install on bionic/arm64 fails with "unsigned kernels" error
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
grub2 (Ubuntu) | Invalid | Undecided | Unassigned |
Bionic | New | Undecided | Unassigned |
Bug Description
I booted a cloud image w/ SecureBoot disabled, upgraded it to the HWE kernel (required for SecureBoot - LTS kernel isn't signed), then rebooted and turned on SecureBoot. I then enabled proposed and tried to install the updated shim-signed. This brought in the new grub-efi-
```text
Unpacking grub-efi-
~18.04.
Preparing to unpack .../grub-
Package configuration
┌─────
│ │
│ Cannot upgrade Secure Boot enforcement policy due to unsigned kernels │
│ │
│ Your system has UEFI Secure Boot enabled in firmware, and the following │
│ kernels present on your system are unsigned: │
│ │
│ 5.4.0-137-generic │
│ │
│ │
│ These kernels cannot be verified under Secure Boot. To ensure your │
│ system remains bootable, GRUB will not be upgraded on your disk until │
│ these kernels are removed or replaced with signed kernels. │
│ │
│ <Ok> │
│ │
└─────
E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
dpkg: error processing package grub-efi-
installed grub-efi-
```
That kernel *is* signed - I'm currently booted on it in SecureBoot mode.
```text
ubuntu@ubuntu:~$ uname -a
Linux ubuntu 5.4.0-137-generic #154~18.04.1-Ubuntu SMP Tue Jan 10 16:58:27 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux
ubuntu@ubuntu:~$ sudo mokutil --sb-state
SecureBoot enabled
```
Strangely, I did not see this when upgrading on focal, jammy, kinetic or lunar.
I suspect grub-check-signatures needs to be taught how to handle vmlinux.gz files like we did for shim's is-not-revoked tool. But I don't know why that would only be an issue on bionic.
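The kind of check the reporter is talking about, as an added example that is not Ubuntu's grub-check-signatures or shim's is-not-revoked code: a small Python script that looks for a PE Authenticode certificate table in a kernel image and, when the image is gzip-wrapped (the vmlinux.gz case assumed here for arm64; the report does not establish the on-disk format), decompresses it before parsing. The point it illustrates is the failure mode in the bug: a checker that only inspects the file as found sees the gzip magic, not "MZ", and reports the kernel as unsigned even though the PE inside is signed. The minimal PE32+ image the script builds is constructed for the demo and is not a real kernel; `unwrap_kernel_image`, `authenticode_table`, `kernel_has_signature`, `build_fake_pe` and `gzip_wrap` are names chosen for this example. Finding a non-empty certificate table only shows a signature is present; checking it against the firmware's db (what sbverify does) is not reproduced here.

```python
import gzip
import struct
import sys

GZIP_MAGIC = b"\x1f\x8b"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Certificate Table slot in the PE data directories


def unwrap_kernel_image(data: bytes) -> bytes:
    """Return the raw PE bytes of a kernel image.

    Assumption for this example: an arm64 kernel in /boot is a gzip-compressed
    PE image (vmlinux.gz), so it must be decompressed before the PE parser
    can see the 'MZ' header. Plain x86 vmlinuz images are returned unchanged.
    """
    if data[:2] == GZIP_MAGIC:
        return gzip.decompress(data)
    return data


def authenticode_table(pe: bytes):
    """Return (file_offset, size) of the Certificate Table, or None when the
    data is not a PE file or carries no certificate directory entry."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x20B:      # PE32+ (64-bit), used by arm64 and x86_64 kernels
        num_off, dir_off = 108, 112
    elif magic == 0x10B:    # PE32
        num_off, dir_off = 92, 96
    else:
        return None
    (num_dirs,) = struct.unpack_from("<I", pe, opt + num_off)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_optional:
        return None
    # For the security directory the first field is a file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe, entry)
    return (offset, size)


def kernel_has_signature(data: bytes, unwrap: bool = True) -> bool:
    """True when the image carries a non-empty, in-bounds certificate table.
    unwrap=False skips gzip handling and reproduces the naive check that
    only ever sees the gzip magic on a vmlinux.gz file."""
    pe = unwrap_kernel_image(data) if unwrap else data
    table = authenticode_table(pe)
    return table is not None and table[1] > 0 and table[0] + table[1] <= len(pe)


def build_fake_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image for the demo (not a real kernel): DOS
    header, PE signature, COFF header (Machine=ARM64), optional header with
    16 data directories, no sections, optionally followed by a placeholder
    WIN_CERTIFICATE blob that the security directory points at."""
    opt_size = 112 + 16 * 8           # PE32+ fixed part plus 16 directories
    e_lfanew = 0x40
    header_len = e_lfanew + 4 + 20 + opt_size
    cert, cert_off, cert_size = b"", 0, 0
    if signed:
        body = b"constructed-pkcs7-placeholder"   # stands in for a real PKCS#7 blob
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
        cert_off, cert_size = header_len, len(cert)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0xAA64, 0, 0, 0, 0, opt_size, 0x0002)
    opt = struct.pack("<H", 0x20B) + b"\0" * (108 - 2) + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, cert_size)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + cert


def gzip_wrap(data: bytes) -> bytes:
    """Wrap a PE image the way an arm64 vmlinux.gz is assumed to be wrapped."""
    return gzip.compress(data)


if __name__ == "__main__":
    # Usage on a real system: python3 this.py /boot/vmlinuz-*
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        print(path, "signed" if kernel_has_signature(data) else "UNSIGNED or not a PE image")
```

Run it against `/boot/vmlinuz-*` with and without the gzip unwrap to see the difference the reporter is hinting at: the same arm64 image reads as signed once decompressed and as "not a PE image" when inspected raw.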