Bugzilla – Bug 1182640
[Build153.1][aarch64][Installation][SecureBoot][mokutil] Unresolved missing dependency software package prevents host from being installed
Last modified: 2023-05-08 14:22:39 UTC
Created attachment 846426 [details] yast2_installation_screenshots ########## Summary ########## Build153.1 can not be installed on aarch4 host. It reports error: The proposal contains an error that must be resolved before continuing. It seems that default installation with SecureBoot enabled which requires mokutil to be installed as well. But mokutil can not be found in software packages, including Base-System, Desktop-Applications, Server-Applications, Deveopment-Tools, Legacy and Web-Scripting So the installation can not proceed. The only way to proceed is to turn off SecureBoot. Pleas refer to attached yast2_installation_screenshots ########## Reproducibility ########## All the time ########## Steps to reproduce ########## 1.Install Build153.1 on aarch64 host by using yast2 2.Choose KVM server role and Base-System, Desktop-Applications, Server-Applications, Deveopment-Tools, Legacy and Web-Scripting extensions. 2.Keep default installation configurations then click install 3.Installation can not proceed due to error: The proposal contains an error that must be resolved before continuing. ########## Expected Result ########## Installation can proceed as normal ########## Actual Result ########## Installation can not proceed because error The proposal contains an error that must be resolved before continuing. ########## Software Environment ########## 15-SP3 Build153.1 ########## Hardware Environment ########## aarch64 physical host ########## Logs ########## 1.yast2_installation_screenshots 2.y2logs ########## Workaround ########## n/a
Created attachment 846427 [details] y2logs
Created attachment 846476 [details] YaST logs We are seeing this issue with build 154.1 as well, while installing SLES+HA: https://openqa.suse.de/tests/5523884#step/start_install/3 Not sure if related, but openQA reports these errors as a probable cause: https://openqa.suse.de/tests/5523884#step/start_install/188 I am attaching y2log from the SLES+HA installation test. More logs available in the openQA test. This is blocking HA testing on aarch64.
Setting it as P1
mokutil for aarch64 is not part of the media and only included for x86_64. To me it looks like this dependency for the package got added to enable shim in secure boot of aarch64. I am still looking for the added dependency though. We need a package list adjustment to add the aarch64 binary to the media.
This bug shouldn't happen in case secure boot is not active, right?
(In reply to Stefan Weiberg from comment #5) > This bug shouldn't happen in case secure boot is not active, right? Installation can proceed if secure boot is not active(disabled)
(In reply to Wei Chen from comment #7) > (In reply to Stefan Weiberg from comment #5) > > This bug shouldn't happen in case secure boot is not active, right? > > Installation can proceed if secure boot is not active(disabled) Hello Stefan, I can see that on my test setup (virtual machine), the secureboot is disabled by default (UEFI BIOS setting), but I can hit the same issue. So, it seems "hardcode" to enable secureboot for this issue.
Created attachment 846506 [details] vm-screenshot-1
Created attachment 846507 [details] vm-screenshot-2
I believe I am seeing the same issue as reported by Richard in the openqa test: https://openqa.suse.de/tests/5523884 In the serial terminal at https://openqa.suse.de/tests/5523884/file/serial0.txt, the following messages related to secure boot can be seen there while the image is booting: Variable SecureBoot is 0 Variable SecureBootEnable is 0 ... add-symbol-file /home/abuild/rpmbuild/BUILD/edk2-edk2-stable201911/Build/ArmVirtQemu-AARCH64/DEBUG_GCC5/AARCH64/SecurityPkg/VariableAuthenticated/SecureBootConfigDxe/SecureBootConfigDxe/DEBUG/SecureBootConfigDxe.dll 0x7BA3C000 Loading driver at 0x0007BA3B000 EntryPoint=0x0007BA4738C SecureBootConfigDxe.efi ... [ 1.318400] ima: secureboot mode disabled ... [ 8.325810] Loaded X.509 cert 'SUSE Linux Enterprise Secure Boot Signkey: ****' I would say the VM is starting with secure boot disabled and this is being picked up during boot, but then the installer is enabling secure boot. I see the boorloader screen that the secure boot setting is enabled: https://openqa.suse.de/tests/5523884#step/disable_grub_timeout/4 However on older passing tests (Snapshot 10), the same setting was enabled as well: https://openqa.suse.de/tests/5475412#step/disable_grub_timeout/4
Okay, this second part looks like a separate issue to me and not directly related to the original bug. Could you please open another issue with your findings?
(In reply to Stefan Weiberg from comment #12) > Okay, this second part looks like a separate issue to me and not directly > related to the original bug. Could you please open another issue with your > findings? Done: https://bugzilla.suse.com/show_bug.cgi?id=1182749
(In reply to Stefan Weiberg from comment #4) > mokutil for aarch64 is not part of the media and only included for x86_64. > To me it looks like this dependency for the package got added to enable shim > in secure boot of aarch64. I am still looking for the added dependency > though. We need a package list adjustment to add the aarch64 binary to the > media. Indeed, looks related to bug #1182210 - shim was initially missing, too.
Fixed with build156.3
The original issue had already been fixed.