--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: grub-efi-arm64: breaks upgrades when the efivarfs is mounted read-only
- From: Andres Salomon <dilinger@queued.net>
- Date: Sun, 11 Jul 2021 16:19:19 -0400
- Message-id: <20210711161919.56044c89@e7470.queued.net>
Package: grub-efi-arm64
Version: 2.04-19
Severity: serious
I experienced the following on multiple ARM64 systems (both a Rock64
board and a Raspberry Pi 4b board) during an unattended-upgrades run:
Unattended upgrade result: All upgrades installed
Packages that attempted to upgrade:
shim-helpers-arm64-signed shim-signed shim-signed-common shim-unsigned
Packages with upgradable origin but kept back:
Debian testing:
shim-signed shim-helpers-arm64-signed shim-signed-common
Package installation log:
Log started: 2021-07-10 06:16:45
Preparing to unpack .../shim-unsigned_15.4-6_arm64.deb ...
Unpacking shim-unsigned (15.4-6) over (15.4-5) ...
Setting up shim-unsigned (15.4-6) ...
Log ended: 2021-07-10 06:16:50
Log started: 2021-07-10 06:16:51
Preconfiguring packages ...
Preconfiguring packages ...
Preparing to unpack .../shim-signed-common_1.37+15.4-6_all.deb ...
Unpacking shim-signed-common (1.37+15.4-6) over (1.36+15.4-5) ...
Preparing to unpack .../shim-signed_1.37+15.4-6_arm64.deb ...
Unpacking shim-signed:arm64 (1.37+15.4-6) over (1.36+15.4-5) ...
Setting up shim-signed-common (1.37+15.4-6) ...
No DKMS packages installed: not changing Secure Boot validation state.
Setting up shim-signed:arm64 (1.37+15.4-6) ...
Installing for arm64-efi platform.
grub-install: warning: Cannot set EFI variable Boot0000.
grub-install: warning: efivarfs_set_variable: failed to create /sys/firmware/efi/efivars/Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c for writing: Read-only file system.
grub-install: warning: _efi_set_variable_mode: ops->set_variable() failed: Read-only file system.
grub-install: error: failed to register the EFI boot entry: Read-only file system.
dpkg: error processing package shim-signed:arm64 (--configure):
installed shim-signed:arm64 package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
shim-signed:arm64
E:Sub-process /usr/bin/dpkg returned an error code (1)
Log ended: 2021-07-10 06:17:29
Unattended-upgrades log:
Checking if system is running on battery is skipped. Please install powermgmt-base package to check power status and skip installing updates when the system is running on battery.
Starting unattended upgrades script
Allowed origins are: origin=Debian,codename=bullseye,label=Debian, origin=Debian,codename=bullseye,label=Debian-Security, origin=Debian,codename=bullseye-security,label=Debian-Security
Initial blacklist:
Initial whitelist (not strict):
Packages that will be upgraded: shim-helpers-arm64-signed shim-signed shim-signed-common shim-unsigned
Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
Installing the upgrades failed!
error message: installArchives() failed
dpkg returned a error! See /var/log/unattended-upgrades/unattended-upgrades-dpkg.log for details
Package shim-helpers-arm64-signed is kept back because a related package is kept back or due to local apt_preferences(5).
Package shim-signed is kept back because a related package is kept back or due to local apt_preferences(5).
Package shim-signed-common is kept back because a related package is
kept back or due to local apt_preferences(5).
Here's the relevant field in /proc/mounts:
efivarfs /sys/firmware/efi/efivars efivarfs ro,nosuid,nodev,noexec,relatime 0 0
I expect that the reason /sys/firmware/efi/efivars is mounted read-only is
due to bug reports such as the following:
https://github.com/systemd/systemd/issues/2402
It would be preferable for grub to either
a) continue the package postinstall despite efivars being read-only, or
b) remount efivars read-write, update efivars, and then remount ro.
grub-install is being called from shim-helpers-arm64-signed's
postinst. You could argue that shim-helpers-arm64-signed could
remount efivars read-write, but since I can actually trigger the
same error in grub-efi-arm64's postinst, it seems like this should be
fixed in grub:
dilinger@wifi2:~$ sudo dpkg-reconfigure grub-efi-arm64
[sudo] password for dilinger:
Installing for arm64-efi platform.
grub-install: warning: Cannot set EFI variable Boot0000.
grub-install: warning: efivarfs_set_variable: failed to create /sys/firmware/efi/efivars/Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c for writing: Read-only file system.
grub-install: warning: _efi_set_variable_mode: ops->set_variable() failed: Read-only file system.
grub-install: error: failed to register the EFI boot entry: Read-only file system.
Failed: grub-install --target=arm64-efi
WARNING: Bootloader is not properly installed, system may not be bootable
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.10.0-7-arm64
Found initrd image: /boot/initrd.img-5.10.0-7-arm64
done
--- End Message ---
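Added example, not part of the original report or of the grub or shim-signed packages: a shell pre-flight check that reads a /proc/mounts-format file to see whether efivarfs is mounted read-only, plus a wrapper that implements option (a) from the report by turning a failed boot-entry update into a warning. The function names `efivarfs_mode`, `preflight` and `run_nonfatal` are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical and not taken from any
# Debian maintainer script.

# Print "rw", "ro" or "absent" for the efivarfs entry in a
# /proc/mounts-format file (default: /proc/mounts).
efivarfs_mode() {
    mounts_file="${1:-/proc/mounts}"
    # Fields per line: device mountpoint fstype options dump pass
    awk '$3 == "efivarfs" {
             n = split($4, opts, ",")
             mode = "rw"
             for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
             print mode; found = 1; exit
         }
         END { if (!found) print "absent" }' "$mounts_file"
}

# Describe the state before the installer is called, so the log says why
# a boot entry could not be registered.
preflight() {
    case "$(efivarfs_mode "$1")" in
        ro)     echo "efivarfs is read-only: EFI boot entries cannot be written" ;;
        rw)     echo "efivarfs is writable" ;;
        absent) echo "efivarfs is not mounted" ;;
    esac
}

# Option (a): run the given command, but report a failure as a warning and
# return success so the package configuration step is not aborted.
run_nonfatal() {
    if "$@"; then
        return 0
    fi
    echo "warning: '$*' failed; EFI boot entry was not updated" >&2
    return 0
}
```

In a maintainer script this would be used as `preflight; run_nonfatal grub-install --target=arm64-efi`, with the trade-off that the boot entry may be left stale.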
--- Begin Message ---
Source: shim-signed
Source-Version: 1.38
Done: Steve McIntyre <93sam@debian.org>
We believe that the bug you reported is fixed in the latest version of
shim-signed, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 990984@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steve McIntyre <93sam@debian.org> (supplier of updated shim-signed package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 12 Jul 2021 12:46:52 +0100
Source: shim-signed
Architecture: source
Version: 1.38
Distribution: unstable
Urgency: medium
Maintainer: Debian EFI Team <debian-efi@lists.debian.org>
Changed-By: Steve McIntyre <93sam@debian.org>
Closes: 990984
Changes:
shim-signed (1.38) unstable; urgency=medium
.
* Tweak how we call grub-install; don't abort on error. Not ideal
behaviour either, but don't break upgrades. Copy the behaviour
from the grub packages here. Closes: #990984
* Update build-dep on shim-unsigned to use 15.4-7
--- End Message ---