[Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
Mathieu Trudel-Lapierre
mathieu.tl at gmail.com
Thu Mar 23 21:05:02 UTC 2017
** Description changed:
+ [Impact]
+ Any user with unattended upgrades enabled and DKMS packages in a Secure Boot environment might be prompted to change Secure Boot policy, which will fail and crash in unattended-upgrades.
+
+ [Test case]
+ 1) Install new package
+ 2) Create /var/lib/dkms/TEST-DKMS
+ 3) Reboot triggering unattended-upgrades:
+ <process TBD>
+
+ Upgrade should run smoothly and complete without issue (see original
+ description).
+
+ [Regression Potential]
+ Any failure to prompt for or change Secure Boot policy in mokutil (crashes of update-secureboot-policy, higher CPU usage, etc.) would constitute a regression of this SRU.
+
+ Any other issues related to booting in Secure Boot mode should instead
+ be directed to bug 1637290 (shim update).
+
+ ---
+
Currently, unattended-upgrades will automatically install all updates
for those running development releases of Ubuntu (LP: #1649709)
Today, my computer was acting very sluggish. Looking at my process list,
I saw/ usr/sbin/update-secureboot-policy was using a log of CPU.
I killed the process. I have a /var/crash/shim-signed.0.crash but since
it's 750 MB, I didn't bother submitting it or looking at it more. Maybe
it crashed because I killed the process. Also, I see that unattended-
upgrades-dpkg.log is 722 MB.
Today's update included both VirtualBox and the linux kernel.
I am attaching an excerpt of /var/log/unattended-upgrades/unattended-
upgrades-dpkg.log
This message was repeated a very large number of times (but I only
included it once in the attachment:
"Invalid password
- The Secure Boot key you've entered is not valid. The password used must be
+ The Secure Boot key you've entered is not valid. The password used must be
between 8 and 16 characters."
ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: shim-signed 1.23+0.9+1474479173.6c180c6-0ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-11.13-generic 4.10.1
Uname: Linux 4.10.0-11-generic x86_64
NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
ApportVersion: 2.20.4-0ubuntu2
Architecture: amd64
CurrentDesktop: GNOME
Date: Fri Mar 17 11:15:04 2017
EcryptfsInUse: Yes
InstallationDate: Installed on 2017-02-23 (21 days ago)
InstallationMedia: Ubuntu-GNOME 17.04 "Zesty Zapus" - Alpha amd64 (20170219)
SourcePackage: shim-signed
UpgradeStatus: No upgrade log present (probably fresh install)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to unattended-upgrades in Ubuntu.
https://bugs.launchpad.net/bugs/1673817
Title:
update-secure-boot-policy behaving badly with unattended-upgrades
Status in shim-signed package in Ubuntu:
Fix Released
Status in unattended-upgrades package in Ubuntu:
Invalid
Status in shim-signed source package in Trusty:
New
Status in unattended-upgrades source package in Trusty:
New
Status in shim-signed source package in Xenial:
New
Status in unattended-upgrades source package in Xenial:
New
Status in shim-signed source package in Yakkety:
New
Status in unattended-upgrades source package in Yakkety:
New
Bug description:
[Impact]
Any user with unattended upgrades enabled and DKMS packages in a Secure Boot environment might be prompted to change Secure Boot policy, which will fail and crash in unattended-upgrades.
[Test case]
1) Install new package
2) Create /var/lib/dkms/TEST-DKMS
3) Reboot triggering unattended-upgrades:
<process TBD>
Upgrade should run smoothly and complete without issue (see original
description).
[Regression Potential]
Any failure to prompt for or change Secure Boot policy in mokutil (crashes of update-secureboot-policy, higher CPU usage, etc.) would constitute a regression of this SRU.
Any other issues related to booting in Secure Boot mode should instead
be directed to bug 1637290 (shim update).
---
Currently, unattended-upgrades will automatically install all updates
for those running development releases of Ubuntu (LP: #1649709)
Today, my computer was acting very sluggish. Looking at my process
list, I saw/ usr/sbin/update-secureboot-policy was using a log of CPU.
I killed the process. I have a /var/crash/shim-signed.0.crash but
since it's 750 MB, I didn't bother submitting it or looking at it
more. Maybe it crashed because I killed the process. Also, I see that
unattended-upgrades-dpkg.log is 722 MB.
Today's update included both VirtualBox and the linux kernel.
I am attaching an excerpt of /var/log/unattended-upgrades/unattended-
upgrades-dpkg.log
This message was repeated a very large number of times (but I only
included it once in the attachment:
"Invalid password
The Secure Boot key you've entered is not valid. The password used must be
between 8 and 16 characters."
ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: shim-signed 1.23+0.9+1474479173.6c180c6-0ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-11.13-generic 4.10.1
Uname: Linux 4.10.0-11-generic x86_64
NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
ApportVersion: 2.20.4-0ubuntu2
Architecture: amd64
CurrentDesktop: GNOME
Date: Fri Mar 17 11:15:04 2017
EcryptfsInUse: Yes
InstallationDate: Installed on 2017-02-23 (21 days ago)
InstallationMedia: Ubuntu-GNOME 17.04 "Zesty Zapus" - Alpha amd64 (20170219)
SourcePackage: shim-signed
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1673817/+subscriptions
More information about the foundations-bugs
mailing list