On Sun, 11 Jul 2021 01:31:19 +0100 Steve McIntyre <st...@einval.com> wrote:
> On Sat, Jul 10, 2021 at 01:48:53AM +0200, Diederik de Haas wrote:
[...]
> 1. To stop your machine failing here, do a "dpkg-reconfigure
>    grub-efi-arm64" and say "yes" to the removable media path question
>    and "no" to the "update boot variables" question. That should
>    solve the immediate problem for you - please shout if it doesn't!
>
>    Fixing this in the *general* case is hard. We could add code to
>    fall back to *not* updating UEFI boot variables if that fails, but
>    that's likely going to be error-prone and cause trouble on
>    machines where that *should* work but it fails on a temporary
>    basis. Instead, I suspect we may need to replicate similar
>    functionality to flash-kernel and have a list of "quirky" machines
>    where we *don't* expect UEFI boot variables to work. That's messy
>    as all hell, but I'm not sure of a better option. :-/

Should this just do a quick test in the postinst to test that efivarfs
is mounted r/w? Something quick like:

    db_get grub2/update_nvram || RET=true
    if [ "$RET" = false ]; then
        OPTIONS="$OPTIONS --no-nvram"
    elif [ ! -w /sys/firmware/efi/efivars/ ]; then
        echo "WARNING: can't write to /sys/firmware/efi/efivars/, your system may not be bootable" >&2
        OPTIONS="$OPTIONS --no-nvram"
    fi

Perhaps a more informative error message, though...

Also, grub-efi-arm64's postinst runs grub-install the following way,
and I feel like the shim stuff could do the same?

    run_grub_install()
    {
        if ! grub-install $@ ; then
            echo "Failed: grub-install $@" >&2
            echo "WARNING: Bootloader is not properly installed, system may not be bootable" >&2
        fi
    }

>
> 2. To the best of my knowledge, none of the current U-Boot releases
>    support Secure Boot so you may as well remove the shim-signed
>    package anyway. It's normally harmless to include it (so we pull
>    it in via recommends), but on your system it's not going to do
>    anything for you so you may as well remove it.

Worth pointing out that it can't be removed unless one does the
dpkg-reconfigure trick above! :)

    The following packages will be REMOVED:
      mokutil* shim-helpers-arm64-signed* shim-signed* shim-signed-common*
      shim-unsigned*
    0 upgraded, 0 newly installed, 5 to remove and 0 not upgraded.
    2 not fully installed or removed.
    After this operation, 3,674 kB disk space will be freed.
    Do you want to continue? [Y/n]
    (Reading database ... 23499 files and directories currently installed.)
    Removing shim-signed:arm64 (1.37+15.4-6) ...
    Installing for arm64-efi platform.
    grub-install: warning: Cannot set EFI variable Boot0000.
    grub-install: warning: efivarfs_set_variable: failed to create /sys/firmware/efi/efivars/Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c for writing: Read-only file system.
    grub-install: warning: _efi_set_variable_mode: ops->set_variable() failed: Read-only file system.
    grub-install: error: failed to register the EFI boot entry: Read-only file system.
    dpkg: error processing package shim-signed:arm64 (--remove):
     installed shim-signed:arm64 package post-removal script subprocess returned error exit status 1
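
Added example, not part of the original message and not code from any Debian package: a variant of the efivarfs check discussed above that reads the mount options in /proc/mounts format, so the warning can say whether efivarfs is read-only or not mounted at all before `--no-nvram` is chosen. The function names and the optional mounts-file argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decide whether grub-install should be given --no-nvram,
# based on how efivarfs is mounted. Function names and the optional
# mounts-file argument are assumptions made for this illustration.

EFIVARS_DIR=/sys/firmware/efi/efivars

# Print "rw", "ro" or "absent" for the efivarfs mount listed in a
# /proc/mounts-format file (default: /proc/mounts). Later entries win,
# because a later mount on the same directory hides an earlier one.
efivarfs_mount_state() {
    mounts_file=${1:-/proc/mounts}
    state=absent
    [ -r "$mounts_file" ] || { echo "$state"; return 0; }
    # Fields: device mountpoint fstype options dump pass
    while read -r _dev mnt fstype opts _rest; do
        [ "$fstype" = efivarfs ] || continue
        [ "$mnt" = "$EFIVARS_DIR" ] || continue
        case ",$opts," in
            *,rw,*) state=rw ;;
            *)      state=ro ;;
        esac
    done < "$mounts_file"
    echo "$state"
}

# Print the extra grub-install option (nothing when NVRAM updates can go ahead).
nvram_option() {
    case $(efivarfs_mount_state "$@") in
        rw) ;;
        ro) echo "WARNING: efivarfs is mounted read-only, not updating UEFI boot variables" >&2
            echo "--no-nvram" ;;
        *)  echo "WARNING: efivarfs is not mounted, not updating UEFI boot variables" >&2
            echo "--no-nvram" ;;
    esac
}

# Constructed sample in /proc/mounts format (not captured from a real machine).
sample=$(mktemp)
cat > "$sample" <<'EOF'
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
efivarfs /sys/firmware/efi/efivars efivarfs ro,nosuid,nodev,noexec,relatime 0 0
EOF
echo "grub-install extra option: $(nvram_option "$sample")"
rm -f "$sample"
```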