[Bug 1795291] [NEW] xenial->bionic upgrade, /usr/share/grub/grub-check-signatures bails about unsigned kernels
Steve Langasek
steve.langasek at canonical.com
Mon Oct 1 04:48:49 UTC 2018
Public bug reported:
$ ls /boot/vmlinuz-*
/boot/vmlinuz-4.4.0-130-generic
/boot/vmlinuz-4.4.0-130-generic.efi.signed
/boot/vmlinuz-4.4.0-133-generic
/boot/vmlinuz-4.4.0-133-generic.efi.signed
/boot/vmlinuz-4.4.0-134-generic
/boot/vmlinuz-4.4.0-134-generic.efi.signed
/boot/vmlinuz-4.4.0-135-generic
/boot/vmlinuz-4.4.0-135-generic.efi.signed
$
On dist-upgrade from xenial to bionic, grub bails with the error:
│ Cannot upgrade Secure Boot enforcement policy due to unsigned kernels │
│ │
│ Your system has UEFI Secure Boot enabled in firmware, and the following │
│ kernels present on your system are unsigned: │
│ │
│ 4.4.0-135-generic │
│ 4.4.0-134-generic │
│ 4.4.0-133-generic │
│ │
│ │
│ These kernels cannot be verified under Secure Boot. To ensure your │
│ system remains bootable, GRUB will not be upgraded on your disk until │
│ these kernels are removed or replaced with signed kernels. │
This is a false positive: only the -generic files are unsigned, not the
.efi.signed ones, and only the .efi.signed ones are referenced in the
grub.cfg. So the fact that there are unsigned vmlinuz files in the
directory alongside the signed ones should not block grub from
upgrading.
** Affects: grub2 (Ubuntu)
Importance: High
Status: Triaged
** Affects: grub2 (Ubuntu Bionic)
Importance: Undecided
Status: New
** Affects: grub2 (Ubuntu Cosmic)
Importance: High
Status: Triaged
** Changed in: grub2 (Ubuntu)
Importance: Undecided => High
** Changed in: grub2 (Ubuntu)
Status: New => Triaged
** Also affects: grub2 (Ubuntu Cosmic)
Importance: High
Status: Triaged
** Also affects: grub2 (Ubuntu Bionic)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1795291
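The criterion the report argues for, as an added example that is not part of the original bug report and not the code of grub-check-signatures: report a kernel only if grub.cfg references it and it is unsigned. The function names, the root-prefix parameter and the use of the .efi.signed suffix as the signedness test are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag only the kernels that grub.cfg would actually boot.

# Assumption: the .efi.signed suffix stands in for a real signature check.
# A production check would verify the image itself (for example with
# sbverify from sbsigntool) rather than trust the file name.
is_signed() {
    case "$1" in
        *.efi.signed) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the kernel image paths named on linux/linuxefi lines of a grub.cfg.
referenced_kernels() {
    awk '$1 == "linux" || $1 == "linuxefi" { print $2 }' "$1" | sort -u
}

# Print the referenced kernels that are not signed, one per line.
# $1 = grub.cfg path; $2 = root prefix for the kernel paths (hypothetical
# parameter, so the sample can run against a scratch directory).
unsigned_referenced_kernels() {
    referenced_kernels "$1" | while read -r k; do
        [ -e "$2$k" ] || continue      # stale menu entry, nothing to boot
        is_signed "$2$k" || echo "$k"
    done
}

# Constructed sample: the /boot listing from the report plus a grub.cfg
# whose menu entries name only the .efi.signed images.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/boot/grub"
    for v in 130 133 134 135; do
        : > "$d/boot/vmlinuz-4.4.0-$v-generic"
        : > "$d/boot/vmlinuz-4.4.0-$v-generic.efi.signed"
        printf '\tlinux\t/boot/vmlinuz-4.4.0-%s-generic.efi.signed ro\n' "$v"
    done > "$d/boot/grub/grub.cfg"
    echo "$d"
}

sample=$(make_sample)
n=$(unsigned_referenced_kernels "$sample/boot/grub/grub.cfg" "$sample" | wc -l)
echo "unsigned kernels referenced by grub.cfg: $n"
rm -rf "$sample"
```

On the constructed sample the unsigned -generic files sit beside the signed ones but are never named in grub.cfg, so nothing is reported.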