A few weeks ago, I performed a regular software update on my Ubuntu Server 20.04 LTS using the commands sudo apt update and sudo apt upgrade. Normally, this process finishes without any problems, but this time it froze while setting up secureboot-db. After pressing Crtl+C to stop the update for that package, apt continued with the upgrade and got into some other problems: grub-install couldn't install for x86_64-efi platform.
After a bit of research, I found that others had the same issue and 'solved' it by cancelling the update of the secureboot-db package (https://askubuntu.com/a/1095718). All went fine for the next update: the grub was updated and I could reboot back into Ubuntu without any issues.
Today, I needed to install a new package and thought it was a good idea to apt upgrade before doing that. A few minutes later, I was greeted with a red popup saying:
### Configuring grub-efi-amd64 ###
GRUB failed to install to the following devices: /dev/sda1
Do you want to continue anyway? If you do, your computer may not start up properly.
YES - NO
After selecting NO, it asked me to select the efi partition (which was already selected) and try to install it again. After a few seconds, the red popup returned. Eventually, I pressed YES and the upgrade continued, exiting with 2 failed packages: grub-efi-amd64-signed and shim-signed.
Here is the full output for apt upgrade:
~$ sudo apt upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] Y
Setting up grub-efi-amd64-signed (1.142.8+2.04-1ubuntu26.6) ...
od: /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c: read error: Interrupted system call
/usr/share/grub/grub-check-signatures: 22: [: Illegal number:
dpkg: error processing package grub-efi-amd64-signed (--configure):
installed grub-efi-amd64-signed package post-installation script subprocess returned error exit status 255
dpkg: dependency problems prevent processing triggers for shim-signed:
shim-signed depends on grub-efi-amd64-signed | grub-efi-arm64-signed; however:
Package grub-efi-amd64-signed is not configured yet.
Package grub-efi-arm64-signed is not installed.
dpkg: error processing package shim-signed (--configure):
dependency problems - leaving triggers unprocessed
Errors were encountered while processing:
grub-efi-amd64-signed
shim-signed
E: Sub-process /usr/bin/dpkg returned an error code (1)
So it appears there's an issue reading the EFI variable SecureBoot.
Should I be worried? How can I upgrade these packages without any errors? Will I be able to boot normally?
I haven't rebooted my machine yet, because I'm afraid it might not boot back into Ubuntu.
I've read some other posts and websites, but none address the same issues I have:
- https://stackoverflow.com/q/53203528 is about an error while processing
grub-efi-amd64-signedandshim-signed, but the error message say that there is "no space left on device". I'm getting an error reading an EFI variable. - Errors were encountered while processing: grub-efi-amd64-signed - Ubuntu 20.04.1 LTS also has errors upgrading
grub-efi-amd64-signed, but got the issue resolved by waiting two weeks for a new update. - error processing package grub-efi-amd64-signed ubuntu 20.4 appears to have a similar issue to mine, but doesn't specify any error messages. The error exit status is also different.
- Errors during upgrade from 17.10 to 18.04 (shim-signed and grub-efi-amd64-signed) also has a similar issue, but
grub-installcan't add an entry toBootOrder. - https://wiki.ubuntu.com/UEFI/SecureBoot/Testing gives an overview of how SecureBoot works. Somewhere down on that page, there's a note that says: "IMPORTANT: improperly updating secureboot-db could result in all systems with Secure Boot enabled failing to boot.". I wonder if it was a good idea to remove that package.
I believe SecureBoot is disabled on my machine, but I can't go back and check it, since I might not get back into Ubuntu.
Here are the outputs of some other commands:
~$ sudo grub-install
Installing for x86_64-efi platform.
grub-install: warning: Cannot read EFI Boot* variables.
grub-install: warning: efivarfs_get_variable: read failed: Interrupted system call.
grub-install: warning: efi_get_variable: ops->get_variable failed: Interrupted system call.
grub-install: error: failed to register the EFI boot entry: Interrupted system call.
~$ sudo update-grub
Sourcing file /etc/default/grub' Sourcing file/etc/default/grub.d/init-select.cfg'
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.4.0-52-generic
Found initrd image: /boot/initrd.img-5.4.0-52-generic
Found linux image: /boot/vmlinuz-5.4.0-51-generic
Found initrd image: /boot/initrd.img-5.4.0-51-generic
/dev/sdb: open failed: No medium found
/dev/sdb: open failed: No medium found
done
~$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 55.3M 1 loop /snap/core18/1885
loop1 7:1 0 69.2M 1 loop /snap/lxd/18077
loop2 7:2 0 69.2M 1 loop /snap/lxd/18013
loop3 7:3 0 31M 1 loop /snap/snapd/9721
loop5 7:5 0 31M 1 loop /snap/snapd/9607
loop6 7:6 0 55.4M 1 loop /snap/core18/1932
sda 8:0 0 279.5G 0 disk
├─sda1 8:1 0 512M 0 part /boot/efi
└─sda2 8:2 0 279G 0 part /
sr0 11:0 1 1024M 0 rom
Any help is greatly appreciated!
sudo bootctl --path /boot/efi status– oldfred Nov 02 '20 at 14:39