Comment 21 for bug 1789918

Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification-done on bionic with grub2 / grub2-signed:

iF grub-efi-amd64 2.02-2ubuntu8.10 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version)
ii grub-efi-amd64-bin 2.02-2ubuntu8.10 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 binaries)
ii grub-efi-amd64-signed 1.93.11+2.02-2ubuntu8.10 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)

Forcing an unsigned copy of the kernel, or one signed by an unknown key, leads to the system failing to upgrade, as expected:

ubuntu@ubuntu:/boot$ sudo cp vmlinuz-4.15.0-44-generic vmlinuz-4.15.0-44-matt
ubuntu@ubuntu:/boot$ sudo sb
sbattach sbkeysync sbsiglist sbsign sbvarsign sbverify
ubuntu@ubuntu:/boot$ sudo sbattach --remove vmlinuz-4.15.0-44-matt

ubuntu@ubuntu:/boot$ sudo apt install --reinstall grub-efi-amd64
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 47.0 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 grub-efi-amd64 amd64 2.02-2ubuntu8.10 [47.0 kB]
Fetched 47.0 kB in 0s (112 kB/s)
Preconfiguring packages ...
(Reading database ... 66920 files and directories currently installed.)
Preparing to unpack .../grub-efi-amd64_2.02-2ubuntu8.10_amd64.deb ...
Unpacking grub-efi-amd64 (2.02-2ubuntu8.10) over (2.02-2ubuntu8.10) ...
Setting up grub-efi-amd64 (2.02-2ubuntu8.10) ...
/boot/vmlinuz-4.15.0-44-matt is unsigned.
E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
dpkg: error processing package grub-efi-amd64 (--configure):
 installed grub-efi-amd64 package post-installation script subprocess returned error exit status 1
E: Sub-process /usr/bin/dpkg returned an error code (1)

ubuntu@ubuntu:~$ sudo apt install --reinstall grub-efi-amd64
[sudo] password for ubuntu:
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/47.0 kB of archives.
After this operation, 0 B of additional disk space will be used.
Preconfiguring packages ...
(Reading database ... 66920 files and directories currently installed.)
Preparing to unpack .../grub-efi-amd64_2.02-2ubuntu8.10_amd64.deb ...
Unpacking grub-efi-amd64 (2.02-2ubuntu8.10) over (2.02-2ubuntu8.10) ...
Setting up grub-efi-amd64 (2.02-2ubuntu8.10) ...
/boot/vmlinuz-4.15.0-44-matt is signed, but using an unknown key:
        Subject: CN = PPA cyphermox efi
E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
dpkg: error processing package grub-efi-amd64 (--configure):
 installed grub-efi-amd64 package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 grub-efi-amd64
E: Sub-process /usr/bin/dpkg returned an error code (1)

And a properly signed kernel obviously passes validation with no issues and does not block the upgrade.
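To make the three verdicts in the dpkg output above reproducible outside of a package upgrade, here is an added shell example of the same check done stand-alone. It is not the grub-efi-amd64 postinst script and not Mathieu's code; it assumes `sbverify` from sbsigntool is on PATH (the `SBVERIFY` variable is a hypothetical override so another command can be substituted), that the certificates from the firmware's db variable have already been exported as PEM files into `DB_CERT_DIR` (a hypothetical path; the export step is not covered here), and that `sbverify --list` reports "No signature table present" with a non-zero exit for an unsigned image (an assumption about sbverify's output).

```shell
#!/bin/sh
# Added example, not the grub-efi-amd64 postinst: classify each kernel image as
# unsigned / unknown-key / known-key, the three cases shown in the dpkg output.
# Assumptions: sbverify (sbsigntool) is available; the firmware db certificates
# were exported as PEM files into DB_CERT_DIR beforehand (hypothetical path).

SBVERIFY="${SBVERIFY:-sbverify}"
DB_CERT_DIR="${DB_CERT_DIR:-/etc/secureboot/db-certs}"

# classify_kernel IMAGE -> prints one of: unsigned, unknown-key, known-key
classify_kernel() {
    image="$1"
    # Assumption: "sbverify --list" exits non-zero and prints
    # "No signature table present" when the PE image carries no signature.
    if ! out=$("$SBVERIFY" --list "$image" 2>&1); then
        echo unsigned
        return 0
    fi
    case "$out" in
        *"No signature table present"*) echo unsigned; return 0 ;;
    esac
    # The image is signed; accept it only if it verifies against a db cert.
    for cert in "$DB_CERT_DIR"/*.pem; do
        [ -f "$cert" ] || continue
        if "$SBVERIFY" --cert "$cert" "$image" >/dev/null 2>&1; then
            echo known-key
            return 0
        fi
    done
    echo unknown-key
    return 0
}

# check_boot_kernels -> returns 0 if every /boot/vmlinuz-* verifies against a
# db certificate, 1 otherwise, printing one line per offending kernel in the
# same style as the postinst messages above.
check_boot_kernels() {
    rc=0
    for image in /boot/vmlinuz-*; do
        [ -f "$image" ] || continue
        case "$(classify_kernel "$image")" in
            known-key) ;;
            unsigned)    echo "$image is unsigned." >&2; rc=1 ;;
            unknown-key) echo "$image is signed, but using an unknown key." >&2; rc=1 ;;
        esac
    done
    if [ "$rc" -ne 0 ]; then
        echo "E: Your kernels are not signed with a key known to your firmware." >&2
    fi
    return "$rc"
}
```

Source the file and call `check_boot_kernels` on a machine where the db certificates have been exported; a non-zero return means at least one installed kernel would not boot under Secure Boot, which is exactly the condition the postinst refuses to proceed on.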