Bug#990966: grub-efi-arm64: breaks upgrades when the efivarfs is mounted read-only

Andres Salomon dilinger at queued.net
Sun Jul 11 21:19:19 BST 2021


Package: grub-efi-arm64
Version: 2.04-19
Severity: serious


I experienced the following on multiple ARM64 systems (both a Rock64
board and a Raspberry Pi 4b board) during an unattended-upgrades run:



Unattended upgrade result: All upgrades installed

Packages that attempted to upgrade:
 shim-helpers-arm64-signed shim-signed shim-signed-common shim-unsigned

Packages with upgradable origin but kept back:
 Debian testing:
  shim-signed shim-helpers-arm64-signed shim-signed-common

Package installation log:
Log started: 2021-07-10  06:16:45
Preparing to unpack .../shim-unsigned_15.4-6_arm64.deb ...
Unpacking shim-unsigned (15.4-6) over (15.4-5) ...
Setting up shim-unsigned (15.4-6) ...
Log ended: 2021-07-10  06:16:50

Log started: 2021-07-10  06:16:51
Preconfiguring packages ...
Preconfiguring packages ...
Preparing to unpack .../shim-signed-common_1.37+15.4-6_all.deb ...
Unpacking shim-signed-common (1.37+15.4-6) over (1.36+15.4-5) ...
Preparing to unpack .../shim-signed_1.37+15.4-6_arm64.deb ...
Unpacking shim-signed:arm64 (1.37+15.4-6) over (1.36+15.4-5) ...
Setting up shim-signed-common (1.37+15.4-6) ...
No DKMS packages installed: not changing Secure Boot validation state.
Setting up shim-signed:arm64 (1.37+15.4-6) ...
Installing for arm64-efi platform.
grub-install: warning: Cannot set EFI variable Boot0000.
grub-install: warning: efivarfs_set_variable: failed to create /sys/firmware/efi/efivars/Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c for writing: Read-only file system.
grub-install: warning: _efi_set_variable_mode: ops->set_variable() failed: Read-only file system.
grub-install: error: failed to register the EFI boot entry: Read-only file system.
dpkg: error processing package shim-signed:arm64 (--configure):
 installed shim-signed:arm64 package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 shim-signed:arm64
E:Sub-process /usr/bin/dpkg returned an error code (1)
Log ended: 2021-07-10  06:17:29

Unattended-upgrades log:
Checking if system is running on battery is skipped. Please install powermgmt-base package to check power status and skip installing updates when the system is running on battery.
Starting unattended upgrades script
Allowed origins are: origin=Debian,codename=bullseye,label=Debian, origin=Debian,codename=bullseye,label=Debian-Security, origin=Debian,codename=bullseye-security,label=Debian-Security
Initial blacklist: 
Initial whitelist (not strict): 
Packages that will be upgraded: shim-helpers-arm64-signed shim-signed shim-signed-common shim-unsigned
Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
Installing the upgrades failed!
error message: installArchives() failed
dpkg returned a error! See /var/log/unattended-upgrades/unattended-upgrades-dpkg.log for details
Package shim-helpers-arm64-signed is kept back because a related package is kept back or due to local apt_preferences(5).
Package shim-signed is kept back because a related package is kept back or due to local apt_preferences(5).
Package shim-signed-common is kept back because a related package is kept back or due to local apt_preferences(5).


Here's the relevant field in /proc/mounts:
efivarfs /sys/firmware/efi/efivars efivarfs ro,nosuid,nodev,noexec,relatime 0 0


I expect that the reason /sys/firmware/efi/efivars is mounted read-only is
due to bug reports such as the following:
https://github.com/systemd/systemd/issues/2402

It would be preferable for grub to either
a) continue the package postinstall despite efivars being read-only, or
b) remount efivars read-write, update efivars, and then remount ro.

grub-install is being called from shim-helpers-arm64-signed's
postinst. You could argue that shim-helpers-arm64-signed could
remount efivars read-write, but since I can actually trigger the
same error in grub-efi-arm64's postinst, it seems like this should be
fixed in grub:



dilinger@wifi2:~$ sudo dpkg-reconfigure grub-efi-arm64
[sudo] password for dilinger: 
Installing for arm64-efi platform.
grub-install: warning: Cannot set EFI variable Boot0000.
grub-install: warning: efivarfs_set_variable: failed to create /sys/firmware/efi/efivars/Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c for writing: Read-only file system.
grub-install: warning: _efi_set_variable_mode: ops->set_variable() failed: Read-only file system.
grub-install: error: failed to register the EFI boot entry: Read-only file system.
Failed: grub-install --target=arm64-efi  
WARNING: Bootloader is not properly installed, system may not be bootable
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.10.0-7-arm64
Found initrd image: /boot/initrd.img-5.10.0-7-arm64
done
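
Added example, not part of the original report and not code from grub or shim: a shell check that reads a mounts table in /proc/mounts format and reports whether efivarfs is read-only, plus a wrapper implementing option (b) from the report (remount read-write, run the command, remount read-only). The function names efivarfs_mode, with_efivars_rw and sample_mounts are hypothetical, and the sample input is constructed from the /proc/mounts line quoted above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not grub or shim code.

# efivarfs_mode [FILE]: print "ro", "rw" or "absent" for the efivarfs mount.
# FILE is in /proc/mounts format (device mountpoint fstype options dump pass)
# and defaults to /proc/mounts.
efivarfs_mode() {
    awk '
        $3 == "efivarfs" {
            n = split($4, opts, ",")
            mode = "rw"
            for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
            last = mode          # the last matching line is the active mount
        }
        END { print (last == "" ? "absent" : last) }
    ' "${1:-/proc/mounts}"
}

# with_efivars_rw CMD...: option (b) from the report. Remount read-write only
# if efivarfs is currently read-only, run CMD, then restore read-only.
# Needs root; returns the exit status of CMD.
with_efivars_rw() {
    mnt=/sys/firmware/efi/efivars
    if [ "$(efivarfs_mode)" != "ro" ]; then
        "$@"
        return
    fi
    mount -o remount,rw "$mnt" || return 1
    "$@"
    rc=$?
    mount -o remount,ro "$mnt" || echo "warning: $mnt left read-write" >&2
    return "$rc"
}

# Constructed sample input: the efivarfs line quoted in the report plus one
# unrelated mount.
sample_mounts() {
    printf '%s\n' \
        'sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0' \
        'efivarfs /sys/firmware/efi/efivars efivarfs ro,nosuid,nodev,noexec,relatime 0 0'
}
```

Running efivarfs_mode before an unattended upgrade shows in advance whether grub-install's boot entry registration will hit the read-only error shown above.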


