[Bug 1202120] New: Can't update my MicroOS as shim post-install script fails with "mokutil: unrecognized option '--set-sbat-policy'"
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
http://bugzilla.opensuse.org/show_bug.cgi?id=1202120
Bug ID: 1202120
Summary: Can't update my MicroOS as shim post-install script
fails with "mokutil: unrecognized option
'--set-sbat-policy'"
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: aarch64
OS: openSUSE Tumbleweed
Status: NEW
Severity: Normal
Priority: P5 - None
Component: MicroOS
Assignee: kubic-bugs@opensuse.org
Reporter: fx.houard@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36
Build Identifier:
I try to upgrade my microOS with "transactional-update dup", and it fails every
time with code 107. Apparently the problem is that shim post-install script try
to launch mokutil with the option '--set-sbat-policy' which is not available
with my installation.
"mokutil: unrecognized option '--set-sbat-policy'"
My version of mokutil is :
S | Name | Type | Version | Arch | Repository
---+---------+---------+-----------+---------+------------------------
i+ | mokutil | package | 0.5.0-1.5 | aarch64 | openSUSE-Tumbleweed-Oss
I think it is the latest
The upgrade is openSUSE MicroOS
20220207-0 -> 20220731-0
BTW I get the same error when trying to upgrade the shim package only
(transactional-update pkg update shim).
My version of shim is 15.4-7.4, I can't update it to the suggested version
(15.6-3.1)
Reproducible: Always
Steps to Reproduce:
1.transactional-update pkg update shim or transactional-update dup
2.
3.
Actual Results:
Retrieving: shim-15.6-3.1.aarch64.rpm [.done (1.5 KiB/s)]
(1/1) Installing: shim-15.6-3.1.aarch64 [........
mokutil: unrecognized option '--set-sbat-policy'
Usage:
mokutil OPTIONS [ARGS...]
Options:
--help Show help
--list-enrolled List the enrolled keys
--list-new List the keys to be enrolled
--list-delete List the keys to be deleted
--import <der file...> Import keys
--delete <der file...> Delete specific keys
--revoke-import Revoke the import request
--revoke-delete Revoke the delete request
--export Export keys to files
--password Set MOK password
--clear-password Clear MOK password
--disable-validation Disable signature validation
--enable-validation Enable signature validation
--sb-state Show SecureBoot State
--test-key <der file> Test if the key is enrolled or not
--reset Reset MOK list
--generate-hash[=password] Generate the password hash
--ignore-db Ignore DB for validation
--use-db Use DB for validation
--import-hash <hash> Import a hash into MOK or MOKX
--delete-hash <hash> Delete a hash in MOK or MOKX
--set-verbosity
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
http://bugzilla.opensuse.org/show_bug.cgi?id=1202120
http://bugzilla.opensuse.org/show_bug.cgi?id=1202120#c1
Ignaz Forster
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
http://bugzilla.opensuse.org/show_bug.cgi?id=1202120
http://bugzilla.opensuse.org/show_bug.cgi?id=1202120#c2
Dominique Leuenberger
It seems the corresponding mokutils package will be released only with the next Tumbleweed snapshot: https://build.opensuse.org/request/show/992467. Until then MicroOS will prevent you from updating your system to a broken state ;-)
That means the error is actually in shim - it should have required the proper version of mokutil (or conflict inappropriate versions) to ensure the things get updated in the proper order. At this time not much more we can do than 'wait for things to fall in place'; yet, assigning to Joey to fix the spec file (for future products) -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
http://bugzilla.opensuse.org/show_bug.cgi?id=1202120
http://bugzilla.opensuse.org/show_bug.cgi?id=1202120#c3
--- Comment #3 from Joey Lee
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
http://bugzilla.opensuse.org/show_bug.cgi?id=1202120
http://bugzilla.opensuse.org/show_bug.cgi?id=1202120#c4
--- Comment #4 from Joey Lee
I have sent a submit request to openSUSE:Factory/shim for detecting the --set-sbat-policy before using it:
The change be merged to openSUSE:Factory. -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com