[Bug 1814575] Re: Updates failing because "db is empty"
This bug was fixed in the package grub2 - 2.02+dfsg1-5ubuntu8.2 --- grub2 (2.02+dfsg1-5ubuntu8.2) cosmic; urgency=medium [ Mathieu Trudel-Lapierre ] * debian/grub-check-signatures: properly account for DB showing as empty on some broken firmwares: Guard against mokutil --export --db failing, and do a better job at finding the DER certs for conversion to PEM format. (LP: #1814575) [ Steve Langasek ] * debian/patches/quick-boot-lvm.patch: checking the return value of 'lsefi' when the command doesn't exist does not do what's expected, so instead check the value of $grub_platform which is simpler anyway. LP: #1814403. -- Mathieu Trudel-Lapierre Tue, 05 Feb 2019 11:05:56 -0500 ** Changed in: grub2 (Ubuntu Cosmic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1814575 Title: Updates failing because "db is empty" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1814575/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1814575] Re: Updates failing because "db is empty"
Verification-done on cosmic with grub2/2.02+dfsg1-5ubuntu8.2, grub2-signed/1.110.2: Upgrading grub in the presence of an unsigned kernel (copied existing vmlinuz and ran 'sbattach --remove') leads to a failing upgrade, as expected. Despite 'mokutil --export --db' returning an error "db is empty", if all kernels present are correctly signed the upgrade completes without issues. ** Tags removed: verification-needed verification-needed-cosmic ** Tags added: verification-done-cosmic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1814575 Title: Updates failing because "db is empty" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1814575/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1814575] Re: Updates failing because "db is empty"
This bug was fixed in the package grub2 - 2.02-2ubuntu8.12 --- grub2 (2.02-2ubuntu8.12) bionic; urgency=medium * debian/grub-check-signatures: make sure grub-check-signatures conserves its execute bit. grub2 (2.02-2ubuntu8.11) bionic; urgency=medium [ Mathieu Trudel-Lapierre ] * debian/grub-check-signatures: properly account for DB showing as empty on some broken firmwares: Guard against mokutil --export --db failing, and do a better job at finding the DER certs for conversion to PEM format. (LP: #1814575) * debian/patches/linuxefi_disable_sb_fallback.patch: Disallow unsigned kernels if UEFI Secure Boot is enabled. If UEFI Secure Boot is enabled and kernel signature verification fails, do not boot the kernel. Patch from Linn Crosetto. (LP: #1401532) [ Steve Langasek ] * debian/patches/quick-boot-lvm.patch: checking the return value of 'lsefi' when the command doesn't exist does not do what's expected, so instead check the value of $grub_platform which is simpler anyway. LP: #1814403. -- Mathieu Trudel-Lapierre Thu, 07 Feb 2019 18:20:04 -0500 ** Changed in: grub2 (Ubuntu Bionic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1814575 Title: Updates failing because "db is empty" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1814575/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1814575] Re: Updates failing because "db is empty"
This bug was fixed in the package grub2-signed - 1.93.13 --- grub2-signed (1.93.13) bionic; urgency=medium * Rebuild against grub2 2.02-2ubuntu8.12. grub2-signed (1.93.12) bionic; urgency=medium * Rebuild against grub2 2.02-2ubuntu8.11. (LP: #1401532) (LP: #1814403) (LP: #1814575) -- Mathieu Trudel-Lapierre Thu, 07 Feb 2019 19:28:09 -0500 ** Changed in: grub2-signed (Ubuntu Bionic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1814575 Title: Updates failing because "db is empty" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1814575/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1814575] Re: Updates failing because "db is empty"
Verification-done for bionic using grub2/2.02-2ubuntu8.12, grub2-signed/1.93.13: I have checked that running upgrade in the presence of an unsigned kernel leads to a failing upgrade, and if no unsigned/incorrectly signed kernel is present the upgrade will work fine. Similarly, running /usr/share/grub/grub-check-signatures behaves as expected, warning if the presence of an unsigned kernel is found. System appears to behave correctly despite "db is empty" error when running mokutil --db separately. ** Tags removed: verification-needed-bionic ** Tags added: verification-done-bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1814575 Title: Updates failing because "db is empty" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1814575/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1814575] Re: Updates failing because "db is empty"
Hello Mathieu, or anyone else affected, Accepted grub2-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.93.12 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: grub2-signed (Ubuntu Bionic) Status: New => Fix Committed ** Changed in: grub2-signed (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1814575 Title: Updates failing because "db is empty" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1814575/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1814575] Re: Updates failing because "db is empty"
Hello Mathieu, or anyone else affected, Accepted grub2 into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02-2ubuntu8.11 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: grub2 (Ubuntu Bionic) Status: New => Fix Committed ** Tags added: verification-needed-bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1814575 Title: Updates failing because "db is empty" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1814575/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1814575] Re: Updates failing because "db is empty"
** Also affects: grub2-signed (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1814575 Title: Updates failing because "db is empty" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1814575/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1814575] Re: Updates failing because "db is empty"
Hello Mathieu, or anyone else affected, Accepted grub2 into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02+dfsg1-5ubuntu8.2 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: grub2 (Ubuntu Cosmic) Status: New => Fix Committed ** Tags added: verification-needed verification-needed-cosmic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1814575 Title: Updates failing because "db is empty" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1814575/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1814575] Re: Updates failing because "db is empty"
** Description changed:
+ [SRU Justification]
+ There is a behavior regression on some EFI systems with specific firmwares
(right now, Lenovo, X230 and newer are known to be affected), where mokutil
--export --db returns "db is empty" and can lead to no .der certificates being
exported at all. Further steps in grub-check-signatures would thus error out.
