 2021 at 04:19:19PM -0400, Andres Salomon wrote:
>Package: grub-efi-arm64
>Version: 2.04-19
>Severity: serious
>
>I experienced the following on multiple ARM64 systems (both a Rock64
>board and a Raspberry Pi 4b board) during an unattended-upgrades run:
>
>Unattended upgrade result: All upgrades installed
>
>Packages that attempted to upgrade:
> shim-helpers-arm64-signed shim-signed shim-signed-common
> shim-unsigned

...

>Here's the relevant field in /proc/mounts:
>efivarfs /sys/firmware/efi/efivars efivarfs ro,nosuid,nodev,noexec,relatime 0 0
>
>I expect that the reason /sys/firmware/efi/efivars is mounted read-only is
>due to bug reports such as the following:
>https://github.com/systemd/systemd/issues/2402

But that was never agreed. I'm genuinely curious why you have efivarfs
mounted read-only, and I don't think it's a supported/supportable
option here.

>It would be preferable for grub to either
>a) continue the package postinstall despite efivars being read-only, or
>b) remount efivars read-write, update efivars, and then remount ro.
>
>grub-install is being called from shim-helpers-arm64-signed's
>postinst. You could argue that shim-helpers-arm64-signed could
>remount efivars read-write, but since I can actually trigger the
>same error in grub-efi-arm64's postinst, it seems like this should be
>fixed in grub:

The "issue" is definitely coming from grub-efi-$ARCH, but it's
behaving as designed here. Continuing despite failing to update the
EFI boot vars here will potentially leave you with an unbootable
system.

-- 
Steve McIntyre, Cambridge, UK.    st...@einval.com
"I've only once written 'SQL is my bitch' in a comment. But that code 
 is in use on a military site..." -- Simon Booth



Processed: Re: Bug#990966: grub-efi-arm64: breaks upgrades when the efivarfs is mounted read-only

2021-07-11 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 important
Bug #990966 [grub-efi-arm64] grub-efi-arm64: breaks upgrades when the efivarfs is mounted read-only
Severity set to 'important' from 'serious'

-- 
990966: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990966
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#990966: grub-efi-arm64: breaks upgrades when the efivarfs is mounted read-only

2021-07-11 Thread Andres Salomon
Package: grub-efi-arm64
Version: 2.04-19
Severity: serious


I experienced the following on multiple ARM64 systems (both a Rock64
board and a Raspberry Pi 4b board) during an unattended-upgrades run:

Unattended upgrade result: All upgrades installed

Packages that attempted to upgrade:
 shim-helpers-arm64-signed shim-signed shim-signed-common shim-unsigned

Packages with upgradable origin but kept back:
 Debian testing:
  shim-signed shim-helpers-arm64-signed shim-signed-common

Package installation log:
Log started: 2021-07-10  06:16:45
Preparing to unpack .../shim-unsigned_15.4-6_arm64.deb ...
Unpacking shim-unsigned (15.4-6) over (15.4-5) ...
Setting up shim-unsigned (15.4-6) ...
Log ended: 2021-07-10  06:16:50

Log started: 2021-07-10  06:16:51
Preconfiguring packages ...
Preconfiguring packages ...
Preparing to unpack .../shim-signed-common_1.37+15.4-6_all.deb ...
Unpacking shim-signed-common (1.37+15.4-6) over (1.36+15.4-5) ...
Preparing to unpack .../shim-signed_1.37+15.4-6_arm64.deb ...
Unpacking shim-signed:arm64 (1.37+15.4-6) over (1.36+15.4-5) ...
Setting up shim-signed-common (1.37+15.4-6) ...
No DKMS packages installed: not changing Secure Boot validation state.
Setting up shim-signed:arm64 (1.37+15.4-6) ...
Installing for arm64-efi platform.
grub-install: warning: Cannot set EFI variable Boot.
grub-install: warning: efivarfs_set_variable: failed to create /sys/firmware/efi/efivars/Boot-8be4df61-93ca-11d2-aa0d-00e098032b8c for writing: Read-only file system.
grub-install: warning: _efi_set_variable_mode: ops->set_variable() failed: Read-only file system.
grub-install: error: failed to register the EFI boot entry: Read-only file system.
dpkg: error processing package shim-signed:arm64 (--configure):
 installed shim-signed:arm64 package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 shim-signed:arm64
E:Sub-process /usr/bin/dpkg returned an error code (1)
Log ended: 2021-07-10  06:17:29

Unattended-upgrades log:
Checking if system is running on battery is skipped. Please install powermgmt-base package to check power status and skip installing updates when the system is running on battery.
Starting unattended upgrades script
Allowed origins are: origin=Debian,codename=bullseye,label=Debian, origin=Debian,codename=bullseye,label=Debian-Security, origin=Debian,codename=bullseye-security,label=Debian-Security
Initial blacklist: 
Initial whitelist (not strict): 
Packages that will be upgraded: shim-helpers-arm64-signed shim-signed shim-signed-common shim-unsigned
Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
Installing the upgrades failed!
error message: installArchives() failed
dpkg returned a error! See /var/log/unattended-upgrades/unattended-upgrades-dpkg.log for details
Package shim-helpers-arm64-signed is kept back because a related package is kept back or due to local apt_preferences(5).
Package shim-signed is kept back because a related package is kept back or due to local apt_preferences(5).
Package shim-signed-common is kept back because a related package is kept back or due to local apt_preferences(5).


Here's the relevant field in /proc/mounts:
efivarfs /sys/firmware/efi/efivars efivarfs ro,nosuid,nodev,noexec,relatime 0 0


I expect that the reason /sys/firmware/efi/efivars is mounted read-only is
due to bug reports such as the following:
https://github.com/systemd/systemd/issues/2402

It would be preferable for grub to either
a) continue the package postinstall despite efivars being read-only, or
b) remount efivars read-write, update efivars, and then remount ro.

grub-install is being called from shim-helpers-arm64-signed's
postinst. You could argue that shim-helpers-arm64-signed could
remount efivars read-write, but since I can actually trigger the
same error in grub-efi-arm64's postinst, it seems like this should be
fixed in grub:
dilinger@wifi2:~$ sudo dpkg-reconfigure grub-efi-arm64
[sudo] password for dilinger: 
Installing for arm64-efi platform.
grub-install: warning: Cannot set EFI variable Boot.
grub-install: warning: efivarfs_set_variable: failed to create /sys/firmware/efi/efivars/Boot-8be4df61-93ca-11d2-aa0d-00e098032b8c for writing: Read-only file system.
grub-install: warning: _efi_set_variable_mode: ops->set_variable() failed: Read-only file system.
grub-install: error: failed to register the EFI boot entry: Read-only file system.
Failed: grub-install --target=arm64-efi  
WARNING: Bootloader is not properly installed, system may not be bootable
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.10.0-7-arm64
Found initrd image: /boot/initrd.img-5.10.0-7-arm64
done
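The remount-rw / update / remount-ro sequence proposed as option b) in the report, written out as an added shell example; this is not code from the bug report, from the grub or shim packaging, or from unattended-upgrades. It reads the efivarfs mount options from /proc/mounts exactly as the report shows them, refuses to proceed when efivarfs is not mounted at all, and puts the read-only mount back even when the wrapped command fails, so a failed grub-install does not leave the EFI variable store writable. Assumptions: efivarfs lives at /sys/firmware/efi/efivars (the kernel default), mount(8) is available, and the remount itself runs as root; the MOUNTS variable is there only so the parsing can be exercised against a constructed copy of /proc/mounts rather than the live one.

```shell
#!/bin/sh
# Added example: run a command (e.g. grub-install) with a read-only efivarfs
# temporarily remounted read-write, restoring the ro mount afterwards.
# Not part of grub, shim-signed or the Debian postinst scripts.

EFIVARS=/sys/firmware/efi/efivars      # assumed mount point (kernel default)
MOUNTS=${MOUNTS:-/proc/mounts}         # overridable so tests can feed a constructed file

# Print the mount options (field 4 of /proc/mounts) of the efivarfs entry,
# e.g. "ro,nosuid,nodev,noexec,relatime". Prints nothing if not mounted.
efivarfs_opts() {
    awk -v mp="$EFIVARS" '$2 == mp && $3 == "efivarfs" { print $4; exit }' "$MOUNTS"
}

# Exit status: 0 = mounted read-only, 1 = mounted read-write,
#              2 = not mounted at all (no EFI variable store to write to).
efivarfs_state() {
    opts=$(efivarfs_opts)
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *,ro,*) return 0 ;;      # exact option "ro", not e.g. "errors=remount-ro"
        *)      return 1 ;;
    esac
}

# Run "$@" with efivarfs writable. The ro mount is restored whether or not
# the command succeeds, and the command's own exit status is propagated:
# a failed boot-entry registration still fails the caller.
with_efivarfs_rw() {
    state=0
    efivarfs_state || state=$?
    case $state in
        1)  rc=0; "$@" || rc=$?; return $rc ;;                 # already rw
        2)  echo "efivarfs is not mounted at $EFIVARS" >&2; return 2 ;;
    esac
    mount -o remount,rw "$EFIVARS" || return $?                # needs root
    rc=0
    "$@" || rc=$?
    mount -o remount,ro "$EFIVARS" \
        || echo "warning: failed to remount $EFIVARS read-only" >&2
    return $rc
}

# Stand-alone use, wrapping the same invocation the postinst runs:
#   with_efivarfs_rw grub-install --target=arm64-efi
```

The wrapper deliberately does not implement option a): it returns grub-install's exit status unchanged, in line with the maintainer's point that carrying on after a failed EFI boot-variable update can leave the machine unbootable. Whether packaging should perform the remount at all, rather than treating a read-only efivarfs as unsupported, is the question the thread leaves open; the script only shows what the remount path looks like when it is done carefully.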