I'm running Xubuntu 18.04 on my current laptop, as well as my old laptop that I'm trying to sell. I recently installed it on the latter; it's totally clean, no PPAs or extra kernels.

Both systems are Nvidia Optimus laptops, and both were installed in UEFI mode. My current laptop has secure boot turned off. I haven't done anything like that on the old one yet. I have installed nvidia 396 from the graphics-driver PPA on my main laptop, and used nvidia 390 from the official repo on the old laptop. My main laptop has the xanmod kernel and the stock kernel. The old laptop has only the stock kernel.

Both systems experience complete hangs in dpkg while trying to upgrade kernels. The system itself doesn't hang but the upgrade gets stuck. A little bit of terminal sleuthing shows this:

TiZLappy:~$ pgrep dpkg 2499 TiZLappy:~$ pstree -l 2499 dpkg───linux-image-4.1───run-parts───dkms_autoinstal───dkms───dkms───frontend─┬─update-securebo └─whiptail TiZLappy:~$ ps aux | grep securebo root 5146 0.0 0.1 111876 22928 pts/1 S+ 23:57 0:00 /usr/bin/perl -w /usr/share/debconf/frontend /usr/sbin/update-secureboot-policy --enroll-key root 5160 0.0 0.0 4628 1844 pts/1 S+ 23:57 0:00 /bin/sh /usr/sbin/update-secureboot-policy --enroll-key tiz 10409 0.0 0.0 22004 1028 pts/2 S+ 23:59 0:00 grep --color=auto securebo TiZLappy:~$ ps aux | grep whiptail root 5175 0.0 0.0 32356 4252 pts/1 S+ Jul03 0:00 whiptail --backtitle Package configuration --title Configuring Secure Boot --output-fd 12 --nocancel --msgbox Your system has UEFI Secure Boot enabled. UEFI Secure Boot requires additional configuration to work with third-party drivers. The system will assist you in configuring UEFI Secure Boot. To permit the use of third-party drivers, a new Machine-Owner Key (MOK) has been generated. This key now needs to be enrolled in your system's firmware. To ensure that this change is being made by you as an authorized user, and not by an attacker, you must choose a password now and then confirm the change after reboot using the same password, in both the "Enroll MOK" and "Change Secure Boot state" menus that will be presented to you when this system reboots. If you proceed but do not confirm the password upon reboot, Ubuntu will still be able to boot on your system but any hardware that requires third-party drivers to work correctly may not be usable. --scrolltext 21 84 tiz 30605 0.0 0.0 22004 1040 pts/2 S+ 00:07 0:00 grep --color=auto whiptail

So the update-secureboot-policy script is straight up frozen and it's stalling the whole upgrade. I don't know if whiptail is supposed to be presenting some sort of dialog or useful interactible, but it's not; neither on apt, nor on dpkg --configure -a .

Killing these stuck processes doesn't allow the upgrade process to continue with apt.

This behavior is the same on both my main laptop with xanmod and graphics-drivers PPA, and on my old laptop with stock everything, so additional packages can't be blamed for this.