Bug#990867: shim-helpers-arm64-signed: post-install script fails with 'error exit status 1'
Control: reassign -1 grub-efi-arm64
(ish)
Hi Diederik,
On Sat, Jul 10, 2021 at 01:48:53AM +0200, Diederik de Haas wrote:
>Package: shim-helpers-arm64-signed
>Version: 1+15.4+6
>Severity: important
>
>Running 'aptitude safe-upgrade' on my Bullseye/Sid/Experimental system
>fails:
>
>Unpacking shim-unsigned (15.4-6) over (15.4-5) ...
>Preparing to unpack .../3-shim-helpers-arm64-signed_1+15.4+6_arm64.deb ...
>Unpacking shim-helpers-arm64-signed (1+15.4+6) over (1+15.4+5) ...
>Preparing to unpack .../4-shim-signed-common_1.37+15.4-6_all.deb ...
>Unpacking shim-signed-common (1.37+15.4-6) over (1.36+15.4-5) ...
>Preparing to unpack .../5-shim-signed_1.37+15.4-6_arm64.deb ...
>Unpacking shim-signed:arm64 (1.37+15.4-6) over (1.36+15.4-5) ...
>Setting up libuv1:arm64 (1.40.0-2) ...
>Setting up shim-signed-common (1.37+15.4-6) ...
>No DKMS packages installed: not changing Secure Boot validation state.
>Setting up udev (249-1) ...
>Setting up python3-urllib3 (1.26.5-1~exp1) ...
>Setting up shim-unsigned (15.4-6) ...
>Setting up shim-helpers-arm64-signed (1+15.4+6) ...
>Installing for arm64-efi platform.
>grub-install: warning: Cannot set EFI variable Boot0000.
>grub-install: warning: efivarfs_set_variable: failed to open /sys/firmware/efi/efivars/Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c for writing: Read-only file system.
>grub-install: warning: _efi_set_variable_mode: ops->set_variable() failed: Read-only file system.
>grub-install: error: failed to register the EFI boot entry: Read-only file system.
>dpkg: error processing package shim-helpers-arm64-signed (--configure):
> installed shim-helpers-arm64-signed package post-installation script subprocess returned error exit status 1
>dpkg: dependency problems prevent configuration of shim-signed:arm64:
> shim-signed:arm64 depends on shim-helpers-arm64-signed (>= 1+15.4+2); however:
> Package shim-helpers-arm64-signed is not configured yet.
Right,
The maintainer scripts for the shim-signed packages now explicitly
calls grub-install to make sure that shim is added/removed from the
boot chain as appropriate. The errors you're seeing are from
grub-install, and that's where the problem is showing up.
AFAICS grub-install is failing to update due to the *real* underlying
problem, which is that your platform is running firmware which
implements UEFI but that UEFI support isn't working for writing UEFI
boot variables. You're using U-Boot, I assume?
So, here's a few thoughts:
1. To stop your machine failing here, do a "dpkg-reconfigure
grub-efi-arm64" and say "yes" to the removable media path question
and "no" to the "update boot variables" question. That should
solve the immediate problem for you - please shout if it doesn't!
Fixing this in the *general* case is hard. We could add code to
fall back to *not* updating UEFI boot variables if that fails, but
that's likely going to be error-prone and cause trouble on
machines where that *should* work but it fails on a temporary
basis. Instead, I suspect we may need to replicate similar
functionality to flash-kernel and have a list of "quirky" machines
where we *don't* expect UEFI boot variables to work. That's messy as
all hell, but I'm not sure of a better option. :-/
2. To the best of my knowledge, none of the current U-Boot releases
support Secure Boot so you may as well remove the shim-signed
package anyway. It's normally harmless to include it (so we pull
it in via recommends), but on your system it's not going to do
anything for you so you may as well remove it.
OK?
--
Steve McIntyre, Cambridge, UK. steve@einval.com
"... the premise [is] that privacy is about hiding a wrong. It's not.
Privacy is an inherent human right, and a requirement for maintaining
the human condition with dignity and respect."
-- Bruce Schneier
Reply to: