Control: reassign -1 grub-efi-arm64 (ish)
Hi Diederik, On Sat, Jul 10, 2021 at 01:48:53AM +0200, Diederik de Haas wrote: >Package: shim-helpers-arm64-signed >Version: 1+15.4+6 >Severity: important > >Running 'aptitude safe-upgrade' on my Bullseye/Sid/Experimental system >fails: > >Unpacking shim-unsigned (15.4-6) over (15.4-5) ... >Preparing to unpack .../3-shim-helpers-arm64-signed_1+15.4+6_arm64.deb ... >Unpacking shim-helpers-arm64-signed (1+15.4+6) over (1+15.4+5) ... >Preparing to unpack .../4-shim-signed-common_1.37+15.4-6_all.deb ... >Unpacking shim-signed-common (1.37+15.4-6) over (1.36+15.4-5) ... >Preparing to unpack .../5-shim-signed_1.37+15.4-6_arm64.deb ... >Unpacking shim-signed:arm64 (1.37+15.4-6) over (1.36+15.4-5) ... >Setting up libuv1:arm64 (1.40.0-2) ... >Setting up shim-signed-common (1.37+15.4-6) ... >No DKMS packages installed: not changing Secure Boot validation state. >Setting up udev (249-1) ... >Setting up python3-urllib3 (1.26.5-1~exp1) ... >Setting up shim-unsigned (15.4-6) ... >Setting up shim-helpers-arm64-signed (1+15.4+6) ... >Installing for arm64-efi platform. >grub-install: warning: Cannot set EFI variable Boot0000. >grub-install: warning: efivarfs_set_variable: failed to open >/sys/firmware/efi/efivars/Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c for >writing: Read-only file system. >grub-install: warning: _efi_set_variable_mode: ops->set_variable() failed: >Read-only file system. >grub-install: error: failed to register the EFI boot entry: Read-only file >system. >dpkg: error processing package shim-helpers-arm64-signed (--configure): > installed shim-helpers-arm64-signed package post-installation script > subprocess returned error exit status 1 >dpkg: dependency problems prevent configuration of shim-signed:arm64: > shim-signed:arm64 depends on shim-helpers-arm64-signed (>= 1+15.4+2); however: > Package shim-helpers-arm64-signed is not configured yet. Right, The maintainer scripts for the shim-signed packages now explicitly calls grub-install to make sure that shim is added/removed from the boot chain as appropriate. The errors you're seeing are from grub-install, and that's where the problem is showing up. AFAICS grub-install is failing to update due to the *real* underlying problem, which is that your platform is running firmware which implements UEFI but that UEFI support isn't working for writing UEFI boot variables. You're using U-Boot, I assume? So, here's a few thoughts: 1. To stop your machine failing here, do a "dpkg-reconfigure grub-efi-arm64" and say "yes" to the removable media path question and "no" to the "update boot variables" question. That should solve the immediate problem for you - please shout if it doesn't! Fixing this in the *general* case is hard. We could add code to fall back to *not* updating UEFI boot variables if that fails, but that's likely going to be error-prone and cause trouble on machines where that *should* work but it fails on a temporary basis. Instead, I suspect we may need to replicate similar functionality to flash-kernel and have a list of "quirky" machines where we *don't* expect UEFI boot variables to work. That's messy as all hell, but I'm not sure of a better option. :-/ 2. To the best of my knowledge, none of the current U-Boot releases support Secure Boot so you may as well remove the shim-signed package anyway. It's normally harmless to include it (so we pull it in via recommends), but on your system it's not going to do anything for you so you may as well remove it. OK? -- Steve McIntyre, Cambridge, UK. st...@einval.com "... the premise [is] that privacy is about hiding a wrong. It's not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect." -- Bruce Schneier