Bug#990867: shim-helpers-arm64-signed: post-install script fails with 'error exit status 1'

Diederik de Haas didi.debian at cknow.org
Tue Jul 26 23:12:41 BST 2022 

On Sunday, 11 July 2021 17:42:27 CEST Steve McIntyre wrote:
> >If an error is detected, a message like "Look at this wiki page <URL> for
> >possible solutions", with the solution you just provided me (among others),
> >would be really helpful.
> >I've made/attached screenshots which could be used for that.
> 
> I'm adding an extra section to https://wiki.debian.org/UEFI right now,
> at least.

I just ran into this issue again and your solution worked again :-)
But I ran a search in my mail folder(s) to find it again, so a pointer to
that wiki page would still be useful I'd guess.

I didn't get the error message I initially got (not a post-install script 
failure), but I can understand if people get scared when seeing:
"system may not be bootable"

I've learned to ignore that warning, which may not be the response
we'd want to teach our users ;-)
I _think_ that even without the "dpkg-reconfigure" call the system would
still boot, but I didn't verify it (at least this time).

Here's the output I got this time, again on a Rock64 device, but another
one with a recent fresh system install:

root at cs21:~# aptitude safe-upgrade
Resolving dependencies...                
The following NEW packages will be installed:
  linux-image-5.18.0-3-arm64{a} 
The following packages will be upgraded:
  ... shim-helpers-arm64-signed ...
Preparing to unpack .../22-shim-helpers-arm64-signed_1+15.6+1_arm64.deb ...
Unpacking shim-helpers-arm64-signed (1+15.6+1) over (1+15.4+7) ...
Setting up libdouble-conversion3:arm64 (3.2.0-1) ...
Setting up libapparmor1:arm64 (3.0.5-1) ...
Setting up libnewt0.52:arm64 (0.52.21-5+b2) ...
Setting up apt-utils (2.5.2) ...
Setting up shim-helpers-arm64-signed (1+15.6+1) ...
Installing for arm64-efi platform.
grub-install: warning: Cannot set EFI variable Boot0000.
grub-install: warning: efivarfs_set_variable: failed to create /sys/firmware/efi/efivars/Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c for writing: Read-only file system.
grub-install: warning: _efi_set_variable_mode: ops->set_variable() failed: Read-only file system.
grub-install: error: failed to register the EFI boot entry: Read-only file system.
Failed: grub-install --target=arm64-efi
WARNING: Bootloader is not properly installed, system may not be bootable
...
Setting up linux-image-5.18.0-3-arm64 (5.18.14-1) ...
I: /vmlinuz.old is now a symlink to boot/vmlinuz-5.18.0-2-arm64
I: /initrd.img.old is now a symlink to boot/initrd.img-5.18.0-2-arm64
I: /vmlinuz is now a symlink to boot/vmlinuz-5.18.0-3-arm64
I: /initrd.img is now a symlink to boot/initrd.img-5.18.0-3-arm64
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-5.18.0-3-arm64
W: Possible missing firmware /lib/firmware/rockchip/dptx.bin for module rockchipdrm
I: The initramfs will attempt to resume from /dev/sda2
I: (UUID=f9b86b70-965a-4079-948c-02dd4d016680)
I: Set the RESUME variable to override this.
/etc/kernel/postinst.d/zz-update-grub:
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.18.0-3-arm64
Found initrd image: /boot/initrd.img-5.18.0-3-arm64
Found linux image: /boot/vmlinuz-5.18.0-2-arm64
Found initrd image: /boot/initrd.img-5.18.0-2-arm64
Found linux image: /boot/vmlinuz-5.18.0-1-arm64
Found initrd image: /boot/initrd.img-5.18.0-1-arm64
Warning: os-prober will not be executed to detect other bootable partitions.
Systems on them will not be added to the GRUB boot configuration.
Check GRUB_DISABLE_OS_PROBER documentation entry.
Adding boot menu entry for UEFI Firmware Settings ...
done

root at cs21:~# dpkg-reconfigure grub-efi-arm64
Installing for arm64-efi platform.
Installation finished. No error reported.
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.18.0-3-arm64
Found initrd image: /boot/initrd.img-5.18.0-3-arm64
Found linux image: /boot/vmlinuz-5.18.0-2-arm64
Found initrd image: /boot/initrd.img-5.18.0-2-arm64
Found linux image: /boot/vmlinuz-5.18.0-1-arm64
Found initrd image: /boot/initrd.img-5.18.0-1-arm64
Warning: os-prober will not be executed to detect other bootable partitions.
Systems on them will not be added to the GRUB boot configuration.
Check GRUB_DISABLE_OS_PROBER documentation entry.
Adding boot menu entry for UEFI Firmware Settings ...
done



On Monday, 12 July 2021 04:32:41 CEST Andres Salomon wrote:
> Should this just do a quick test in the postinst to test that efivarfs
> is mounted r/w?  Something quick like:
> 
>             db_get grub2/update_nvram || RET=true
>             if [ "$RET" = false ]; then
>                 OPTIONS="$OPTIONS --no-nvram"
>             elif [ ! -w /sys/firmware/efi/efivars/ ]; then

root at cs21:~# ls -lh /sys/firmware/efi/
total 0
drwxr-xr-x 2 root root    0 Jun 27 22:16 efivars
-r--r--r-- 1 root root 4.0K Jul 26 23:32 fw_platform_size
drwxr-xr-x 2 root root    0 Jul 26 23:32 mok-variables
-r-------- 1 root root 4.0K Jul 26 23:32 systab
root at cs21:~# ls -lh /sys/firmware/efi/efivars/
total 0
-rw-r--r-- 1 root root  5 Jun 27 22:16 AuditMode-8be4df61-93ca-11d2-aa0d-00e098032b8c
-rw-r--r-- 1 root root  5 Jun 27 22:16 DeployedMode-8be4df61-93ca-11d2-aa0d-00e098032b8c
-rw-r--r-- 1 root root 12 Jun 27 22:16 OsIndicationsSupported-8be4df61-93ca-11d2-aa0d-00e098032b8c
-rw-r--r-- 1 root root 10 Jun 27 22:16 PlatformLang-8be4df61-93ca-11d2-aa0d-00e098032b8c
-rw-r--r-- 1 root root 10 Jun 27 22:16 PlatformLangCodes-8be4df61-93ca-11d2-aa0d-00e098032b8c
-rw-r--r-- 1 root root  5 Jun 27 22:16 SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
-rw-r--r-- 1 root root  5 Jun 27 22:16 SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c
-rw-r--r-- 1 root root  5 Jun 27 22:16 VendorKeys-8be4df61-93ca-11d2-aa0d-00e098032b8c

root at cs21:~# if [ -w /sys/firmware/efi/efivars/ ]; then 
echo "efivars is writable"; 
else 
echo "efivars is NOT writable"; 
fi
efivars is NOT writable

This surprises me as the efivars dir seems writable by root?

In my initial report I had a "Boot0000-8be4df61-93ca-11d2-aa0d-00e098032b8c"
file (and other BootXYZ-UUID files), which I don't have now.
Interesting that the UUID 'suffix' *is* the same as I had in my initial report.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part.
URL: <http://alioth-lists.debian.net/pipermail/pkg-grub-devel/attachments/20220727/152f7bba/attachment.sig>

More information about the Pkg-grub-devel mailing list