Bug#990867: shim-helpers-arm64-signed: post-install script fails with 'error exit status 1'

Andres Salomon dilinger at queued.net
Mon Jul 12 03:32:41 BST 2021


On Sun, 11 Jul 2021 01:31:19 +0100 Steve McIntyre <steve at einval.com>
wrote:
> On Sat, Jul 10, 2021 at 01:48:53AM +0200, Diederik de Haas wrote:
[...]
>  1. To stop your machine failing here, do a "dpkg-reconfigure
>     grub-efi-arm64" and say "yes" to the removable media path question
>     and "no" to the "update boot variables" question. That should
>     solve the immediate problem for you - please shout if it doesn't!
> 
>     Fixing this in the *general* case is hard. We could add code to
>     fall back to *not* updating UEFI boot variables if that fails, but
>     that's likely going to be error-prone and cause trouble on
>     machines where that *should* work but it fails on a temporary
>     basis. Instead, I suspect we may need to replicate similar
>     functionality to flash-kernel and have a list of "quirky" machines
>     where we *don't* expect UEFI boot variables to work. That's messy
>     as all hell, but I'm not sure of a better option. :-/

Should this just do a quick test in the postinst to test that efivarfs
is mounted r/w?  Something quick like:

            db_get grub2/update_nvram || RET=true
            if [ "$RET" = false ]; then
                OPTIONS="$OPTIONS --no-nvram"
            elif [ ! -w /sys/firmware/efi/efivars/ ]; then
                echo "WARNING: can't write to /sys/firmware/efi/efivars/, your system may not be bootable" >&2 
                OPTIONS="$OPTIONS --no-nvram"
            fi

Perhaps a more informative error message, though...


Also, grub-efi-arm64's postinst runs grub-install the following way, and
I feel like the shim stuff could do the same?

run_grub_install()
{
    if ! grub-install $@ ; then
        echo "Failed: grub-install $@" >&2
        echo "WARNING: Bootloader is not properly installed, system may not be bootable" >&2
    fi
}



> 
>  2. To the best of my knowledge, none of the current U-Boot releases
>     support Secure Boot so you may as well remove the shim-signed
>     package anyway. It's normally harmless to include it (so we pull
>     it in via recommends), but on your system it's not going to do
>     anything for you so you may as well remove it.


Worth pointing out that it can't be removed unless one does the
dpkg-reconfigure trick above!  :)

The following packages will be REMOVED:
  mokutil* shim-helpers-arm64-signed* shim-signed* shim-signed-common* shim-unsigned*
0 upgraded, 0 newly installed, 5 to remove and 0 not upgraded.
2 not fully installed or removed.
After this operation, 3,674 kB disk space will be freed.
Do you want to continue? [Y/n] 
(Reading database ... 23499 files and directories currently installed.)
Removing shim-signed:arm64 (1.37+15.4-6) ...
Installing for arm64-efi platform.
grub-install: warning: Cannot set EFI variable Boot0000.
grub-install: warning: efivarfs_set_variable: failed to create /sys/firmware/efi/efivars/Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c for writing: Read-only file system.
grub-install: warning: _efi_set_variable_mode: ops->set_variable() failed: Read-only file system.
grub-install: error: failed to register the EFI boot entry: Read-only file system.
dpkg: error processing package shim-signed:arm64 (--remove):
 installed shim-signed:arm64 package post-removal script subprocess
 returned error exit status 1
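
Added example (not part of the original message, and not code from the grub2 or shim packaging): a variant of the check proposed above that reads the efivarfs mount options in /proc/mounts format instead of relying on `[ -w ]`, so a read-only mount and a missing mount are reported separately. The function names `efivarfs_state` and `nvram_option` and the sample mount line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decide whether grub-install should get --no-nvram.
# Hypothetical helper names; not taken from any Debian maintainer script.

EFIVARS_DIR=/sys/firmware/efi/efivars

# Read /proc/mounts-format lines on stdin and print "rw", "ro" or "absent"
# for efivarfs. The last matching line wins, since it is the topmost mount.
efivarfs_state()
{
    state=absent
    while read -r _dev mnt fstype opts _rest; do
        [ "$mnt" = "$EFIVARS_DIR" ] && [ "$fstype" = efivarfs ] || continue
        case ",$opts," in
            *,rw,*) state=rw ;;
            *)      state=ro ;;
        esac
    done
    echo "$state"
}

# $1: debconf answer for grub2/update_nvram ("true" or "false")
# $2: output of efivarfs_state
# Prints the extra grub-install option, or nothing if NVRAM can be updated.
nvram_option()
{
    if [ "$1" = false ]; then
        echo "--no-nvram"
    elif [ "$2" != rw ]; then
        echo "WARNING: efivarfs is $2, not updating UEFI boot variables" >&2
        echo "--no-nvram"
    fi
}

# In a maintainer script the input would be: efivarfs_state < /proc/self/mounts
# Constructed sample line matching the read-only case in the log above.
SAMPLE='efivarfs /sys/firmware/efi/efivars efivarfs ro,nosuid,nodev,noexec,relatime 0 0'
printf 'sample: state=%s option=%s\n' \
    "$(printf '%s\n' "$SAMPLE" | efivarfs_state)" \
    "$(nvram_option true ro 2>/dev/null)"
```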


