** Description changed:
- [Impact] (WIP)
+ [Impact]
- * An explanation of the effects of the bug on users and
+ * When Secure Boot is enabled and a new dkms module is installed sim-
+ signed asks for a new Secure Boot key, or aborts package installation in
+ non-interactive mode. When unattended-upgrades performed the upgrade the
+ aborted installation leaves an unconfigured system behind that may even
+ fail to boot.
- * justification for backporting the fix to the stable release.
-
- * In addition, it is helpful, but not required, to include an
- explanation of how the upload fixes this bug.
+ * The fix in u-u detects new dkms-related packages and holds them back
+ from installation.
[Test Case]
1. Set up a fully - or almost fully updated Bionic system.
2. Install packagages to trigger the block:
apt install dkms shim-signed r8168-dkms
3. Fake enabled secure boot:
echo "shim-signed shim/enable_secureboot boolean true" |
debconf-set-selections
4. Add and enable PPA hosting updated dkms package pulling in a new dkms-like
dependency:
add-apt-repository ppa:rbalint/scratch
echo 'Unattended-Upgrade::Allowed-Origins
{"LP-PPA-rbalint-scratch:${distro_codename}";}' >
/etc/apt/apt.conf.d/51unattended-upgrades-all
5. Observe u-u keeping back the new package:
unattended-upgrade --verbose --dry-run --debug
...
Checking: r8168-dkms ([<Origin component:'main' archive:'bionic'
origin:'LP-PPA-rbalint-scratch' label:"Scratch space, don't use"
site:'ppa.launchpad.net' isTrusted:True>])
pkg new-dkms-dep may trigger secure boot key prompt
sanity check failed
...
[Regression Potential]
- * discussion of how regressions are most likely to manifest as a result
- of this change.
+ * Since the fix is holding back packages from installation it is
+ expected that systems that would have otherwise broke during the
+ installation would not receive all updates. Since exact detection of the
+ installation failure reported here does not seem possible u-u holds back
+ more packages than it would be absolutely necessary.
- * It is assumed that any SRU candidate patch is well-tested before
- upload and has a low overall risk of regression, but it's important
- to make the effort to think about what ''could'' happen in the
- event of a regression.
+ * Administrators are expected to set up email notifications about the
+ updates performed by u-u and act on held back packages.
- * This both shows the SRU team that the risks have been considered,
- and provides guidance to testers in regression-testing the SRU.
+ * Since updates pulling in new packages are fairly rare especially in
+ the -security pocket which u-u installs from by default unwanted
+ regressions are unlikely to show up.
[Original Bug Text]
Occurred a minute after logging in
ProblemType: Package
DistroRelease: Ubuntu 16.04
Package: shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-37.41~16.04.1-generic 4.10.17
Uname: Linux 4.10.0-37-generic x86_64
.proc.sys.kernel.moksbstate_disabled: 0
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
Date: Tue Oct 24 11:35:53 2017
EFITables:
Oct 24 11:33:04 paddy-laptop kernel: efi: EFI v2.40 by American Megatrends
Oct 24 11:33:04 paddy-laptop kernel: efi: ACPI=0x78660000 ACPI
2.0=0x78660000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x79360598
Oct 24 11:33:04 paddy-laptop kernel: esrt: Reserving ESRT space from
0x0000000079360598 to 0x00000000793605d0.
Oct 24 11:33:04 paddy-laptop kernel: Secure boot enabled
ErrorMessage: subprocess installed post-installation script returned error
exit status 1
InstallationDate: Installed on 2017-09-11 (42 days ago)
InstallationMedia: Ubuntu 16.04.3 LTS "Xenial Xerus" - Release amd64
(20170801)
RelatedPackageVersions:
dpkg 1.18.4ubuntu1.2
apt 1.2.24
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
Title: package shim-signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1
failed to install/upgrade: subprocess installed post-installation script
returned error exit status 1
UpgradeStatus: No upgrade log present (probably fresh install)
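Review bot: The first added [Impact] bullet names the package as "sim-signed", while step 2 of the test case and the original report both use shim-signed; the bullet should use the real package name so the SRU record is searchable. Step 5 of the test case only exercises --dry-run, so it shows the "may trigger secure boot key prompt" check firing but not the outcome the [Impact] text promises. Consider adding a step that runs unattended-upgrade without --dry-run and confirms that r8168-dkms is left at its installed version and that dpkg reports no unconfigured packages afterwards.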
** Also affects: unattended-upgrades (Ubuntu)
Importance: Undecided
Status: New
** Changed in: shim-signed (Ubuntu)
Status: In Progress => Confirmed
** Changed in: shim-signed (Ubuntu)
Status: Confirmed => New
** Changed in: unattended-upgrades (Ubuntu)
Status: New => In Progress
https://bugs.launchpad.net/bugs/1726803
Title:
unattended-upgrades + nvidia stack upgrade == dkms fail (package shim-
signed 1.32~16.04.1+0.9+1474479173.6c180c6-1ubuntu1 failed to
install/upgrade: subprocess installed post-installation script
returned error exit status 1)