+
+ [Test case]
+ Run at least once on a Lenovo T450 (cyphermox).
+
+ 1. Install a system using UEFI mode.
+ 2. Reboot
+ 3. Fully upgrade system.
+ 4. Run 'sudo /usr/share/grub-check-signatures'; verify that it fails (openssl
errors and "db is empty").
+ 5. Install grub* from -proposed.
+ 6. Verify that the upgrade completes successfully.
+
+ [Regression potential]
+ The test case is sufficient to verify all possible paths work correctly after
the SRU, provided it is run on both non-affected systems and affected systems.
+
Fix this:
On some Thinkpads (up to now, no other manufacturers appear to show
this), db can be reported to be empty even though it's not. It seems to
be a firmware issue, but it's one we can work around.
So, fix this type of failure:
Setting up grub-efi-amd64-signed (1.112+2.02+dfsg1-5ubuntu10) ...
db is empty
Can't open *.der for reading, No such file or directory
140033418155072:error:02001002:system library:fopen:No such file or
directory:../crypto/bio/bss_file.c:72:fopen('*.der','rb')
140033418155072:error:2006D080:BIO routines:BIO_new_file:no such
file:../crypto/bio/bss_file.c:79:
unable to load certificate
dpkg: error processing package grub-efi-amd64-signed (--configure):
- installed grub-efi-amd64-signed package post-installation script subprocess
returned error exit status 1
+ installed grub-efi-amd64-signed package post-installation script subprocess
returned error exit status 1
dpkg: dependency problems prevent processing triggers for shim-signed:
- shim-signed depends on grub-efi-amd64-signed | grub-efi-arm64-signed;
however:
- Package grub-efi-amd64-signed is not configured yet.
- Package grub-efi-arm64-signed is not installed.
+ shim-signed depends on grub-efi-amd64-signed | grub-efi-arm64-signed;
however:
+ Package grub-efi-amd64-signed is not configured yet.
+ Package grub-efi-arm64-signed is not installed.
dpkg: error processing package shim-signed (--configure):
- dependency problems - leaving triggers unprocessed
+ dependency problems - leaving triggers unprocessed
Errors were encountered while processing:
- grub-efi-amd64-signed
- shim-signed
+ grub-efi-amd64-signed
+ shim-signed
E: Sub-process /usr/bin/dpkg returned an error code (1)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1814575
Title:
Updates failing because "db is empty"
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1814575/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1814575] Re: Updates failing because "db is empty"
This bug was fixed in the package grub2 - 2.02+dfsg1-5ubuntu11 --- grub2 (2.02+dfsg1-5ubuntu11) disco; urgency=medium [ Mathieu Trudel-Lapierre ] * debian/grub-check-signatures: properly account for DB showing as empty on some broken firmwares: Guard against mokutil --export --db failing, and do a better job at finding the DER certs for conversion to PEM format. (LP: #1814575) [ Steve Langasek ] * debian/patches/quick-boot-lvm.patch: checking the return value of 'lsefi' when the command doesn't exist does not do what's expected, so instead check the value of $grub_platform which is simpler anyway. LP: #1814403. -- Mathieu Trudel-Lapierre Mon, 04 Feb 2019 17:51:15 -0500 ** Changed in: grub2 (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1814575 Title: Updates failing because "db is empty" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1814575/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1814575] Re: Updates failing because "db is empty"
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: grub2 (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1814575 Title: Updates failing because "db is empty" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1814575/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
