Public bug reported:
The livepatch widget will show an error[0] if patches cannot be applied.
They cannot be applied on a Secure Boot system unless the livepatch
signing key is imported. Unfortunately this requires a reboot and some
confirmation in the UEFI settings, so it can't be automated.
`canonical-livepatch help` displays some instructions to fix this:
SECUREBOOT:
If you are using secure boot, you will also need to import the livepatch
public keys into your keyring.
This can be done with the following command:
sudo mokutil --import
/snap/canonical-livepatch/current/keys/livepatch-kmod.x509
After this enter a password if necessary for MOK, then reboot.
Your BIOS will then guide you through enrolling a new key in MOK.
At this point you will be able to verify the module signatures.
This is probably something worth linking to from that error message. In
general, we might need a page explaining other reasons the kernel can't
be patched, how to get more details from the system log, etc.
c@slate:~$ canonical-livepatch status
client-version: 9.3.0
architecture: x86_64
cpu-model: Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
last-check: 2019-06-18T10:40:35-05:00
boot-time: 2019-06-18T11:05:06-05:00
uptime: 50m59s
status:
- kernel: 4.15.0-51.55-generic
running: true
livepatch:
checkState: check-failed
patchState: apply-failed
version: "52.3"
fixes: |-
* CVE-2019-11477
* CVE-2019-11478
[0] https://drive.google.com/file/d/1cQbtCNE-
ekoPO159SJDwKrjPGpkSuucm/view?usp=sharing
** Affects: update-notifier (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1833277
Title:
LIvepatch widget should link to secure boot information on error
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/1833277/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
