[Bug 1892754] Re: Unable to boot in UEFI+secure boot mode

Steve Langasek 1892754 at bugs.launchpad.net
Tue Sep 1 06:07:17 UTC 2020


Ok, a key point here is that your dbx includes Microsoft's recent
revocations of older grub versions; and an examination of the daily
image shows that it's currently using an old grub signed with the old
key instead of the current grub:

$ sudo kpartx -a ~/devel/iso/groovy-desktop-amd64.iso
$ sudo mount /dev/mapper/loop8p2 /mnt
$ sbattach -d /tmp/grub.sig /mnt/efi/boot/grubx64.efi 
$ openssl pkcs7 -noout -inform DER -in /tmp/grub.sig -print_certs
subject=C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical Ltd. Secure Boot Signing

issuer=C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Master Certificate Authority


$ sudo umount /mnt
$ sudo kpartx -d ~/devel/iso/groovy-desktop-amd64.iso
$

This is not a bug in grub but in the construction of the daily images,
which apparently do not automatically track the current grub.


** Package changed: grub2 (Ubuntu) => cd-boot-images-amd64 (Ubuntu)

** Changed in: cd-boot-images-amd64 (Ubuntu)
       Status: Incomplete => Triaged

** Changed in: cd-boot-images-amd64 (Ubuntu)
       Status: Triaged => Fix Committed

** Changed in: cd-boot-images-amd64 (Ubuntu)
   Importance: Undecided => High

** Changed in: cd-boot-images-amd64 (Ubuntu)
     Assignee: (unassigned) => Steve Langasek (vorlon)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1892754

Title:
  Unable to boot in UEFI+secure boot mode

Status in cd-boot-images-amd64 package in Ubuntu:
  Fix Committed

Bug description:
  The problem:

  Trying to install the QA daily build for Kubuntu Groovy 20200824 -
  when booting from the USB boot media I receive the following error:

  Error

  Verification failed: 
  (0x1A) security violation 

  Followed by an OK box - which when selected offers to import the SHIM
  key

  This error occurred on 2 machines running in UEFI+secure boot mode:

  1: Dell [Inspiron] 3521, (i3-3217U, 4GB, Intel HD Graphics 4000, Intel
  HM76 chipset 10/100 Mbps ethernet controller integrated on system
  board, WiFi 802.11 b/g/N, Bluetooth 4.0, 500 GB hd)

  2: Acer [Aspire] E3-111-P60S (Pent.N3530, 4GB, Intel HD Graphics,
  Realtek  RTL8111/81681/8411 GB Ethernet, Qualcomm Atheros AR9462
  Wireless, Bluetooth Atheros A315-53, 500 GB hd)

  Disabling secure boot the machines then boot normally in UEFI mode

  Will test further some of the other flavors..

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cd-boot-images-amd64/+bug/1892754/+subscriptions
