[Bug 1789918] Re: grub2 signed kernel enforcement doesn't check on upgrade that signatures are from trusted keys

Mon, 01 Apr 2019 14:26:10 -0700 

Verification-done on trusty:

ubuntu@dashing-moccasin:~$ apt-cache policy grub-efi-amd64-signed
grub-efi-amd64-signed:
  Installed: 1.34.20+2.02~beta2-9ubuntu1.17
  Candidate: 1.34.20+2.02~beta2-9ubuntu1.17
  Package pin: 1.34.20+2.02~beta2-9ubuntu1.17
  Version table:
 *** 1.34.20+2.02~beta2-9ubuntu1.17 500
         -1 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 
Packages
        100 /var/lib/dpkg/status
     1.34.18+2.02~beta2-9ubuntu1.16 500
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
     1.34.7+2.02~beta2-9ubuntu1.6 500
        500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 
Packages
     1.34+2.02~beta2-9 500
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
ubuntu@dashing-moccasin:~$ apt-cache policy grub-efi-amd64
grub-efi-amd64:
  Installed: 2.02~beta2-9ubuntu1.17
  Candidate: 2.02~beta2-9ubuntu1.17
  Package pin: 2.02~beta2-9ubuntu1.17
  Version table:
 *** 2.02~beta2-9ubuntu1.17 500
         -1 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 
Packages
        100 /var/lib/dpkg/status
     2.02~beta2-9ubuntu1.16 500
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
     2.02~beta2-9ubuntu1.6 500
        500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 
Packages
     2.02~beta2-9 500
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages


Verified that now the kernel signature is correctly enforced by grub, and if no 
kernel is signed / signed by a trusted key, the upgrade will correctly be 
failed to avoid leaving the system unbootable.

** Tags removed: verification-needed verification-needed-trusty
** Tags added: verification-done-trusty

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1789918

Title:
  grub2 signed kernel enforcement doesn't check on upgrade that
  signatures are from trusted keys

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1789918/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to