[Bug 1652147] Re: UEFI secure boot fails after 14.04 to 16.04 upgrade

Brian Murray brian at ubuntu.com
Tue Jan 3 17:19:24 UTC 2017 

ubuntu-release-upgrade should disable -proposed to prevent situations
like this.  Please include your the file /var/log/dist-upgrade/main.log
which should contain information about your upgrade from 14.04 to 16.04.

DistUpgradeController.py contains the following code:

 653             # Disable proposed on upgrade to a development release.
 654             if (not entry.disabled and self.options
 655                 and self.options.devel_release == True and
 656                 "%s-proposed" % self.fromDist in entry.dist):
 657                 logging.debug("upgrade to development release, disabling proposed")
 658                 entry.dist = "%s-proposed" % self.toDist
 659                 entry.comment += _("Not for humans during development stage of release %s") % self.toDist
 660                 entry.disabled = True
 661                 continue

So you'd also see the above comment in /etc/apt/sources.list.

** Changed in: shim (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1652147

Title:
  UEFI secure boot fails after 14.04 to 16.04 upgrade

Status in shim package in Ubuntu:
  New

Bug description:
  I did a release upgrade from fully upgraded Trusty/14.04.x to Xenial/16.04 today (amd64). There was no indication of any problems during the upgrade. Only oddly asking to disable secure boot on the shim level again (already had done this on Trusty). Also I had the proposed pocket enabled in Trusty before doing the upgrade (update-manager).
  After reboot I get a textual error message that "image verification has failed" and I am presented with a menu to select a different UEFI element (this is a Lenovo x230).
  I can disable secure boot in the BIOS and am then able to boot.
  Not sure this is related to the issue but from the system booted without secure boot I tried to run sbverify and it returns the same error for all EFI binaries I tried:

  # sbverify shimx64.efi 
  warning: data remaining[1170360 vs 1289424]: gaps between PE/COFF sections?
  PKCS7 verification failed
  140313718134424:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:336:Verify error:unable to get local issuer certificate
  Signature verification failed

  If there is any other info that is needed, let me know. Or/and if
  there are any steps to resolve the issue, let me know, too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1652147/+subscriptions

More information about the foundations-bugs mailing list