Bug ID 1202120
Summary Can't update my MicroOS as shim post-install script fails with "mokutil: unrecognized option '--set-sbat-policy'"
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware aarch64
OS openSUSE Tumbleweed
Status NEW
Severity Normal
Priority P5 - None
Component MicroOS
Assignee kubic-bugs@opensuse.org
Reporter fx.houard@gmail.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker --- 

User-Agent:       Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Build Identifier: 

I try to upgrade my microOS with "transactional-update dup", and it fails every
time with code 107. Apparently the problem is that shim post-install script try
to launch mokutil with the option '--set-sbat-policy' which is not available
with my installation.

"mokutil: unrecognized option '--set-sbat-policy'"

My version of mokutil is :
S  | Name    | Type    | Version   | Arch    | Repository
---+---------+---------+-----------+---------+------------------------
i+ | mokutil | package | 0.5.0-1.5 | aarch64 | openSUSE-Tumbleweed-Oss

I think it is the latest

The upgrade is openSUSE MicroOS
  20220207-0 -> 20220731-0

BTW I get the same error when trying to upgrade the shim package only
(transactional-update pkg update shim). 

My version of shim is 15.4-7.4, I can't update it to the suggested version
(15.6-3.1)



Reproducible: Always

Steps to Reproduce:
1.transactional-update pkg update shim or transactional-update dup
2.
3.
Actual Results:  
Retrieving: shim-15.6-3.1.aarch64.rpm [.done (1.5 KiB/s)]
(1/1) Installing: shim-15.6-3.1.aarch64 [........
mokutil: unrecognized option '--set-sbat-policy'
Usage:
  mokutil OPTIONS [ARGS...]
Options:
  --help                Show help
  --list-enrolled            List the enrolled keys
  --list-new                List the keys to be enrolled
  --list-delete                List the keys to be deleted
  --import <der file...>        Import keys
  --delete <der file...>        Delete specific keys
  --revoke-import            Revoke the import request
  --revoke-delete            Revoke the delete request
  --export                Export keys to files
  --password                Set MOK password
  --clear-password            Clear MOK password
  --disable-validation            Disable signature validation
  --enable-validation            Enable signature validation
  --sb-state                Show SecureBoot State
  --test-key <der file>            Test if the key is enrolled or not
  --reset                Reset MOK list
  --generate-hash[=password]        Generate the password hash
  --ignore-db                Ignore DB for validation
  --use-db                Use DB for validation
  --import-hash <hash>            Import a hash into MOK or MOKX
  --delete-hash <hash>            Delete a hash in MOK or MOKX
  --set-verbosity <true/false>        Set the verbosity bit for shim
  --pk                    List the keys in PK
  --kek                    List the keys in KEK
  --db                    List the keys in db
  --dbx                    List the keys in dbx
  --timeout <-1,0..0x7fff>        Set the timeout for MOK prompt
  --sbat                List the entries in SBAT
Supplimentary Options:
  --hash-file <hash file>        Use the specific password hash
  --root-pw                Use the root password
  --mokx                Manipulate the MOK blacklist
  --ca-check                Check if CA of the key is enrolled/blocked
  --ignore-keyring            Don't check if the key is the kernel keyring
warning: %post(shim-15.6-3.1.aarch64) scriptlet failed, exit status 255
........done]
Executing %posttrans script 'shim-15.6-3.1.aarch64.rpm' [....done]
2022-08-03 21:19:37 Application returned with exit status 107.

Expected Results:  
Exit with status 0 :)

My system is a raspberry pi 4b.

You are receiving this mail because: