shim-signed package can not be configured on Lenovo Yoga C630 WOS

Bug #1853022 reported by RussianNeuroMancer
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
grub2 (Ubuntu) | New | Undecided | Unassigned |
shim (Ubuntu) | New | Undecided | Unassigned |

Bug Description

Hello!

Besides the issue with shim itself described in Bug 1849863, I noticed that there is also an issue with the shim-signed package installation script. An attempt to install shim-signed on Lenovo Yoga C630 WOS causes the following errors and leaves the shim-signed package in an unconfigured state, which will cause more issues later on (for instance, update-manager will always try to configure shim-signed on every upgrade).

Installing for arm64-efi platform.
grub-install: warning: Cannot set EFI variable Boot0000.
grub-install: warning: efivarfs_set_variable: writing to fd 7 failed: Invalid argument.
grub-install: warning: efivarfs_set_variable: failed to unlink /sys/firmware/efi/efivars/Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c: Invalid argument.
grub-install: warning: _efi_set_variable_mode: ops->set_variable() failed: Invalid argument.
grub-install: error: failed to register the EFI boot entry: Invalid argument.
dpkg: error processing package shim-signed (--configure):
 installed shim-signed package post-installation script subprocess returned error exit status 1
Processing triggers for man-db (2.8.7-3) ...
Errors were encountered while processing:
 shim-signed
E: Sub-process /usr/bin/dpkg returned an error code (1)
Setting up shim-signed (1.39+15+1533136590.3beb971-0ubuntu1) ...

Dimitri John Ledkov (xnox) wrote :

It is correct. On the Yoga C630 WOS, normal UEFI variable writing is not supported by the hardware firmware.

At most, I have managed to use Windows 10 utilities to override the path of the Windows bootloader to point at the GRUB EFI app, and it can be done to point at the shim.

RussianNeuroMancer (russianneuromancer) wrote :

Aren't these ARM laptops the only aarch64 devices that need a signed shim to boot with Secure Boot enabled? Maybe it makes sense to modify the shim-signed package to not fail if a UEFI variable cannot be modified, and to throw a warning message instead?

I propose this because AFAIK this "UEFI variable writing" issue is not going anywhere anytime soon, and the current version of the script prevents regular distribution upgrades because shim-signed package installation/upgrade will always fail.
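
One way the behaviour proposed in this thread could look in a maintainer script. This is an added example, not code from the shim-signed package or from either commenter: it downgrades only the boot-entry registration failure to a warning by retrying with grub-install's `--no-nvram` option, and still fails on any other error. `GRUB_INSTALL`, `install_bootloader`, `is_nvram_write_failure` and `fake_grub_install` are hypothetical names, and the stand-in's output is constructed from the log in this report.

```shell
#!/bin/sh
# Added illustration, not the shim-signed postinst.
# GRUB_INSTALL is a hypothetical override so the logic runs without firmware.

# True only when the captured output shows the boot-entry registration failed.
is_nvram_write_failure() {
    case "$1" in
        *"failed to register the EFI boot entry"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run grub-install; if only the NVRAM write failed, warn and retry with
# --no-nvram. Any other failure keeps its original exit status.
install_bootloader() {
    rc=0
    out=$("${GRUB_INSTALL:-grub-install}" "$@" 2>&1) || rc=$?
    printf '%s\n' "$out" >&2
    if [ "$rc" -eq 0 ]; then
        return 0
    fi
    if is_nvram_write_failure "$out"; then
        echo "warning: firmware rejected the EFI boot entry; retrying without NVRAM update" >&2
        "${GRUB_INSTALL:-grub-install}" --no-nvram "$@"
        return
    fi
    return "$rc"
}

# Constructed stand-in for grub-install on firmware that rejects variable
# writes: fails with the messages from this report unless --no-nvram is given.
fake_grub_install() {
    for arg in "$@"; do
        if [ "$arg" = "--no-nvram" ]; then
            echo "Installation finished. No error reported."
            return 0
        fi
    done
    echo "grub-install: warning: Cannot set EFI variable Boot0000." >&2
    echo "grub-install: error: failed to register the EFI boot entry: Invalid argument." >&2
    return 1
}

# Demo against the stand-in; no firmware variables are touched.
GRUB_INSTALL=fake_grub_install
install_bootloader --target=arm64-efi
```

With `--no-nvram` no boot entry is written, so the firmware still has to be pointed at the loader by other means, as described in the first comment.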
