Public bug reported:

$ ls /boot/vmlinuz-*
/boot/vmlinuz-4.4.0-130-generic
/boot/vmlinuz-4.4.0-130-generic.efi.signed
/boot/vmlinuz-4.4.0-133-generic
/boot/vmlinuz-4.4.0-133-generic.efi.signed
/boot/vmlinuz-4.4.0-134-generic
/boot/vmlinuz-4.4.0-134-generic.efi.signed
/boot/vmlinuz-4.4.0-135-generic
/boot/vmlinuz-4.4.0-135-generic.efi.signed
$

On dist-upgrade from xenial to bionic, grub bails with the error:

 │ Cannot upgrade Secure Boot enforcement policy due to unsigned kernels     │ 
 │                                                                           │ 
 │ Your system has UEFI Secure Boot enabled in firmware, and the following   │ 
 │ kernels present on your system are unsigned:                              │ 
 │                                                                           │ 
 │  4.4.0-135-generic                                                        │ 
 │  4.4.0-134-generic                                                        │ 
 │  4.4.0-133-generic                                                        │ 
 │                                                                           │ 
 │                                                                           │ 
 │ These kernels cannot be verified under Secure Boot.  To ensure your       │ 
 │ system remains bootable, GRUB will not be upgraded on your disk until     │ 
 │ these kernels are removed or replaced with signed kernels.                │

This is a false positive: only the -generic files are unsigned, not the
.efi.signed ones; and only the .efi.signed ones are referenced in the
grub.cfg.  So the fact that there are unsigned vmlinuz files in the
directory alongside the signed ones should not block grub from
upgrading.

** Affects: grub2 (Ubuntu)
     Importance: High
         Status: Triaged

** Affects: grub2 (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Affects: grub2 (Ubuntu Cosmic)
     Importance: High
         Status: Triaged

** Changed in: grub2 (Ubuntu)
   Importance: Undecided => High

** Changed in: grub2 (Ubuntu)
       Status: New => Triaged

** Also affects: grub2 (Ubuntu Cosmic)
   Importance: High
       Status: Triaged

** Also affects: grub2 (Ubuntu Bionic)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1795291

Title:
  xenial->bionic upgrade, /usr/share/grub/grub-check-signatures bails
  about unsigned kernels

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1795291/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
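The pairing described in the report, as an added example (not the code of /usr/share/grub/grub-check-signatures and not part of the original message): a kernel version is reported only when neither vmlinuz-<version> nor its .efi.signed sibling verifies. The function names and the SB_CERT variable are assumptions made for this sketch; sbverify comes from sbsigntool.

```shell
#!/bin/sh
# Added example; names below are hypothetical, not taken from grub2.

# Verify one image against the trusted certificate (PEM) named by SB_CERT.
# SB_CERT is an assumed variable; if it is unset or sbverify is missing,
# verification fails and the kernel is reported (fails closed).
verify_image() {
    sbverify --cert "$SB_CERT" "$1" >/dev/null 2>&1
}

# Print, one per line, the kernel versions under directory $1 for which
# no bootable signed image exists. A version is covered when either
# vmlinuz-<ver>.efi.signed or vmlinuz-<ver> itself verifies.
unsigned_kernel_versions() {
    bootdir=$1
    for img in "$bootdir"/vmlinuz-*; do
        [ -e "$img" ] || continue            # glob matched nothing
        case $img in
            *.efi.signed) continue ;;        # sibling, not a version of its own
        esac
        ok=no
        for candidate in "$img.efi.signed" "$img"; do
            if [ -f "$candidate" ] && verify_image "$candidate"; then
                ok=yes
                break
            fi
        done
        [ "$ok" = yes ] || printf '%s\n' "${img##*/vmlinuz-}"
    done
}

# Usage on a real system (certificate path is a placeholder):
#   SB_CERT=/path/to/trusted-cert.pem unsigned_kernel_versions /boot
```

On the /boot listing in the report, this reports nothing as long as each .efi.signed file verifies, because the unsigned vmlinuz-*-generic files are checked only as a fallback.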