[Bug 1786491] Re: grub2 verify signed kernel exists or abort upgrade
Julian Andres Klode
1786491 at bugs.launchpad.net
Tue Aug 14 11:01:34 UTC 2018
Installed -ubuntu8.3 / signed 1.93.4 from proposed and ran some tests. I
fixed the script to use a different dir instead of
/sys/firmware/efi/efivars and created/deleted the flags for secure boot
in there, as I could not get my container to read from the original dir,
even after bind mounting mock files/dirs.
On a secure boot system (mock: copied SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c from host):
* Install grub-efi-amd64{,signed} and signed kernel => installs
PASS (mock: copied signed host kernel to container)
* Install grub-efi-amd64{,signed} and only unsigned kernel => prevents
PASS (mock: created empty vmlinuz-$(uname -r) in /boot/)
On a non-secure-boot system (mock: deleted SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c):
* Install grub-efi-amd64{,signed} and only unsigned kernel => installs
PASS (mock: created empty vmlinuz-$(uname -r) in /boot/)
** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1786491
Title:
grub2 verify signed kernel exists or abort upgrade
Status in grub2 package in Ubuntu:
Fix Released
Status in grub2-signed package in Ubuntu:
Fix Released
Status in grub2 source package in Bionic:
Fix Committed
Status in grub2-signed source package in Bionic:
Fix Committed
Status in grub2 source package in Cosmic:
Fix Released
Status in grub2-signed source package in Cosmic:
Fix Released
Bug description:
[Impact]
grub2 should fail to install if no signed kernels exist
[Test case]
On a secure boot system:
* Install grub-efi-amd64{,signed} and signed kernel => installs
* Install grub-efi-amd64{,signed} and only unsigned kernel => prevents
On a non-secure-boot system:
* Install grub-efi-amd64{,signed} and only unsigned kernel => installs
[Regression potential]
Upgrades can break.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1786491/+subscriptions
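The three-case test matrix above can be reproduced against mock directories. The following is an added example, not part of the bug report and not the grub2 package's own script. It assumes that "signed" means the kernel's PE image carries a non-empty certificate table (presence only, no trust validation), and the helper names, the `vmlinuz-mock` file and the fake PE image are constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

SB_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"  # name from the post

def secure_boot_enabled(efivars: Path) -> bool:
    # efivarfs layout: 4 attribute bytes, then the value (1 byte here).
    var = efivars / SB_VAR
    raw = var.read_bytes() if var.is_file() else b""
    return len(raw) >= 5 and raw[4] == 1

def has_signature_table(kernel: Path) -> bool:
    # Assumption: "signed" = non-empty PE certificate table (data directory 4).
    # This shows presence only; it does not validate the signature.
    data = kernel.read_bytes()
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    opt = pe + 24  # PE magic (4) + COFF header (20)
    if data[pe:pe + 4] != b"PE\0\0" or len(data) < opt + 2:
        return False
    dirs = {0x10B: 96, 0x20B: 112}.get(struct.unpack_from("<H", data, opt)[0])
    if dirs is None or len(data) < opt + dirs + 40:
        return False
    if struct.unpack_from("<I", data, opt + dirs - 4)[0] <= 4:
        return False  # image declares no certificate-table entry
    off, size = struct.unpack_from("<II", data, opt + dirs + 32)
    return size > 0 and off + size <= len(data)

def upgrade_allowed(efivars: Path, boot: Path) -> bool:
    # Hypothetical policy: abort only if Secure Boot is on and no signed kernel exists.
    if not secure_boot_enabled(efivars):
        return True
    return any(has_signature_table(k) for k in boot.glob("vmlinuz-*"))

def fake_pe(signed: bool) -> bytes:
    # Constructed minimal PE32+ header, not a real kernel.
    opt = bytearray(112 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B)   # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)    # NumberOfRvaAndSizes
    hdr = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(20)
    if signed:
        struct.pack_into("<II", opt, 144, len(hdr) + len(opt), 8)
    return hdr + bytes(opt) + (bytes(8) if signed else b"")

def run_matrix() -> dict:
    # Mock efivars and /boot per case, mirroring the mocks in the post.
    cases = [("sb+signed", True, fake_pe(True)), ("sb+unsigned", True, b""),
             ("nosb+unsigned", False, b"")]
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, sb, kernel in cases:
            efi, boot = Path(tmp, name, "efivars"), Path(tmp, name, "boot")
            efi.mkdir(parents=True)
            boot.mkdir()
            if sb:
                (efi / SB_VAR).write_bytes(b"\x06\x00\x00\x00\x01")
            (boot / "vmlinuz-mock").write_bytes(kernel)
            out[name] = upgrade_allowed(efi, boot)
    return out
```

`run_matrix()` returns one boolean per case, where `True` corresponds to "installs" and `False` to "prevents".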