[Bug 1786491] Re: grub2 verify signed kernel exists or abort upgrade
This bug was fixed in the package grub2-signed - 1.93.4

---
grub2-signed (1.93.4) bionic; urgency=medium

  * Rebuild against grub2 2.02-2ubuntu8.3 and check kernel is signed on amd64 EFI before installing grub (LP: #1786491).

 -- Julian Andres Klode  Mon, 13 Aug 2018 12:51:32 +0200

** Changed in: grub2-signed (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1786491

Title: grub2 verify signed kernel exists or abort upgrade

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1786491/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1786491] Re: grub2 verify signed kernel exists or abort upgrade
This bug was fixed in the package grub2 - 2.02-2ubuntu8.3

---
grub2 (2.02-2ubuntu8.3) bionic; urgency=medium

  * Verify that the current and newer kernels are signed when grub is updated, to make sure people do not accidentally shutdown without a signed kernel. (LP: #1786491)

 -- Julian Andres Klode  Fri, 13 Jul 2018 15:21:48 +0200

** Changed in: grub2 (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

[Bug 1786491] Re: grub2 verify signed kernel exists or abort upgrade
Installed -ubuntu8.3 / signed 1.93.4 from proposed and ran some tests. I fixed the script to use a different dir instead of /sys/firmware/efi/efivars and created/deleted the flags for secure boot in there, as I could not get my container to read from the original dir, even after bind mounting mock files/dirs.

On a secure boot system (mock: copied SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c from host):
* Install grub-efi-amd64{,signed} and signed kernel => installs
  PASS (mock: copied signed host kernel to container)
* Install grub-efi-amd64{,signed} and only unsigned kernel => prevents
  PASS (mock: created empty vmlinuz-$(uname -r) in /boot/)

On a non-secure-boot system (mock: deleted SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c):
* Install grub-efi-amd64{,signed} and only unsigned kernel => installs
  PASS (mock: created empty vmlinuz-$(uname -r) in /boot/)

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic

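The gate exercised by the test matrix above, as an added example that is not part of the thread and is not the grub-check-signatures script itself. Assumptions: "signed" is approximated by a non-empty PE Certificate Table (the signature is not validated against any key), the policy is the bug's Impact line (at least one signed kernel must exist), and the efivars and boot directories are parameters so mock directories like the tester's can be used.

```python
import struct
from pathlib import Path

SB_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"  # name from the test report

def secure_boot_enabled(efivars: Path) -> bool:
    # efivarfs layout: 4 attribute bytes, then the variable data (1 byte here).
    var = efivars / SB_VAR
    if not var.is_file():
        return False
    raw = var.read_bytes()
    return len(raw) >= 5 and raw[4] == 1

def has_signature_table(image: Path) -> bool:
    # Presence check only: a non-empty PE Certificate Table (data directory 4).
    # Assumption of this example; it does not verify the signature itself.
    data = image.read_bytes()
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False  # also covers the empty vmlinuz used as a mock
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    opt = pe + 24  # PE signature (4 bytes) + COFF file header (20 bytes)
    if data[pe:pe + 4] != b"PE\0\0" or opt + 2 > len(data):
        return False
    # Offset of the data directories: 96 for PE32, 112 for PE32+.
    dirs_off = {0x10B: 96, 0x20B: 112}.get(struct.unpack_from("<H", data, opt)[0])
    if dirs_off is None or opt + dirs_off + 40 > len(data):
        return False
    count = struct.unpack_from("<I", data, opt + dirs_off - 4)[0]
    addr, size = struct.unpack_from("<II", data, opt + dirs_off + 4 * 8)
    return count > 4 and addr != 0 and size != 0

def may_install_grub(efivars: Path, boot: Path) -> bool:
    # Must run before the boot loader on disk is overwritten, not after.
    if not secure_boot_enabled(efivars):
        return True
    return any(has_signature_table(k) for k in sorted(boot.glob("vmlinuz-*")))

def mock_kernel(signed: bool) -> bytes:
    # Constructed sample: minimal PE32+ header, optionally with a certificate entry.
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)      # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x20B)      # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)   # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", img, opt + 112 + 32, 0x1F0, 0x10)
    return bytes(img)
```
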
[Bug 1786491] Re: grub2 verify signed kernel exists or abort upgrade
Hello Julian, or anyone else affected,

Accepted grub2-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.93.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Changed in: grub2-signed (Ubuntu Bionic)
   Status: In Progress => Fix Committed

[Bug 1786491] Re: grub2 verify signed kernel exists or abort upgrade
Hello Julian, or anyone else affected,

Accepted grub2 into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02-2ubuntu8.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

** Changed in: grub2 (Ubuntu Bionic)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-bionic

[Bug 1786491] Re: grub2 verify signed kernel exists or abort upgrade
** Description changed: [Impact] grub2 should fail to install if no signed kernels exist [Test case] - TODO + On a secure boot system: + * Install grub-efi-amd64{,signed} and signed kernel => installs + * Install grub-efi-amd64{,signed} and only unsigned kernel => prevents + On a non-secure-boot system: + * Install grub-efi-amd64{,signed} and only unsigned kernel => installs [Regression potential] Upgrades can break.
[Bug 1786491] Re: grub2 verify signed kernel exists or abort upgrade
** Changed in: grub2-signed (Ubuntu Bionic)
   Status: Triaged => In Progress

** Changed in: grub2 (Ubuntu Bionic)
   Status: Triaged => In Progress

[Bug 1786491] Re: grub2 verify signed kernel exists or abort upgrade
** Tags added: id-5acce45de43bb8c279b5bec8
[Bug 1786491] Re: grub2 verify signed kernel exists or abort upgrade
This bug was fixed in the package grub2-signed - 1.102

---
grub2-signed (1.102) cosmic; urgency=medium

  * Call grub-check-signatures before calling grub-install, not after, to avoid overwriting the boot loader on disk with one that will fail to load. LP: #1786491.

 -- Steve Langasek  Fri, 10 Aug 2018 12:28:40 -0700

** Changed in: grub2-signed (Ubuntu Cosmic)
   Status: Fix Committed => Fix Released

[Bug 1786491] Re: grub2 verify signed kernel exists or abort upgrade
** Changed in: grub2-signed (Ubuntu Cosmic)
   Status: Triaged => Fix Committed

[Bug 1786491] Re: grub2 verify signed kernel exists or abort upgrade
grub2-signed in cosmic still runs the checking script too late (after grub-install instead of before), that needs to be fixed first.

** Changed in: grub2-signed (Ubuntu Cosmic)
   Status: Fix Released => Triaged