Package: grub-efi-arm64
Version: 2.04-19
Severity: serious

I experienced the following on multiple ARM64 systems (both a Rock64 board and a Raspberry Pi 4b board) during an unattended-upgrades run:

Unattended upgrade result: All upgrades installed

Packages that attempted to upgrade:
 shim-helpers-arm64-signed shim-signed shim-signed-common shim-unsigned

Packages with upgradable origin but kept back:
 Debian testing:
  shim-signed shim-helpers-arm64-signed shim-signed-common

Package installation log:
Log started: 2021-07-10 06:16:45
Preparing to unpack .../shim-unsigned_15.4-6_arm64.deb ...
Unpacking shim-unsigned (15.4-6) over (15.4-5) ...
Setting up shim-unsigned (15.4-6) ...
Log ended: 2021-07-10 06:16:50

Log started: 2021-07-10 06:16:51
Preconfiguring packages ...
Preconfiguring packages ...
Preparing to unpack .../shim-signed-common_1.37+15.4-6_all.deb ...
Unpacking shim-signed-common (1.37+15.4-6) over (1.36+15.4-5) ...
Preparing to unpack .../shim-signed_1.37+15.4-6_arm64.deb ...
Unpacking shim-signed:arm64 (1.37+15.4-6) over (1.36+15.4-5) ...
Setting up shim-signed-common (1.37+15.4-6) ...
No DKMS packages installed: not changing Secure Boot validation state.
Setting up shim-signed:arm64 (1.37+15.4-6) ...
Installing for arm64-efi platform.
grub-install: warning: Cannot set EFI variable Boot0000.
grub-install: warning: efivarfs_set_variable: failed to create /sys/firmware/efi/efivars/Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c for writing: Read-only file system.
grub-install: warning: _efi_set_variable_mode: ops->set_variable() failed: Read-only file system.
grub-install: error: failed to register the EFI boot entry: Read-only file system.
dpkg: error processing package shim-signed:arm64 (--configure):
 installed shim-signed:arm64 package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 shim-signed:arm64
E:Sub-process /usr/bin/dpkg returned an error code (1)
Log ended: 2021-07-10 06:17:29

Unattended-upgrades log:
Checking if system is running on battery is skipped. Please install powermgmt-base package to check power status and skip installing updates when the system is running on battery.
Starting unattended upgrades script
Allowed origins are: origin=Debian,codename=bullseye,label=Debian, origin=Debian,codename=bullseye,label=Debian-Security, origin=Debian,codename=bullseye-security,label=Debian-Security
Initial blacklist:
Initial whitelist (not strict):
Packages that will be upgraded: shim-helpers-arm64-signed shim-signed shim-signed-common shim-unsigned
Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
Installing the upgrades failed!
error message: installArchives() failed
dpkg returned a error! See /var/log/unattended-upgrades/unattended-upgrades-dpkg.log for details
Package shim-helpers-arm64-signed is kept back because a related package is kept back or due to local apt_preferences(5).
Package shim-signed is kept back because a related package is kept back or due to local apt_preferences(5).
Package shim-signed-common is kept back because a related package is kept back or due to local apt_preferences(5).

Here's the relevant field in /proc/mounts:

efivarfs /sys/firmware/efi/efivars efivarfs ro,nosuid,nodev,noexec,relatime 0 0

I expect that the reason /sys/firmware/efi/efivars is mounted read-only is due to bug reports such as the following:

https://github.com/systemd/systemd/issues/2402

It would be preferable for grub to either a) continue the package postinstall despite efivars being read-only, or b) remount efivars read-write, update efivars, and then remount ro.

grub-install is being called from shim-helpers-arm64-signed's postinst. You could argue that shim-helpers-arm64-signed could remount efivars read-write, but since I can actually trigger the same error in grub-efi-arm64's postinst, it seems like this should be fixed in grub:

dilinger@wifi2:~$ sudo dpkg-reconfigure grub-efi-arm64
[sudo] password for dilinger:
Installing for arm64-efi platform.
grub-install: warning: Cannot set EFI variable Boot0000.
grub-install: warning: efivarfs_set_variable: failed to create /sys/firmware/efi/efivars/Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c for writing: Read-only file system.
grub-install: warning: _efi_set_variable_mode: ops->set_variable() failed: Read-only file system.
grub-install: error: failed to register the EFI boot entry: Read-only file system.
Failed: grub-install --target=arm64-efi
WARNING: Bootloader is not properly installed, system may not be bootable
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.10.0-7-arm64
Found initrd image: /boot/initrd.img-5.10.0-7-arm64
done
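
Option (b) from the report, sketched as an added example; it is not code from grub, shim or the Debian packaging. It reads the efivarfs mount state from /proc/mounts, remounts read-write only around the wrapped command, and restores read-only afterwards even if the command fails. The function names and the MOUNT_CMD and MOUNTS_FILE overrides are hypothetical.

```shell
#!/bin/sh
# Added example, not grub or Debian packaging code.
EFIVARS=/sys/firmware/efi/efivars

# Print "ro", "rw" or "absent" for the efivarfs mount found in a
# /proc/mounts-format file (default: /proc/mounts). Last matching entry wins.
efivarfs_mode() {
    awk -v mp="$EFIVARS" '
        $2 == mp && $3 == "efivarfs" {
            mode = "rw"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
        }
        END { print (mode == "" ? "absent" : mode) }
    ' "${1:-/proc/mounts}"
}

# Run "$@" with efivarfs writable; put it back to read-only afterwards if
# that is how it was found. MOUNT_CMD and MOUNTS_FILE are hypothetical
# overrides so the logic can be dry-run without root.
with_efivarfs_rw() {
    mount_cmd=${MOUNT_CMD:-mount}
    case $(efivarfs_mode "${MOUNTS_FILE:-/proc/mounts}") in
        ro)
            $mount_cmd -o remount,rw "$EFIVARS" || return 1
            rc=0
            "$@" || rc=$?
            # Restore the protective read-only state even when "$@" failed.
            $mount_cmd -o remount,ro "$EFIVARS" || return 1
            return "$rc" ;;
        rw)
            "$@" ;;
        *)
            echo "efivarfs is not mounted at $EFIVARS" >&2
            return 2 ;;
    esac
}

# Usage (as root): with_efivarfs_rw grub-install --target=arm64-efi
```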