update-secure-boot-policy behaving badly with unattended-upgrades
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
shim-signed (Ubuntu) | Fix Released | High | Mathieu Trudel-Lapierre |
Trusty | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
Yakkety | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
Any user with unattended upgrades enabled and DKMS packages in a Secure Boot environment might be prompted to change Secure Boot policy, which will fail and crash in unattended-
[Test case]
= unattended upgrade =
1) Create /var/lib/
2) Install new package
3) Trigger unattended-
Upgrade should run smoothly for all the processing but fail to complete; shim-signed should end the unattended upgrade with an error, as an unattended change of the Secure Boot policy cannot be done. Upgrade should not hang in high CPU usage.
= standard upgrade =
1) Create /var/lib/
2) Install new package.
3) Verify that the upgrade completes normally.
[Regression Potential]
Any failure to prompt for or change Secure Boot policy in mokutil while in an *attended* upgrade scenario would constitute a regression of this SRU.
Any other issues related to booting in Secure Boot mode should instead be directed to bug 1637290 (shim update).
---
Currently, unattended-upgrades will automatically install all updates for those running development releases of Ubuntu (LP: #1649709)
Today, my computer was acting very sluggish. Looking at my process list, I saw /usr/sbin/
I killed the process. I have a /var/crash/
Today's update included both VirtualBox and the linux kernel.
I am attaching an excerpt of /var/log/
This message was repeated a very large number of times (but I only included it once in the attachment):
"Invalid password
The Secure Boot key you've entered is not valid. The password used must be
between 8 and 16 characters."
ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: shim-signed 1.23+0.
ProcVersionSign
Uname: Linux 4.10.0-11-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.4-0ubuntu2
Architecture: amd64
CurrentDesktop: GNOME
Date: Fri Mar 17 11:15:04 2017
EcryptfsInUse: Yes
InstallationDate: Installed on 2017-02-23 (21 days ago)
InstallationMedia: Ubuntu-GNOME 17.04 "Zesty Zapus" - Alpha amd64 (20170219)
SourcePackage: shim-signed
UpgradeStatus: No upgrade log present (probably fresh install)
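The [Test case] above expects an unattended run to end with an error instead of repeating the "Invalid password" prompt. A sketch of such a guard, added here as an illustration and not taken from shim-signed: it assumes the unattended run is identifiable by DEBIAN_FRONTEND=noninteractive, reads stdin in place of the debconf prompt, and the function names and the MAX_TRIES cap are hypothetical.

```shell
#!/bin/sh
# Added illustration; not the shim-signed script. stdin stands in for the
# debconf password prompt, and all function names here are hypothetical.

MAX_TRIES=3   # assumed retry cap; the page does not specify one

# The prompt text on the page requires between 8 and 16 characters.
valid_mok_password() {
    len=${#1}
    [ "$len" -ge 8 ] && [ "$len" -le 16 ]
}

# Prints the accepted password on stdout.
# Returns 0 on success, 1 when no valid answer arrived, 2 when unattended.
prompt_mok_password() {
    # Nobody can answer a prompt in an unattended run: fail before asking.
    if [ "${DEBIAN_FRONTEND:-}" = "noninteractive" ]; then
        echo "cannot change Secure Boot policy unattended" >&2
        return 2
    fi
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        tries=$((tries + 1))
        # EOF means no one is answering: stop instead of re-asking forever.
        IFS= read -r candidate || return 1
        if valid_mok_password "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
        echo "Invalid password (attempt $tries of $MAX_TRIES)" >&2
    done
    return 1
}
```

The bounded loop and the EOF check are what keep an empty or closed input from turning into the endless retry described in the report.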
Changed in unattended-upgrades (Ubuntu):
status: New → Invalid
Changed in shim-signed (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
importance: Undecided → High
tags: added: rls-z-incoming
Changed in shim-signed (Ubuntu):
milestone: none → ubuntu-17.03
status: Incomplete → In Progress
description: updated
no longer affects: unattended-upgrades (Ubuntu)
no longer affects: unattended-upgrades (Ubuntu Trusty)
no longer affects: unattended-upgrades (Ubuntu Xenial)
no longer affects: unattended-upgrades (Ubuntu Yakkety)
What is the content of the following files?
/proc/sys/kernel/secure_boot
/proc/sys/kernel/moksbstate_disabled