This bug was fixed in the package shim-signed - 1.32~14.04.2
---------------
shim-signed (1.32~14.04.2) trusty; urgency=medium
* Backport shim-signed 1.32 to 14.04. (LP: #1700170)
shim-signed (1.32) artful; urgency=medium
* Handle cleanup of /var/lib/shim-signed on package purge.
shim-signed (1.31) artful; urgency=medium
* Fix regression in postinst when /var/lib/dkms does not exist.
(LP #1700195)
* Sort the list of dkms modules when recording.
shim-signed (1.30) artful; urgency=medium
* update-secureboot-policy: track the installed DKMS modules so we can skip
failing unattended upgrades if they hasn't changed (ie. if no new DKMS
modules have been installed, just honour the user's previous decision to
not disable shim validation). (LP: #1695578)
* update-secureboot-policy: allow re-enabling shim validation when no DKMS
packages are installed. (LP: #1673904)
* debian/source_shim-signed.py: add the textual representation of SecureBoot
and MokSBStateRT EFI variables rather than just adding the files directly;
also, make sure we include the relevant EFI bits from kernel log.
(LP: #1680279)
shim-signed (1.29) artful; urgency=medium
* Makefile: Generate BOOT$arch.CSV, for use with fallback.
* debian/rules: make sure we can do per-arch EFI files.
shim-signed (1.28) zesty; urgency=medium
* Adjust apport hook to include key files that tell us about the system's
current SB state. LP: #1680279.
shim-signed (1.27) zesty; urgency=medium
[ Steve Langasek ]
* Update to the signed 0.9+1474479173.6c180c6-1ubuntu1 binary from
Microsoft.
* update-secureboot-policy:
- detect when we have no debconf prompting and error out instead of ending
up in an infinite loop. LP: #1673817.
- refactor to make the code easier to follow.
- remove a confusing boolean that would always re-prompt on a request to
--enable, but not on a request to --disable.
[ Mathieu Trudel-Lapierre ]
* update-secureboot-policy:
- some more fixes to properly handle non-interactive mode. (LP: #1673817)
shim-signed (1.23) zesty; urgency=medium
* debian/control: bump the Depends on grub2-common since that's needed to
install with the new updated EFI binaries filenames.
shim-signed (1.22) yakkety; urgency=medium
* Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 binary from Microsoft.
* Update paths now that the shim binary has been renamed to include the
target architecture.
* debian/shim-signed.postinst: clean up old MokManager.efi from EFI/ubuntu;
since it's being replaced by mm$arch.efi.
shim-signed (1.21.3) vivid; urgency=medium
* No-change rebuild for shim 0.9+1465500757.14a5905.is.0.8-0ubuntu3.
shim-signed (1.21.2) vivid; urgency=medium
* Revert to signed shim from 0.8-0ubuntu2.
- shim.efi.signed originally built from shim 0.8-0ubuntu2 in wily.
shim-signed (1.20) yakkety; urgency=medium
* Update to the signed 0.9+1465500757.14a5905-0ubuntu1 binary from Microsoft.
(LP: #1581299)
-- Mathieu Trudel-Lapierre <cypher...@ubuntu.com> Mon, 10 Jul 2017
20:29:28 -0400
** Changed in: shim-signed (Ubuntu Trusty)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unattended-upgrades in
Ubuntu.
https://bugs.launchpad.net/bugs/1673817
Title:
update-secure-boot-policy behaving badly with unattended-upgrades
Status in shim-signed package in Ubuntu:
Fix Released
Status in unattended-upgrades package in Ubuntu:
Invalid
Status in shim-signed source package in Trusty:
Fix Released
Status in unattended-upgrades source package in Trusty:
Invalid
Status in shim-signed source package in Xenial:
Fix Released
Status in unattended-upgrades source package in Xenial:
Invalid
Status in shim-signed source package in Yakkety:
Fix Released
Status in unattended-upgrades source package in Yakkety:
Invalid
Bug description:
[Impact]
Any user with unattended upgrades enabled and DKMS packages in a Secure Boot
environment might be prompted to change Secure Boot policy, which will fail and
crash in unattended-upgrades.
[Test case]
= unattended upgrade =
1) Create /var/lib/dkms/TEST-DKMS
2) Install new package
3) Trigger unattended-upgrades: unattended-upgrades -d
Upgrade should run smoothly for all the processing but fail to
complete; shim-signed should end the unattended upgrade with a error
as unattended change of the Secure Boot policy can not be done.
Upgrade should not hang in high CPU usage.
= standard upgrade =
1) Create /var/lib/dkms/TEST-DKMS
2) install new package.
3) Verify that the upgrade completes normally.
[Regression Potential]
Any failure to prompt for or change Secure Boot policy in mokutil while in an
*attended* upgrade scenario would constitute a regression of this SRU.
Any other issues related to booting in Secure Boot mode should instead
be directed to bug 1637290 (shim update).
---
Currently, unattended-upgrades will automatically install all updates
for those running development releases of Ubuntu (LP: #1649709)
Today, my computer was acting very sluggish. Looking at my process
list, I saw/ usr/sbin/update-secureboot-policy was using a log of CPU.
I killed the process. I have a /var/crash/shim-signed.0.crash but
since it's 750 MB, I didn't bother submitting it or looking at it
more. Maybe it crashed because I killed the process. Also, I see that
unattended-upgrades-dpkg.log is 722 MB.
Today's update included both VirtualBox and the linux kernel.
I am attaching an excerpt of /var/log/unattended-upgrades/unattended-
upgrades-dpkg.log
This message was repeated a very large number of times (but I only
included it once in the attachment:
"Invalid password
The Secure Boot key you've entered is not valid. The password used must be
between 8 and 16 characters."
ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: shim-signed 1.23+0.9+1474479173.6c180c6-0ubuntu1
ProcVersionSignature: Ubuntu 4.10.0-11.13-generic 4.10.1
Uname: Linux 4.10.0-11-generic x86_64
NonfreeKernelModules: zfs zunicode zavl zcommon znvpair
ApportVersion: 2.20.4-0ubuntu2
Architecture: amd64
CurrentDesktop: GNOME
Date: Fri Mar 17 11:15:04 2017
EcryptfsInUse: Yes
InstallationDate: Installed on 2017-02-23 (21 days ago)
InstallationMedia: Ubuntu-GNOME 17.04 "Zesty Zapus" - Alpha amd64 (20170219)
SourcePackage: shim-signed
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1673817/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
