
Bug#990966: marked as done (grub-efi-arm64: breaks upgrades when the efivarfs is mounted read-only)



Your message dated Mon, 12 Jul 2021 09:35:32 +0000
with message-id <E1m2sLc-00096W-Nx@fasolo.debian.org>
and subject line Bug#990966: fixed in shim 15.4-7
has caused the Debian Bug report #990966,
regarding grub-efi-arm64: breaks upgrades when the efivarfs is mounted read-only
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
990966: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990966
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: grub-efi-arm64
Version: 2.04-19
Severity: serious


I experienced the following on multiple ARM64 systems (both a Rock64
board and a Raspberry Pi 4b board) during an unattended-upgrades run:



Unattended upgrade result: All upgrades installed

Packages that attempted to upgrade:
 shim-helpers-arm64-signed shim-signed shim-signed-common shim-unsigned

Packages with upgradable origin but kept back:
 Debian testing:
  shim-signed shim-helpers-arm64-signed shim-signed-common

Package installation log:
Log started: 2021-07-10  06:16:45
Preparing to unpack .../shim-unsigned_15.4-6_arm64.deb ...
Unpacking shim-unsigned (15.4-6) over (15.4-5) ...
Setting up shim-unsigned (15.4-6) ...
Log ended: 2021-07-10  06:16:50

Log started: 2021-07-10  06:16:51
Preconfiguring packages ...
Preconfiguring packages ...
Preparing to unpack .../shim-signed-common_1.37+15.4-6_all.deb ...
Unpacking shim-signed-common (1.37+15.4-6) over (1.36+15.4-5) ...
Preparing to unpack .../shim-signed_1.37+15.4-6_arm64.deb ...
Unpacking shim-signed:arm64 (1.37+15.4-6) over (1.36+15.4-5) ...
Setting up shim-signed-common (1.37+15.4-6) ...
No DKMS packages installed: not changing Secure Boot validation state.
Setting up shim-signed:arm64 (1.37+15.4-6) ...
Installing for arm64-efi platform.
grub-install: warning: Cannot set EFI variable Boot0000.
grub-install: warning: efivarfs_set_variable: failed to create /sys/firmware/efi/efivars/Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c for writing: Read-only file system.
grub-install: warning: _efi_set_variable_mode: ops->set_variable() failed: Read-only file system.
grub-install: error: failed to register the EFI boot entry: Read-only file system.
dpkg: error processing package shim-signed:arm64 (--configure):
 installed shim-signed:arm64 package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 shim-signed:arm64
E:Sub-process /usr/bin/dpkg returned an error code (1)
Log ended: 2021-07-10  06:17:29

Unattended-upgrades log:
Checking if system is running on battery is skipped. Please install powermgmt-base package to check power status and skip installing updates when the system is running on battery.
Starting unattended upgrades script
Allowed origins are: origin=Debian,codename=bullseye,label=Debian, origin=Debian,codename=bullseye,label=Debian-Security, origin=Debian,codename=bullseye-security,label=Debian-Security
Initial blacklist: 
Initial whitelist (not strict): 
Packages that will be upgraded: shim-helpers-arm64-signed shim-signed shim-signed-common shim-unsigned
Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
Installing the upgrades failed!
error message: installArchives() failed
dpkg returned a error! See /var/log/unattended-upgrades/unattended-upgrades-dpkg.log for details
Package shim-helpers-arm64-signed is kept back because a related package is kept back or due to local apt_preferences(5).
Package shim-signed is kept back because a related package is kept back or due to local apt_preferences(5).
Package shim-signed-common is kept back because a related package is
kept back or due to local apt_preferences(5).


Here's the relevant field in /proc/mounts:
efivarfs /sys/firmware/efi/efivars efivarfs ro,nosuid,nodev,noexec,relatime 0 0


I expect that the reason /sys/firmware/efi/efivars is mounted read-only is
due to bug reports such as the following:
https://github.com/systemd/systemd/issues/2402

It would be preferable for grub to either
a) continue the package postinstall despite efivars being read-only, or
b) remount efivars read-write, update efivars, and then remount ro.

grub-install is being called from shim-helpers-arm64-signed's
postinst. You could argue that shim-helpers-arm64-signed could
remount efivars read-write, but since I can actually trigger the
same error in grub-efi-arm64's postinst, it seems like this should be
fixed in grub:



dilinger@wifi2:~$ sudo dpkg-reconfigure grub-efi-arm64
[sudo] password for dilinger: 
Installing for arm64-efi platform.
grub-install: warning: Cannot set EFI variable Boot0000.
grub-install: warning: efivarfs_set_variable: failed to create /sys/firmware/efi/efivars/Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c for writing: Read-only file system.
grub-install: warning: _efi_set_variable_mode: ops->set_variable() failed: Read-only file system.
grub-install: error: failed to register the EFI boot entry: Read-only file system.
Failed: grub-install --target=arm64-efi  
WARNING: Bootloader is not properly installed, system may not be bootable
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.10.0-7-arm64
Found initrd image: /boot/initrd.img-5.10.0-7-arm64
done

--- End Message ---
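
Added example, not part of the original report or of the Debian packages: a pre-upgrade check for the condition described in the message above. It reads a mounts table in /proc/mounts format, reports whether efivarfs at /sys/firmware/efi/efivars is read-only, and looks for the grub-install failure line in a dpkg log. The function names and the sample mounts table are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Print "ro", "rw" or "absent" for efivarfs at /sys/firmware/efi/efivars,
# given a mounts table (format of /proc/mounts) on stdin.
efivarfs_state() {
    state=absent
    # Fields: device mountpoint fstype options dump pass
    while read -r _dev mnt fstype opts _rest; do
        [ "$fstype" = efivarfs ] || continue
        [ "$mnt" = /sys/firmware/efi/efivars ] || continue
        # Match "ro" as a whole option, not inside e.g. errors=remount-ro.
        # The last entry wins: an over-mount hides earlier ones.
        case ",$opts," in
            *,ro,*) state=ro ;;
            *)      state=rw ;;
        esac
    done
    echo "$state"
}

# Exit status 1 when boot-entry updates would hit a read-only efivarfs.
precheck() {
    case "$(efivarfs_state)" in
        ro) echo "efivarfs is read-only: grub-install cannot write Boot#### variables"
            return 1 ;;
        rw) echo "efivarfs is writable" ;;
        *)  echo "efivarfs is not mounted at /sys/firmware/efi/efivars" ;;
    esac
}

# Succeeds if a dpkg log on stdin contains the failure line from the report.
log_shows_ro_failure() {
    grep -q 'grub-install: error: failed to register the EFI boot entry: Read-only file system'
}

# Constructed sample: the efivarfs line from the report, plus a root
# filesystem whose options contain "ro" only as part of another option.
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mmcblk0p2 / ext4 rw,relatime,errors=remount-ro 0 0
efivarfs /sys/firmware/efi/efivars efivarfs ro,nosuid,nodev,noexec,relatime 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | precheck || true
```

On a live system, run `precheck < /proc/mounts` before an upgrade and `log_shows_ro_failure < /var/log/unattended-upgrades/unattended-upgrades-dpkg.log` after one.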
--- Begin Message ---
Source: shim
Source-Version: 15.4-7
Done: Steve McIntyre <93sam@debian.org>

We believe that the bug you reported is fixed in the latest version of
shim, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990966@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve McIntyre <93sam@debian.org> (supplier of updated shim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 12 Jul 2021 08:53:54 +0100
Source: shim
Architecture: source
Version: 15.4-7
Distribution: unstable
Urgency: high
Maintainer: Debian EFI team <debian-efi@lists.debian.org>
Changed-By: Steve McIntyre <93sam@debian.org>
Closes: 990966
Changes:
 shim (15.4-7) unstable; urgency=high
 .
   * Tweak how we call grub-install; don't abort on error. Not ideal
     behaviour either, but don't break upgrades. Copy the behaviour
     from the grub packages here. Closes: #990966

--- End Message ---
