Foxboron / sbctl

:computer: :lock: :key: Secure Boot key manager
MIT License

Kernel removal fails if image file is already removed, resulting in multiple installed kernels on Fedora #293

Open hboetes opened 3 months ago

hboetes commented 3 months ago

To test sbctl, I reinstalled the kernel quite a few times and got into weird problems, like kernels being installed multiple times, according to dnf.

So to fix it I created the following changes and now dnf reinstall kernel-core works like it should.

I have no idea if that's a valid fix, so let's clear that up first before I create a PR. The first hunk of the diff is just for debugging purposes.

--- ./contrib/kernel-install/91-sbctl.install   2024-02-23 22:10:05.654097343 +0100
+++ /usr/lib/kernel/install.d/91-sbctl.install  2024-03-21 17:46:08.229980568 +0100
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/sh -x
 #  This file is part of sbctl.

 COMMAND="$1"
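
Review bot: The `-x` added to the shebang on line 1 is debugging only and should be dropped before this becomes a PR. With it, every kernel-install invocation traces each command and variable expansion into the package manager's transaction output. The interpreter also stays `/bin/sh`, so the rest of the script has to remain POSIX sh.
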
@@ -39,8 +39,10 @@
    sbctl sign -s "$IMAGE_FILE" 1>/dev/null
    ;;
 remove)
-   [ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] &&
+   if [[ -e "$IMAGE_FILE" ]]; then
+       [ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] &&
        printf 'sbctl: Removing kernel %s from signing database\n' "$IMAGE_FILE"
-   sbctl remove-file "$IMAGE_FILE" 1>/dev/null
+       sbctl remove-file "$IMAGE_FILE" 1>/dev/null
+   fi
    ;;
 esac
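
Review bot: The new guard in the `remove)` branch uses `[[ -e "$IMAGE_FILE" ]]`, a bash/ksh construct, while the script runs under `#!/bin/sh`; write it as `[ -e "$IMAGE_FILE" ]` so it also works where sh is not bash. Separately, when the image is already gone the guard skips `sbctl remove-file` altogether, so any entry recorded for that path stays in the signing database. If that matters, keep the call unconditional and tolerate its failure instead of skipping it.
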
sudo dnf reinstall kernel-core
[sudo] password for han: 
Last metadata expiration check: 0:37:10 ago on Thu 21 Mar 2024 05:33:23 PM CET.
Dependencies resolved.
==============================================================================================================================================================================
 Package                                  Architecture                        Version                                      Repository                                    Size
==============================================================================================================================================================================
Reinstalling:
 kernel-core                              x86_64                              6.8.0-63.fc40.1                              updates-testing                               16 M

Transaction Summary
==============================================================================================================================================================================

Total download size: 16 M
Installed size: 66 M
Is this ok [Y/n]: 
Downloading Packages:
kernel-core-6.8.0-63.fc40.1.x86_64.rpm                                                                                                        1.8 MB/s |  16 MB     00:08    
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                         1.6 MB/s |  16 MB     00:10     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                      1/1 
  Reinstalling     : kernel-core-6.8.0-63.fc40.1.x86_64                                                                                                                   1/2 
  Running scriptlet: kernel-core-6.8.0-63.fc40.1.x86_64                                                                                                                   1/2 
  Running scriptlet: kernel-core-6.8.0-63.fc40.1.x86_64                                                                                                                   2/2 
+ COMMAND=remove
+ KERNEL_VERSION=6.8.0-63.fc40.1.x86_64
+ ENTRY_DIR_ABS=/efi/12a1f611b7024771b9b102a13c88175a/6.8.0-63.fc40.1.x86_64
+ KERNEL_IMAGE=
+ IMAGE_FILE=/efi/12a1f611b7024771b9b102a13c88175a/6.8.0-63.fc40.1.x86_64/linux
+ '[' bls = uki ']'
+ case "$COMMAND" in
+ [[ -e /efi/12a1f611b7024771b9b102a13c88175a/6.8.0-63.fc40.1.x86_64/linux ]]
+ '[' 0 -gt 0 ']'
+ sbctl remove-file /efi/12a1f611b7024771b9b102a13c88175a/6.8.0-63.fc40.1.x86_64/linux

  Cleanup          : kernel-core-6.8.0-63.fc40.1.x86_64                                                                                                                   2/2 
  Running scriptlet: kernel-core-6.8.0-63.fc40.1.x86_64                                                                                                                   2/2 
dkms: running auto installation service for kernel 6.8.0-63.fc40.1.x86_64
dkms: autoinstall for kernel 6.8.0-63.fc40.1.x86_64 Done. 
+ COMMAND=add
+ KERNEL_VERSION=6.8.0-63.fc40.1.x86_64
+ ENTRY_DIR_ABS=/efi/12a1f611b7024771b9b102a13c88175a/6.8.0-63.fc40.1.x86_64
+ KERNEL_IMAGE=/lib/modules/6.8.0-63.fc40.1.x86_64/vmlinuz
+ IMAGE_FILE=/efi/12a1f611b7024771b9b102a13c88175a/6.8.0-63.fc40.1.x86_64/linux
+ '[' bls = uki ']'
+ case "$COMMAND" in
+ printf 'sbctl: Signing kernel %s\n' /efi/12a1f611b7024771b9b102a13c88175a/6.8.0-63.fc40.1.x86_64/linux
sbctl: Signing kernel /efi/12a1f611b7024771b9b102a13c88175a/6.8.0-63.fc40.1.x86_64/linux
+ test -d /usr/share/secureboot/keys
+ sbctl sign -s /efi/12a1f611b7024771b9b102a13c88175a/6.8.0-63.fc40.1.x86_64/linux

Reinstalled:
  kernel-core-6.8.0-63.fc40.1.x86_64                                                                                                                                          

Complete!
Time: 0h:00m:58s                                                                                                                                                              
han@it1notebook ~/src/sbctl %  <master> sudo sbctl verify
Verifying file database and EFI images in /efi...
✓ /efi/12a1f611b7024771b9b102a13c88175a/6.8.0-63.fc40.1.x86_64/linux is signed
✓ /efi/12a1f611b7024771b9b102a13c88175a/0-rescue/linux is signed
✓ /efi/EFI/BOOT/BOOTIA32.EFI is signed
✓ /efi/EFI/BOOT/BOOTX64.EFI is signed
✓ /efi/EFI/BOOT/fbia32.efi is signed
✓ /efi/EFI/BOOT/fbx64.efi is signed
✓ /efi/EFI/fedora/fwupdx64.efi is signed
✓ /efi/EFI/fedora/gcdia32.efi is signed
✓ /efi/EFI/fedora/gcdx64.efi is signed
✓ /efi/EFI/fedora/grubia32.efi is signed
✓ /efi/EFI/fedora/grubx64.efi is signed
✓ /efi/EFI/fedora/mmia32.efi is signed
✓ /efi/EFI/fedora/mmx64.efi is signed
✓ /efi/EFI/fedora/shim.efi is signed
✓ /efi/EFI/fedora/shimia32.efi is signed
✓ /efi/EFI/fedora/shimx64.efi is signed
✓ /efi/EFI/systemd/systemd-bootx64.efi is signed

Foxboron commented 3 months ago

I don't really use kernel-install, so if it solves a problem you have please do send a patch :)

hboetes commented 3 months ago

In that case: #294 😎