[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
** No longer affects: unattended-upgrades (Ubuntu)

** No longer affects: unattended-upgrades (Ubuntu Trusty)

** No longer affects: unattended-upgrades (Ubuntu Xenial)

** No longer affects: unattended-upgrades (Ubuntu Yakkety)

--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unattended-upgrades in
Ubuntu.
https://bugs.launchpad.net/bugs/1673817

Title:
  update-secure-boot-policy behaving badly with unattended-upgrades

Status in shim-signed package in Ubuntu:
  Fix Released
Status in shim-signed source package in Trusty:
  Fix Released
Status in shim-signed source package in Xenial:
  Fix Released
Status in shim-signed source package in Yakkety:
  Fix Released

Bug description:
  [Impact]
  Any user with unattended upgrades enabled and DKMS packages in a
  Secure Boot environment might be prompted to change Secure Boot
  policy, which will fail and crash in unattended-upgrades.

  [Test case]
  = unattended upgrade =
  1) Create /var/lib/dkms/TEST-DKMS
  2) Install new package
  3) Trigger unattended-upgrades: unattended-upgrades -d

  Upgrade should run smoothly for all the processing but fail to
  complete; shim-signed should end the unattended upgrade with an error
  as unattended change of the Secure Boot policy can not be done.
  Upgrade should not hang in high CPU usage.

  = standard upgrade =
  1) Create /var/lib/dkms/TEST-DKMS
  2) install new package.
  3) Verify that the upgrade completes normally.

  [Regression Potential]
  Any failure to prompt for or change Secure Boot policy in mokutil
  while in an *attended* upgrade scenario would constitute a regression
  of this SRU.

  Any other issues related to booting in Secure Boot mode should instead
  be directed to bug 1637290 (shim update).

  ---

  Currently, unattended-upgrades will automatically install all updates
  for those running development releases of Ubuntu (LP: #1649709)

  Today, my computer was acting very sluggish. Looking at my process
  list, I saw /usr/sbin/update-secureboot-policy was using a lot of CPU.

  I killed the process. I have a /var/crash/shim-signed.0.crash but
  since it's 750 MB, I didn't bother submitting it or looking at it
  more. Maybe it crashed because I killed the process.

  Also, I see that unattended-upgrades-dpkg.log is 722 MB.

  Today's update included both VirtualBox and the linux kernel.

  I am attaching an excerpt of
  /var/log/unattended-upgrades/unattended-upgrades-dpkg.log

  This message was repeated a very large number of times (but I only
  included it once in the attachment):

  "Invalid password

  The Secure Boot key you've entered is not valid. The password used
  must be between 8 and 16 characters."

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: shim-signed 1.23+0.9+1474479173.6c180c6-0ubuntu1
  ProcVersionSignature: Ubuntu 4.10.0-11.13-generic 4.10.1
  Uname: Linux 4.10.0-11-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
  ApportVersion: 2.20.4-0ubuntu2
  Architecture: amd64
  CurrentDesktop: GNOME
  Date: Fri Mar 17 11:15:04 2017
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2017-02-23 (21 days ago)
  InstallationMedia: Ubuntu-GNOME 17.04 "Zesty Zapus" - Alpha amd64 (20170219)
  SourcePackage: shim-signed
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1673817/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
This bug was fixed in the package shim-signed - 1.32~14.04.2

---
shim-signed (1.32~14.04.2) trusty; urgency=medium

  * Backport shim-signed 1.32 to 14.04. (LP: #1700170)

shim-signed (1.32) artful; urgency=medium

  * Handle cleanup of /var/lib/shim-signed on package purge.

shim-signed (1.31) artful; urgency=medium

  * Fix regression in postinst when /var/lib/dkms does not exist.
    (LP #1700195)
  * Sort the list of dkms modules when recording.

shim-signed (1.30) artful; urgency=medium

  * update-secureboot-policy: track the installed DKMS modules so we can
    skip failing unattended upgrades if they haven't changed (ie. if no
    new DKMS modules have been installed, just honour the user's previous
    decision to not disable shim validation). (LP: #1695578)
  * update-secureboot-policy: allow re-enabling shim validation when no
    DKMS packages are installed. (LP: #1673904)
  * debian/source_shim-signed.py: add the textual representation of
    SecureBoot and MokSBStateRT EFI variables rather than just adding the
    files directly; also, make sure we include the relevant EFI bits from
    kernel log. (LP: #1680279)

shim-signed (1.29) artful; urgency=medium

  * Makefile: Generate BOOT$arch.CSV, for use with fallback.
  * debian/rules: make sure we can do per-arch EFI files.

shim-signed (1.28) zesty; urgency=medium

  * Adjust apport hook to include key files that tell us about the
    system's current SB state. LP: #1680279.

shim-signed (1.27) zesty; urgency=medium

  [ Steve Langasek ]
  * Update to the signed 0.9+1474479173.6c180c6-1ubuntu1 binary from
    Microsoft.
  * update-secureboot-policy:
    - detect when we have no debconf prompting and error out instead of
      ending up in an infinite loop. LP: #1673817.
    - refactor to make the code easier to follow.
    - remove a confusing boolean that would always re-prompt on a request
      to --enable, but not on a request to --disable.

  [ Mathieu Trudel-Lapierre ]
  * update-secureboot-policy:
    - some more fixes to properly handle non-interactive mode.
      (LP: #1673817)

shim-signed (1.23) zesty; urgency=medium

  * debian/control: bump the Depends on grub2-common since that's needed
    to install with the new updated EFI binaries filenames.

shim-signed (1.22) yakkety; urgency=medium

  * Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 binary from
    Microsoft.
  * Update paths now that the shim binary has been renamed to include the
    target architecture.
  * debian/shim-signed.postinst: clean up old MokManager.efi from
    EFI/ubuntu; since it's being replaced by mm$arch.efi.

shim-signed (1.21.3) vivid; urgency=medium

  * No-change rebuild for shim 0.9+1465500757.14a5905.is.0.8-0ubuntu3.

shim-signed (1.21.2) vivid; urgency=medium

  * Revert to signed shim from 0.8-0ubuntu2.
    - shim.efi.signed originally built from shim 0.8-0ubuntu2 in wily.

shim-signed (1.20) yakkety; urgency=medium

  * Update to the signed 0.9+1465500757.14a5905-0ubuntu1 binary from
    Microsoft. (LP: #1581299)

 -- Mathieu Trudel-Lapierre  Mon, 10 Jul 2017 20:29:28 -0400

** Changed in: shim-signed (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

Status in shim-signed package in Ubuntu:
  Fix Released
Status in unattended-upgrades package in Ubuntu:
  Invalid
Status in shim-signed source package in Trusty:
  Fix Released
Status in unattended-upgrades source package in Trusty:
  Invalid
Status in shim-signed source package in Xenial:
  Fix Released
Status in unattended-upgrades source package in Xenial:
  Invalid
Status in shim-signed source package in Yakkety:
  Fix Released
Status in unattended-upgrades source package in Yakkety:
  Invalid

[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
Verification done for trusty:

I've used shim-signed 1.32~14.04.2; interactive and non-interactive,
unattended upgrades are behaving as expected and correctly stop if a new
DKMS package is being installed, or continue if existing DKMS packages
are being upgraded (not unnecessarily breaking upgrade if the upgrade
does not inject a new DKMS package).

** Tags removed: verification-needed verification-needed-trusty
** Tags added: verification-done-trusty

Status in shim-signed package in Ubuntu:
  Fix Released
Status in unattended-upgrades package in Ubuntu:
  Invalid
Status in shim-signed source package in Trusty:
  Fix Committed
Status in unattended-upgrades source package in Trusty:
  Invalid
Status in shim-signed source package in Xenial:
  Fix Released
Status in unattended-upgrades source package in Xenial:
  Invalid
Status in shim-signed source package in Yakkety:
  Fix Released
Status in unattended-upgrades source package in Yakkety:
  Invalid

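Added example (not part of this thread and not the shim-signed source): a shell sketch of the behaviour that the 1.27 and 1.30 changelog entries and the trusty verification above describe, namely failing once when no prompt is possible and letting an unattended run continue when no new DKMS module has appeared. The function names and the state-file location are hypothetical, and the DKMS tree is constructed in a temporary directory.

```shell
#!/bin/sh
# Added illustration, not the shim-signed source. Function names and the
# state-file location are hypothetical; all sample data is constructed.

# Print the names found under the DKMS directory $1, one per line, sorted.
# A missing or empty directory yields an empty list rather than an error.
list_dkms_modules() {
    [ -d "$1" ] || return 0
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue      # unexpanded glob: directory is empty
        basename "$entry"
    done | LC_ALL=C sort
}

# Record the current module list in state file $2. In this sketch that is
# done after the user has answered the policy question in an attended run.
record_dkms_modules() {
    list_dkms_modules "$1" > "$2"
}

# Print the action for DKMS dir $1, state file $2, interactive flag $3:
#   nothing  no DKMS modules, so the Secure Boot policy is not in question
#   prompt   attended run, the user can be asked
#   skip     unattended run, every module is already in the record
#   fail     unattended run with a module that is not in the record
decide_action() {
    current=$(list_dkms_modules "$1")
    if [ -z "$current" ]; then echo nothing; return 0; fi
    if [ "$3" = yes ]; then echo prompt; return 0; fi
    verdict=skip
    while IFS= read -r module; do
        # -F fixed string, -x whole line: "zfs" must not match "zfs-extra"
        if [ ! -f "$2" ] || ! grep -Fxq -- "$module" "$2"; then
            verdict=fail
            break
        fi
    done <<EOF
$current
EOF
    echo "$verdict"
}

# One helper pass. On "fail" it returns 1 exactly once instead of repeating
# a question nobody can answer; otherwise it returns 0 (the prompt itself
# is not modelled here).
run_helper() {
    case $(decide_action "$1" "$2" "$3") in
        fail)
            echo "Running in non-interactive mode, doing nothing." >&2
            return 1 ;;
        *)  return 0 ;;
    esac
}

# Constructed walk-through in a throwaway directory.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/dkms/virtualbox"
    echo "attended, first module:     $(decide_action "$d/dkms" "$d/list" yes)"
    record_dkms_modules "$d/dkms" "$d/list"
    echo "unattended, list unchanged: $(decide_action "$d/dkms" "$d/list" no)"
    : > "$d/dkms/TEST-DKMS"
    echo "unattended, new TEST-DKMS:  $(decide_action "$d/dkms" "$d/list" no)"
    rm -rf "$d"
}
demo
```

The non-zero return in the `fail` case corresponds to the "post-installation script returned error exit status 1" outcome in the xenial verification log in this thread: one bounded failure in place of an endless run of "Invalid password" retries.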
[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
Hello Jeremy, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/shim-signed/1.32~14.04.1 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-trusty to verification-done-trusty. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-trusty. In either case, details of your
testing will help us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!

** Changed in: shim-signed (Ubuntu Trusty)
       Status: New => Fix Committed

** Tags added: verification-needed verification-needed-trusty

Status in shim-signed package in Ubuntu:
  Fix Released
Status in unattended-upgrades package in Ubuntu:
  Invalid
Status in shim-signed source package in Trusty:
  Fix Committed
Status in unattended-upgrades source package in Trusty:
  Invalid
Status in shim-signed source package in Xenial:
  Fix Released
Status in unattended-upgrades source package in Xenial:
  Invalid
Status in shim-signed source package in Yakkety:
  Fix Released
Status in unattended-upgrades source package in Yakkety:
  Invalid

[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
An upload of shim-signed to trusty-proposed has been rejected from the
upload queue for the following reason: "needs adjusted versioned dep on
grub2-common; drop ref to LP: #1624096 from changelog".

** Changed in: unattended-upgrades (Ubuntu Trusty)
       Status: New => Invalid

** Changed in: unattended-upgrades (Ubuntu Xenial)
       Status: New => Invalid

** Changed in: unattended-upgrades (Ubuntu Yakkety)
       Status: New => Invalid

Status in shim-signed package in Ubuntu:
  Fix Released
Status in unattended-upgrades package in Ubuntu:
  Invalid
Status in shim-signed source package in Trusty:
  New
Status in unattended-upgrades source package in Trusty:
  Invalid
Status in shim-signed source package in Xenial:
  Fix Released
Status in unattended-upgrades source package in Xenial:
  Invalid
Status in shim-signed source package in Yakkety:
  Fix Released
Status in unattended-upgrades source package in Yakkety:
  Invalid

[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
This bug was fixed in the package shim-signed - 1.27~16.04.1

---
shim-signed (1.27~16.04.1) xenial; urgency=medium

  * Backport shim 0.9+1474479173.6c180c6-1ubuntu1 to 16.04.
    (LP: #1637290)

shim-signed (1.27) zesty; urgency=medium

  [ Steve Langasek ]
  * Update to the signed 0.9+1474479173.6c180c6-1ubuntu1 binary from
    Microsoft.
  * update-secureboot-policy:
    - detect when we have no debconf prompting and error out instead of
      ending up in an infinite loop. LP: #1673817.
    - refactor to make the code easier to follow.
    - remove a confusing boolean that would always re-prompt on a request
      to --enable, but not on a request to --disable.

  [ Mathieu Trudel-Lapierre ]
  * update-secureboot-policy:
    - some more fixes to properly handle non-interactive mode.
      (LP: #1673817)

shim-signed (1.23) zesty; urgency=medium

  * debian/control: bump the Depends on grub2-common since that's needed
    to install with the new updated EFI binaries filenames.

shim-signed (1.22) yakkety; urgency=medium

  * Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 binary from
    Microsoft. (LP: #1581299)
  * Update paths now that the shim binary has been renamed to include the
    target architecture.
  * debian/shim-signed.postinst: clean up old MokManager.efi from
    EFI/ubuntu; since it's being replaced by mm$arch.efi.

 -- Mathieu Trudel-Lapierre  Thu, 23 Mar 2017 16:58:44 -0400

** Changed in: shim-signed (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

Status in shim-signed package in Ubuntu:
  Fix Released
Status in unattended-upgrades package in Ubuntu:
  Invalid
Status in shim-signed source package in Trusty:
  New
Status in unattended-upgrades source package in Trusty:
  New
Status in shim-signed source package in Xenial:
  Fix Released
Status in unattended-upgrades source package in Xenial:
  New
Status in shim-signed source package in Yakkety:
  Fix Released
Status in unattended-upgrades source package in Yakkety:
  New

[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
This bug was fixed in the package shim-signed - 1.27~16.10.1

---
shim-signed (1.27~16.10.1) yakkety; urgency=medium

  * Backport shim 0.9+1474479173.6c180c6-1ubuntu1 to 16.10.
    (LP: #1637290)

shim-signed (1.27) zesty; urgency=medium

  [ Steve Langasek ]
  * Update to the signed 0.9+1474479173.6c180c6-1ubuntu1 binary from
    Microsoft.
  * update-secureboot-policy:
    - detect when we have no debconf prompting and error out instead of
      ending up in an infinite loop. LP: #1673817.
    - refactor to make the code easier to follow.
    - remove a confusing boolean that would always re-prompt on a request
      to --enable, but not on a request to --disable.

  [ Mathieu Trudel-Lapierre ]
  * update-secureboot-policy:
    - some more fixes to properly handle non-interactive mode.
      (LP: #1673817)

shim-signed (1.23) zesty; urgency=medium

  * debian/control: bump the Depends on grub2-common since that's needed
    to install with the new updated EFI binaries filenames.

shim-signed (1.22) yakkety; urgency=medium

  * Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 binary from
    Microsoft. (LP: #1581299)
  * Update paths now that the shim binary has been renamed to include the
    target architecture.
  * debian/shim-signed.postinst: clean up old MokManager.efi from
    EFI/ubuntu; since it's being replaced by mm$arch.efi.

 -- Mathieu Trudel-Lapierre  Thu, 23 Mar 2017 16:58:44 -0400

** Changed in: shim-signed (Ubuntu Yakkety)
       Status: Fix Committed => Fix Released

Status in shim-signed package in Ubuntu:
  Fix Released
Status in unattended-upgrades package in Ubuntu:
  Invalid
Status in shim-signed source package in Trusty:
  New
Status in unattended-upgrades source package in Trusty:
  New
Status in shim-signed source package in Xenial:
  Fix Released
Status in unattended-upgrades source package in Xenial:
  New
Status in shim-signed source package in Yakkety:
  Fix Released
Status in unattended-upgrades source package in Yakkety:
  New

[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
Verified shim-signed 1.27~16.04.1 on xenial:

Processing triggers for shared-mime-info (1.5-2ubuntu0.1) ...
Setting up libreoffice-core (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-base-core (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-calc (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-gtk (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-gnome (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-writer (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-draw (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-impress (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-ogltrans (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-pdfimport (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up python3-uno (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-math (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Setting up libreoffice-avmedia-backend-gstreamer (1:5.1.6~rc2-0ubuntu1~xenial1) ...
Processing triggers for bamfdaemon (0.5.3~bzr0+16.04.20160824-0ubuntu1) ...
Rebuilding /usr/share/applications/bamf-2.index...
Processing triggers for fontconfig (2.11.94-0ubuntu1.1) ...
Processing triggers for libc-bin (2.23-0ubuntu7) ...
Processing triggers for initramfs-tools (0.122ubuntu8.8) ...
update-initramfs: Generating /boot/initrd.img-4.8.0-45-generic
Processing triggers for systemd (229-4ubuntu17) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for resolvconf (1.78ubuntu4) ...
Errors were encountered while processing:
 shim-signed
E:Sub-process /usr/bin/dpkg returned an error code (1)
Exception happened during upgrade.
Traceback (most recent call last):
  File "/usr/bin/unattended-upgrade", line 408, in cache_commit
    res = cache.commit(install_progress=iprogress)
  File "/usr/lib/python3/dist-packages/apt/cache.py", line 519, in commit
    raise SystemError("installArchives() failed")
SystemError: installArchives() failed
Installing the upgrades failed!
error message: 'installArchives() failed'
dpkg returned a error! See '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log' for details
marking snap-confine for remove
Packages that are auto removed: 'snap-confine'
(Reading database ... 207712 files and directories currently installed.)
Removing snap-confine (2.23.1) ...
Setting up shim-signed (1.27~16.04.1+0.9+1474479173.6c180c6-1ubuntu1) ...
Installing for x86_64-efi platform.
Installation finished. No error reported.
Running in non-interactive mode, doing nothing.
dpkg: error processing package shim-signed (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 shim-signed
E:Sub-process /usr/bin/dpkg returned an error code (1)
Exception happened during upgrade.
Traceback (most recent call last):
  File "/usr/bin/unattended-upgrade", line 408, in cache_commit
    res = cache.commit(install_progress=iprogress)
  File "/usr/lib/python3/dist-packages/apt/cache.py", line 519, in commit
    raise SystemError("installArchives() failed")
SystemError: installArchives() failed
Auto-removing the packages failed!
Error message: 'installArchives() failed'
dpkg returned an error! See '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log' for details
InstCount=0 DelCount=1 BrokenCount=0
Extracting content from '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log' since '2017-03-31 14:08:17'

** Tags removed: verification-needed
** Tags added: verification-done-xenial

-- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to unattended-upgrades in Ubuntu.
https://bugs.launchpad.net/bugs/1673817 Title: update-secure-boot-policy behaving badly with unattended-upgrades Status in shim-signed package in Ubuntu: Fix Released Status in unattended-upgrades package in Ubuntu: Invalid Status in shim-signed source package in Trusty: New Status in unattended-upgrades source package in Trusty: New Status in shim-signed source package in Xenial: Fix Committed Status in unattended-upgrades source package in Xenial: New Status in shim-signed source package in Yakkety: Fix Committed Status in unattended-upgrades source package in Yakkety: New Bug description: [Impact] Any user with unattended upgrades enabled and DKMS packages in a Secure Boot environment might be prompted to change Secure Boot policy, which will fail and crash in unattended-upgrades. [Test case] = unattended upgrade = 1) Create /var/lib/dkms/TEST-DKMS 2) Install new package 3) Trigger unattended-upgrades: unattended-upgrades -d Upgrade should run smoothly for all the processing but fail to complete; shim-signed should end the unattended upgrade with a error as unattended change of the Secure Boot policy can not be done. Upgrade should not hang in high CPU usage. = standard upgrade = 1) Create /var/lib/dkms/TEST-DKMS 2) install new package. 3) Verify that the upgrade
[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
Verified shim-signed 1.27~16.10.1 on yakkety:

Processing triggers for systemd (231-9ubuntu3) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up grub-efi-amd64-bin (2.02~beta2-36ubuntu11.2) ...
Setting up grub2-common (2.02~beta2-36ubuntu11.2) ...
Setting up shim-signed (1.27~16.10.1+0.9+1474479173.6c180c6-1ubuntu1) ...
Installing for x86_64-efi platform.
Installation finished. No error reported.
Running in non-interactive mode, doing nothing.
dpkg: error processing package shim-signed (--configure):
 subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
 shim-signed
E:Sub-process /usr/bin/dpkg returned an error code (1)
Exception happened during upgrade.
Traceback (most recent call last):
  File "/usr/bin/unattended-upgrade", line 410, in cache_commit
    res = cache.commit(install_progress=iprogress)
  File "/usr/lib/python3/dist-packages/apt/cache.py", line 529, in commit
    raise SystemError("installArchives() failed")
SystemError: installArchives() failed
Installing the upgrades failed!
error message: 'installArchives() failed'
dpkg returned a error! See '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log' for details
InstCount=0 DelCount=0 BrokenCount=0
Extracting content from '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log' since '2017-03-31 11:51:24'

This failure is the expected result of unattended upgrades where shim-signed needs to apply a policy change (or prompt the user for one). Unattended Secure Boot policy changes are not possible as a password is required that will be entered on reboot.

** Description changed: [Impact] Any user with unattended upgrades enabled and DKMS packages in a Secure Boot environment might be prompted to change Secure Boot policy, which will fail and crash in unattended-upgrades. 
[Test case] - 1) Install new package - 2) Create /var/lib/dkms/TEST-DKMS - 3) Reboot triggering unattended-upgrades: - + = unattended upgrade = + 1) Create /var/lib/dkms/TEST-DKMS + 2) Install new package + 3) Trigger unattended-upgrades: unattended-upgrades -d - Upgrade should run smoothly and complete without issue (see original - description). + Upgrade should run smoothly for all the processing but fail to complete; + shim-signed should end the unattended upgrade with a error as unattended + change of the Secure Boot policy can not be done. Upgrade should not + hang in high CPU usage. + + = standard upgrade = + 1) Create /var/lib/dkms/TEST-DKMS + 2) install new package. + 3) Verify that the upgrade completes normally. + [Regression Potential] - Any failure to prompt for or change Secure Boot policy in mokutil (crashes of update-secureboot-policy, higher CPU usage, etc.) would constitute a regression of this SRU. + Any failure to prompt for or change Secure Boot policy in mokutil while in an *attended* upgrade scenario would constitute a regression of this SRU. Any other issues related to booting in Secure Boot mode should instead be directed to bug 1637290 (shim update). --- Currently, unattended-upgrades will automatically install all updates for those running development releases of Ubuntu (LP: #1649709) Today, my computer was acting very sluggish. Looking at my process list, I saw/ usr/sbin/update-secureboot-policy was using a log of CPU. I killed the process. I have a /var/crash/shim-signed.0.crash but since it's 750 MB, I didn't bother submitting it or looking at it more. Maybe it crashed because I killed the process. Also, I see that unattended- upgrades-dpkg.log is 722 MB. Today's update included both VirtualBox and the linux kernel. 
I am attaching an excerpt of /var/log/unattended-upgrades/unattended- upgrades-dpkg.log This message was repeated a very large number of times (but I only included it once in the attachment: "Invalid password The Secure Boot key you've entered is not valid. The password used must be between 8 and 16 characters." ProblemType: Bug DistroRelease: Ubuntu 17.04 Package: shim-signed 1.23+0.9+1474479173.6c180c6-0ubuntu1 ProcVersionSignature: Ubuntu 4.10.0-11.13-generic 4.10.1 Uname: Linux 4.10.0-11-generic x86_64 NonfreeKernelModules: zfs zunicode zavl zcommon znvpair ApportVersion: 2.20.4-0ubuntu2 Architecture: amd64 CurrentDesktop: GNOME Date: Fri Mar 17 11:15:04 2017 EcryptfsInUse: Yes InstallationDate: Installed on 2017-02-23 (21 days ago) InstallationMedia: Ubuntu-GNOME 17.04 "Zesty Zapus" - Alpha amd64 (20170219) SourcePackage: shim-signed UpgradeStatus: No upgrade log present (probably fresh install) ** Tags added: verification-done-yakkety
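Review bot: the revised "= unattended upgrade =" expectation ("fail to complete; shim-signed should end the unattended upgrade with a error") names no observable result, so two testers can disagree on what counts as a pass. State what to look for, for example the "Running in non-interactive mode, doing nothing." line followed by dpkg's "post-installation script returned error exit status 1" as in the verification output in this message, and say how "should not hang in high CPU usage" is confirmed (the run returns and unattended-upgrades-dpkg.log stops growing).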
[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
Hello Jeremy, or anyone else affected,

Accepted shim-signed into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.27~16.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Changed in: shim-signed (Ubuntu Yakkety)
   Status: New => Fix Committed
To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1673817/+subscriptions
-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
Hello Jeremy, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.27~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Changed in: shim-signed (Ubuntu Xenial)
   Status: New => Fix Committed

** Tags added: verification-needed
[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
** Description changed: + [Impact] + Any user with unattended upgrades enabled and DKMS packages in a Secure Boot environment might be prompted to change Secure Boot policy, which will fail and crash in unattended-upgrades. + + [Test case] + 1) Install new package + 2) Create /var/lib/dkms/TEST-DKMS + 3) Reboot triggering unattended-upgrades: + + + Upgrade should run smoothly and complete without issue (see original + description). + + [Regression Potential] + Any failure to prompt for or change Secure Boot policy in mokutil (crashes of update-secureboot-policy, higher CPU usage, etc.) would constitute a regression of this SRU. + + Any other issues related to booting in Secure Boot mode should instead + be directed to bug 1637290 (shim update). + + --- + Currently, unattended-upgrades will automatically install all updates for those running development releases of Ubuntu (LP: #1649709) Today, my computer was acting very sluggish. Looking at my process list, I saw/ usr/sbin/update-secureboot-policy was using a log of CPU. I killed the process. I have a /var/crash/shim-signed.0.crash but since it's 750 MB, I didn't bother submitting it or looking at it more. Maybe it crashed because I killed the process. Also, I see that unattended- upgrades-dpkg.log is 722 MB. Today's update included both VirtualBox and the linux kernel. I am attaching an excerpt of /var/log/unattended-upgrades/unattended- upgrades-dpkg.log This message was repeated a very large number of times (but I only included it once in the attachment: "Invalid password - The Secure Boot key you've entered is not valid. The password used must be + The Secure Boot key you've entered is not valid. The password used must be between 8 and 16 characters." 
ProblemType: Bug DistroRelease: Ubuntu 17.04 Package: shim-signed 1.23+0.9+1474479173.6c180c6-0ubuntu1 ProcVersionSignature: Ubuntu 4.10.0-11.13-generic 4.10.1 Uname: Linux 4.10.0-11-generic x86_64 NonfreeKernelModules: zfs zunicode zavl zcommon znvpair ApportVersion: 2.20.4-0ubuntu2 Architecture: amd64 CurrentDesktop: GNOME Date: Fri Mar 17 11:15:04 2017 EcryptfsInUse: Yes InstallationDate: Installed on 2017-02-23 (21 days ago) InstallationMedia: Ubuntu-GNOME 17.04 "Zesty Zapus" - Alpha amd64 (20170219) SourcePackage: shim-signed UpgradeStatus: No upgrade log present (probably fresh install)
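Review bot: step 3 of the added [Test case], "Reboot triggering unattended-upgrades:", ends in a colon with nothing after it, so the action that starts the run is left to the tester; name the command to execute. Steps 1 and 2 also install the package before creating /var/lib/dkms/TEST-DKMS, so the marker may not yet exist when the package is configured; creating it first removes that ambiguity.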
[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
** Also affects: unattended-upgrades (Ubuntu Yakkety) Importance: Undecided Status: New
** Also affects: shim-signed (Ubuntu Yakkety) Importance: Undecided Status: New
** Also affects: unattended-upgrades (Ubuntu Trusty) Importance: Undecided Status: New
** Also affects: shim-signed (Ubuntu Trusty) Importance: Undecided Status: New
** Also affects: unattended-upgrades (Ubuntu Xenial) Importance: Undecided Status: New
** Also affects: shim-signed (Ubuntu Xenial) Importance: Undecided Status: New
[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
This bug was fixed in the package shim-signed - 1.27

---
shim-signed (1.27) zesty; urgency=medium

  [ Steve Langasek ]
  * Update to the signed 0.9+1474479173.6c180c6-1ubuntu1 binary from Microsoft.
  * update-secureboot-policy:
    - detect when we have no debconf prompting and error out instead of ending up in an infinite loop. LP: #1673817.
    - refactor to make the code easier to follow.
    - remove a confusing boolean that would always re-prompt on a request to --enable, but not on a request to --disable.

  [ Mathieu Trudel-Lapierre ]
  * update-secureboot-policy:
    - some more fixes to properly handle non-interactive mode. (LP: #1673817)

 -- Mathieu Trudel-Lapierre  Tue, 21 Mar 2017 14:28:46 -0400

** Changed in: shim-signed (Ubuntu)
   Status: In Progress => Fix Released
[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
** Changed in: shim-signed (Ubuntu)
   Milestone: None => ubuntu-17.03

** Changed in: shim-signed (Ubuntu)
   Status: Incomplete => In Progress
[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
** Tags added: rls-z-incoming -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to unattended-upgrades in Ubuntu. https://bugs.launchpad.net/bugs/1673817 Title: update-secure-boot-policy behaving badly with unattended-upgrades Status in shim-signed package in Ubuntu: Incomplete Status in unattended-upgrades package in Ubuntu: Invalid Bug description: Currently, unattended-upgrades will automatically install all updates for those running development releases of Ubuntu (LP: #1649709) Today, my computer was acting very sluggish. Looking at my process list, I saw/ usr/sbin/update-secureboot-policy was using a log of CPU. I killed the process. I have a /var/crash/shim-signed.0.crash but since it's 750 MB, I didn't bother submitting it or looking at it more. Maybe it crashed because I killed the process. Also, I see that unattended-upgrades-dpkg.log is 722 MB. Today's update included both VirtualBox and the linux kernel. I am attaching an excerpt of /var/log/unattended-upgrades/unattended- upgrades-dpkg.log This message was repeated a very large number of times (but I only included it once in the attachment: "Invalid password The Secure Boot key you've entered is not valid. The password used must be between 8 and 16 characters." 
[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
Per my last comment on IRC, I think 'exit 1' is actually better here
because we aren't taking the specified action. grub calls
update-secureboot-policy || true, but that just sets the trigger anyway.
shim-signed calls without the || true, and so the trigger will fail
under this condition. But ultimately it's going to fail no matter what,
we're better off failing immediately instead of only when someone
notices the full logs and kills the process.
Re: [Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
On Fri, Mar 17, 2017 at 03:52:28PM -, Mathieu Trudel-Lapierre wrote:
> What is the content of the following files?
> /proc/sys/kernel/secure_boot
> /proc/sys/kernel/moksbstate_disabled

This shouldn't matter for solving this bug. I believe the only thing you
need is, at line 83 when checking the secureboot_key values:

    if [ -z "$key" ] && [ -z "$again" ] && \
       ! db_fget shim/${action}_secureboot seen && \
       ! db_fget shim/secureboot_key seen
    then
        echo 'no key given in non-interactive mode; doing nothing'
        exit 0
    fi
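Added example, not part of the thread and not the shim-signed script: a self-contained simulation of the failure mode discussed in the two messages above, showing the re-prompt loop with and without a non-interactive guard, and how a caller's `|| true` hides the non-zero exit that a plain call propagates. MODE, ANSWER, MAX_TRIES, SEEN and all function names are hypothetical stand-ins; no debconf or mokutil call is made.

```shell
#!/bin/sh
# Constructed simulation: nothing here calls debconf or mokutil.
MODE=${MODE:-noninteractive}     # hypothetical switch for the simulated frontend
ANSWER=${ANSWER:-}               # what a simulated user would type
MAX_TRIES=${MAX_TRIES:-1000}     # cap so the unguarded loop ends in this demo

# Stand-in for the prompt. Sets KEY and SEEN (whether a user saw the question).
ask_key() {
    if [ "$MODE" = "noninteractive" ]; then
        KEY=""; SEEN=false
    else
        KEY=$ANSWER; SEEN=true
    fi
}

# Length rule from the message quoted in the report: 8 to 16 characters.
valid_key() {
    [ "${#1}" -ge 8 ] && [ "${#1}" -le 16 ]
}

# Re-prompts on every invalid key. TRIES records how many prompts were issued.
# Returns 0 on a valid key, 2 when the demo cap is hit.
policy_unguarded() {
    TRIES=0
    while [ "$TRIES" -lt "$MAX_TRIES" ]; do
        TRIES=$((TRIES + 1))
        ask_key
        if valid_key "$KEY"; then return 0; fi
    done
    return 2
}

# Same loop with a guard: an empty key that nobody was shown means no one can
# answer, so stop with a non-zero status on the first pass.
policy_guarded() {
    TRIES=0
    while [ "$TRIES" -lt "$MAX_TRIES" ]; do
        TRIES=$((TRIES + 1))
        ask_key
        if [ -z "$KEY" ] && [ "$SEEN" = false ]; then
            echo 'no key given in non-interactive mode' >&2
            return 1
        fi
        if valid_key "$KEY"; then return 0; fi
    done
    return 2
}

# Two callers: one masks the failure with `|| true`, one lets it propagate.
caller_masked() { policy_guarded 2>/dev/null || true; }
caller_strict() { policy_guarded 2>/dev/null; }
```

In non-interactive mode the unguarded loop issues MAX_TRIES prompts before the demo cap stops it, while the guarded loop stops after one.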
[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
Both are 0 now.

After filing the bug report, I did a dist-upgrade and chose not to
disable secure boot when prompted (because it was already disabled or
else VirtualBox wouldn't be working).
[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
What is the content of the following files?
/proc/sys/kernel/secure_boot
/proc/sys/kernel/moksbstate_disabled

** Changed in: shim-signed (Ubuntu)
       Status: New => Incomplete
[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
** Changed in: unattended-upgrades (Ubuntu)
       Status: New => Invalid

** Changed in: shim-signed (Ubuntu)
     Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)

** Changed in: shim-signed (Ubuntu)
   Importance: Undecided => High
[Touch-packages] [Bug 1673817] Re: update-secure-boot-policy behaving badly with unattended-upgrades
** Attachment added: "unattended-upgrades-dpkg.log"
   https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1673817/+attachment/4839527/+files/unattended-upgrades-dpkg.log

** Attachment removed: "JournalErrors.txt"
   https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1673817/+attachment/4839525/+files/JournalErrors.txt

** Attachment removed: "BootEFIContents.txt"
   https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1673817/+attachment/4839522/+files/BootEFIContents.txt

** Attachment removed: "EFIBootMgr.txt"
   https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1673817/+attachment/4839524/+files/EFIBootMgr.txt

** Also affects: unattended-upgrades (Ubuntu)
   Importance: Undecided
       Status: New