[Bug 2064319] Comment bridged from LTC Bugzilla
bugproxy
2064319 at bugs.launchpad.net
Wed Apr 16 05:09:40 UTC 2025
------- Comment From nasastry at in.ibm.com 2025-04-16 01:04 EDT-------
(In reply to comment #15)
> My dev PPA can be added with
> add-apt-repository ppa:mkukri/dev-ppc64el
Thanks for the above command. I could add the above repository but
couldn't install the signed grub.
# add-apt-repository ppa:mkukri/dev-ppc64el
# apt-get update
# apt-cache search grub | grep signed
grub-ieee1275-signed - GRand Unified Bootloader, version 2 (IEEE1275 version, signed)
grub-ieee1275-unsigned - GRand Unified Bootloader, version 2 (Open Firmware monolithic images)
# apt-get install grub-ieee1275-signed
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Solving dependencies... Error!
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
grub-ieee1275-signed : Depends: grub-ieee1275 (= 2.12-5ubuntu7+powersb9) but 2.12-5ubuntu11 is to be installed
E: Unable to correct problems, you have held broken packages.
E: The following information from --solver 3.0 may provide additional context:
Unable to satisfy dependencies. Reached two conflicting decisions:
1. grub-ieee1275:ppc64el=2.12-5ubuntu7+powersb9 is not selected for install
2. grub-ieee1275:ppc64el=2.12-5ubuntu7+powersb9 is selected as a downgrade because:
1. grub-ieee1275-signed:ppc64el=1.209.1+powersb7+2.12-5ubuntu7+powersb9 is selected for install
2. grub-ieee1275-signed:ppc64el Depends grub-ieee1275 (= 2.12-5ubuntu7+powersb9)
What am I missing here?
Thank You.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/2064319
Title:
Power guest secure boot with key management: GRUB2 portion
Status in The Ubuntu-power-systems project:
New
Status in grub2 package in Ubuntu:
New
Bug description:
Covering the GRUB2 portion:
Feature:
This feature comprises PowerVM LPAR guest OS kernel verification using
static keys to extend the chain of trust from partition firmware to
the OS kernel. GRUB and the host OS kernel are signed with 2 separate
public key pairs. Partition firmware includes the the public
verification key for GRUB in its build and uses it to verify GRUB.
GRUB includes the public verification key for the OS kernel in its
build and uses it to verify the OS kernel image
Test case:
If secure boot is switched off, any GRUB and kernel boots.
If secure boot is switched on:
- Properly signed GRUB boots.
- Improperly signed GRUB does not boot.
- Tampered signed GRUB does not boot.
- Properly signed kernels boot.
- Improperly signed kernels do not boot.
- Tampered signed kernels do not boot.
TPM PCRs are extended roughly following the TCG PC Client and UEFI specs as they apply to POWER.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/2064319/+subscriptions
More information about the foundations-bugs
mailing list