Package: sicherboot
Version: 0.1.3
Severity: important
Tags: patch

I installed sicherboot after its recommendation in #826045 for systemd-boot integration (instead of a tediously manually updated syslinux-efi configuration file). As I don't use secure boot, I answered 'n' to the question about enrolling keys, as hinted. This seemed to produce a bunch of warnings, but on inspection the contents of /boot/efi appeared to be correct, and rebooting worked as expected.
However now I find apt upgrade is failing and leaving things unconfigured:

----------------------------------------
Setting up linux-image-4.11.0-2-amd64 (4.11.11-1) ...
/etc/kernel/postinst.d/dracut:
sicherboot: Installing 4.11.0-2-amd64 to ESP
objcopy: cannot open: /boot//initrd.img-4.11.0-2-amd64: No such file or directory
run-parts: /etc/kernel/postinst.d/dracut exited with return code 1
----------------------------------------

I think what's happened here is that the new kernel (with ABI bump, so a new filename) has been unpacked, then sicherboot install-kernel has been called (via /etc/kernel/postinst.d/dracut) before any call to update-initramfs -u to make initrd.img-4.11.0-2-amd64. Thus the hook exits 1 and apt/dpkg dies. I increased the bug severity to "important" because of this breakage.

To try to fix things I ran update-initramfs manually, but sicherboot doesn't seem to like not having keys enrolled:

----------------------------------------
% sudo update-initramfs -u
update-initramfs: Generating /boot/initrd.img-4.11.0-1-amd64
warning: data remaining[23685632 vs 23693957]: gaps between PE/COFF sections?
warning: data remaining[23685632 vs 23693960]: gaps between PE/COFF sections?
Can't load key from file '/etc/sicherboot/keys/db.key'
140154209566080:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('/etc/sicherboot/keys/db.key','r')
140154209566080:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
run-parts: /etc/initramfs/post-update.d//zz-sicherboot exited with return code 1
----------------------------------------

As I had answered 'n' to the sicherboot setup question about enrolling keys, no keys were generated. This isn't handled by sign_image, which passes nonexistent files as parameters to sbsign, causing it to fail. The following patch fixes this and allows update-initramfs to complete successfully.
--- /usr/sbin/sicherboot.distrib	2017-07-04 10:52:58.000000000 +0100
+++ /usr/sbin/sicherboot	2017-07-19 14:18:24.830787198 +0100
@@ -100,6 +100,11 @@
         exit 1
     fi
 
+    if [ ! \( -e "${KEY_HOME}/db.key" -a -e "${KEY_HOME}/db.crt" \) ]; then
+        echo "No db.key, skipping sign_image."
+        return 0
+    fi
+
     local image="$1"
     local out="$2"

Hope this makes sense. Thank you for writing sicherboot.

-- 
https://rjy.org.uk/
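Review bot: the guard in this hunk decides purely on file presence, so on a machine where Secure Boot is in use but /etc/sicherboot/keys was never populated or was lost, sign_image now returns 0 and an unsigned image is installed with only a message on stdout; consider distinguishing the deliberate 'n' answer at setup (a config setting, or at least a warning on stderr) from an unexpectedly missing key so that a misconfiguration is not silently masked. Smaller point: the message says only "No db.key" although the test also covers db.crt, so a system with db.key but no db.crt gets a misleading reason; something like `echo "No db.key/db.crt pair in ${KEY_HOME}, skipping sign_image." >&2` would be clearer.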
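The two failures in this report (the hook running before the initrd exists, and sbsign being handed key paths that do not exist) are both things a kernel post-install hook can check up front. The following is an added example, not code from the bug report or from sicherboot: two POSIX sh pre-flight functions that return distinct results for each case, including the "only one of db.key/db.crt exists" case, which is a misconfiguration rather than the deliberate opt-out described above. The directory layout, the function names and the argument conventions are assumptions modelled on the paths in the report.

```shell
#!/bin/sh
# Added example, not part of the bug report or of sicherboot.
# Pre-flight checks a kernel postinst hook could run before calling
# objcopy/sbsign, so a missing input fails with a clear reason instead
# of a tool error. Paths and names are assumptions modelled on the report.

# preflight_image KERNEL_VERSION [BOOT_DIR]
# Returns 0 when both the kernel and its initrd exist, 2 when the initrd is
# missing (the "hook ran before update-initramfs -u" case from the report),
# 3 when the kernel image itself is missing.
preflight_image() {
    ver="$1"
    boot="${2:-/boot}"
    [ -e "${boot}/vmlinuz-${ver}" ] || return 3
    [ -e "${boot}/initrd.img-${ver}" ] || return 2
    return 0
}

# signing_mode KEY_HOME
# Prints "sign" (both db.key and db.crt present), "skip" (neither present,
# i.e. keys were never enrolled) or "partial" (only one of the pair present).
# Only the partial case returns non-zero, because that is the one that
# should stop the hook rather than be silently treated as an opt-out.
signing_mode() {
    key_home="$1"
    have_key=0; have_crt=0
    [ -e "${key_home}/db.key" ] && have_key=1
    [ -e "${key_home}/db.crt" ] && have_crt=1
    if [ "$have_key" -eq 1 ] && [ "$have_crt" -eq 1 ]; then
        echo sign
        return 0
    elif [ "$have_key" -eq 0 ] && [ "$have_crt" -eq 0 ]; then
        echo skip
        return 0
    else
        echo partial
        return 1
    fi
}

# Demonstration on a constructed, throwaway layout (no real /boot is touched).
demo() {
    tmp=$(mktemp -d) || return 1
    : > "${tmp}/vmlinuz-4.11.0-2-amd64"   # kernel unpacked, initrd not yet built
    preflight_image 4.11.0-2-amd64 "$tmp"
    echo "preflight without initrd -> $?"  # 2
    : > "${tmp}/initrd.img-4.11.0-2-amd64"
    preflight_image 4.11.0-2-amd64 "$tmp"
    echo "preflight with initrd    -> $?"  # 0
    mkdir "${tmp}/keys"
    echo "no keys enrolled         -> $(signing_mode "${tmp}/keys")"   # skip
    : > "${tmp}/keys/db.key"
    echo "db.key only              -> $(signing_mode "${tmp}/keys")"   # partial
    : > "${tmp}/keys/db.crt"
    echo "key pair present         -> $(signing_mode "${tmp}/keys")"   # sign
    rm -rf "$tmp"
}

# Run the demonstration only when executed directly, not when sourced.
case "$0" in
    *sh) ;;
    *) demo ;;
esac
```

A hook built on these checks would exit 0 with a clear message in the "skip" case (matching the intent of the patch), but fail loudly in the "partial" case and in the missing-initrd case, where proceeding would either install an unsigned image on a Secure Boot system or, as in the report, have objcopy fail with a less obvious error.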