Canonical Livepatch Client

Client stops applying patches with "cannot execute finitModule syscall: required key not available"

Bug #1833566 reported by Robie Basak
28
This bug affects 5 people
Affects Status Importance Assigned to Milestone
Canonical Livepatch Client
Confirmed
Undecided
Unassigned

Bug Description

With linux-image-generic 4.4.0.151.159 installed and a boot time of approximately 26 May, on 17 June canonical-livepatch failed with:

Jun 17 21:49:58 mal canonical-livepatch[3092]: Client.Check
Jun 17 21:49:58 mal canonical-livepatch[3092]: Checking with livepatch service.
Jun 17 21:49:58 mal canonical-livepatch[3092]: updating last-check
Jun 17 21:49:58 mal canonical-livepatch[3092]: touched last check
Jun 17 21:49:58 mal canonical-livepatch[3092]: Applying update 52.3 for 4.4.0-148.174-generic
Jun 17 21:49:58 mal canonical-livepatch[3092]: during refresh: cannot apply patches: cannot apply update: cannot execute finitModule syscall: required key not available

Since then, I periodically see the following in my logs:

Jun 20 13:50:07 mal canonical-livepatch[3092]: Client.Check
Jun 20 13:50:07 mal canonical-livepatch[3092]: Checking with livepatch service.
Jun 20 13:50:07 mal canonical-livepatch[3092]: updating last-check
Jun 20 13:50:07 mal canonical-livepatch[3092]: touched last check
Jun 20 13:50:07 mal canonical-livepatch[3092]: No updates available at this time.
Jun 20 13:50:07 mal canonical-livepatch[3092]: Module may have caused kernel crash! Not inserting module.
Jun 20 13:50:07 mal canonical-livepatch[3092]: To override this warning, remove /var/snap/canonical-livepatch/common/locks/livepatch_Ubuntu_4_4_0_148_174_generic_52_52.3
Jun 20 13:50:07 mal canonical-livepatch[3092]: during refresh: cannot apply patches: lock file "/var/snap/canonical-livepatch/common/locks/livepatch_Ubuntu_4_4_0_148_174_generic_52_52.3" already exists

Expected behaviour: livepatch continues to function without user intervention

Actual behaviour: livepatch seems to require some kind of user intervention here to continue operation

This isn't just me: on searching, I found the same report at https://askubuntu.com/q/1152398/7808

It seems too coincidental to me that this independent report displays logs with a very similar failure time, and therefore I speculate that it's a systemic problem caused by some specific update or change rather than a problem specific to my system.

I can hold off rebooting for a few days if you'd like help debugging.

If it's a transient error that can be fixed, I'd appreciate some instructions on what is safe to do (overriding a warning talking of kernel crashes doesn't feel safe).

Revision history for this message
Robie Basak (racb) wrote :

$ snap info canonical-livepatch
name: canonical-livepatch
summary: Canonical Livepatch Client
publisher: Canonical✓
contact: <email address hidden>
license: unset
description: |
  Canonical Livepatch Client
commands:
  - canonical-livepatch
services:
  canonical-livepatch.canonical-livepatchd: simple, enabled, active
snap-id: b96UJ4vttpNhpbaCWctVzfduQcPwQ5wn
tracking: stable
refresh-date: 45 days ago, at 15:28 BST
channels:
  stable: 9.4.1 2019-06-20 (81) 8MB -
  candidate: 9.4.1 2019-06-20 (81) 8MB -
  beta: 9.4.1 2019-06-20 (81) 8MB -
  edge: 9.4.1 2019-06-13 (81) 8MB -
installed: 9.3.0 (77) 8MB -

Revision history for this message
Robie Basak (racb) wrote :

No personal information here.

information type: Proprietary → Public
Revision history for this message
Robie Basak (racb) wrote :

Confirmed because it's independently reported elsewhere with a coincident date.

Changed in canonical-livepatch-client:
status: New → Confirmed
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

The same happened to me, and it was about secureboot. I had to import the livepatch key, like explained here: https://wiki.ubuntu.com/Kernel/Livepatch

Related bug: https://bugs.launchpad.net/ubuntu/+source/update-notifier/+bug/1833277

There, it's about the notification telling you what to do, but I think the snap utility should do the same, instead of just saying "apply-failed"

Revision history for this message
Robie Basak (racb) wrote : Re: [Bug 1833566] Re: Client stops applying patches with "cannot execute finitModule syscall: required key not available"

How long has it been the case that a key needs to be imported by hand by
the user to enable Livepatch? I'm fairly sure that I've never done this
before, and that Livepatch worked for me in the past.

If Livepatch has always needed this, it's possible that this system
didn't use Secure Boot in the past and that I inadvertently broke
Livepatch when I enabled it at some point.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.