** Description changed:
+ [SRU Justification]
+ There is a behavior regression on some EFI systems with specific firmwares
(right now, Lenovo, X230 and newer are known to be affected), where mokutil
--export --db returns "db is empty" and can lead to no .der certificates being
exported at all. Further steps in grub-check-signatures would thus error out.
+
+ [Test case]
+ Run at least once on a Lenovo T450 (cyphermox).
+
+ 1. Install a system using UEFI mode.
+ 2. Reboot
+ 3. Fully upgrade system.
+ 4. Run 'sudo /usr/share/grub-check-signatures'; verify that it fails (openssl
errors and "db is empty").
+ 5. Install grub* from -proposed.
+ 6. Verify that the upgrade completes successfully.
+
+ [Regression potential]
+ The test case is sufficient to verify all possible paths work correctly after
the SRU, provided it is run on both non-affected systems and affected systems.
+
Fix this:
On some Thinkpads (up to now, no other manufacturers appear to show
this), db can be reported to be empty even though it's not. It seems to
be a firmware issue, but it's one we can work around.
So, fix this type of failure:
Setting up grub-efi-amd64-signed (1.112+2.02+dfsg1-5ubuntu10) ...
db is empty
Can't open *.der for reading, No such file or directory
140033418155072:error:02001002:system library:fopen:No such file or
directory:../crypto/bio/bss_file.c:72:fopen('*.der','rb')
140033418155072:error:2006D080:BIO routines:BIO_new_file:no such
file:../crypto/bio/bss_file.c:79:
unable to load certificate
dpkg: error processing package grub-efi-amd64-signed (--configure):
- installed grub-efi-amd64-signed package post-installation script subprocess
returned error exit status 1
+ installed grub-efi-amd64-signed package post-installation script subprocess
returned error exit status 1
dpkg: dependency problems prevent processing triggers for shim-signed:
- shim-signed depends on grub-efi-amd64-signed | grub-efi-arm64-signed;
however:
- Package grub-efi-amd64-signed is not configured yet.
- Package grub-efi-arm64-signed is not installed.
+ shim-signed depends on grub-efi-amd64-signed | grub-efi-arm64-signed;
however:
+ Package grub-efi-amd64-signed is not configured yet.
+ Package grub-efi-arm64-signed is not installed.
dpkg: error processing package shim-signed (--configure):
- dependency problems - leaving triggers unprocessed
+ dependency problems - leaving triggers unprocessed
Errors were encountered while processing:
- grub-efi-amd64-signed
- shim-signed
+ grub-efi-amd64-signed
+ shim-signed
E: Sub-process /usr/bin/dpkg returned an error code (1)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1814575
Title:
Updates failing because "db is empty"
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1814575/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
