We'll at least address the upgrade process when the same kernel version
exists in both the vmlinuz file and the vmlinuz.efi.signed file. We
shouldn't fail and think this is an unsigned kernel when there's
obviously a signed copy of it also on disk, and grub config will use the
.efi.signed version.

** Description changed:

- not surre  happened during upgrade to bionic beaver
+ [Impact]
+ All upgrades on UEFI from xenial to bionic.
+ 
+ [Test case]
+ 1) Install Ubuntu 16.04, on an UEFI system with Secure Boot enabled.
+ 2) Upgrade to 18.04; validate that the upgrade is successful and does not 
fail due to "unsigned kernels" as an error message / debconf prompt.
+ 
+ [Regression Potential]
+ Things to watch out for are continuing with an upgrade from 16.04 to 18.04 
where only unsigned kernels are available, despite the running kernel at 
upgrade-time being included with a .efi.signed file -- if neither the 
.efi.signed file is signed nor the vmlinuz for that particular kernel version, 
the upgrade should fail to avoid letting users upgrade into a non-working 
system.
+ 
+ ---
+ 
+ $ ls /boot/vmlinuz-*
+ /boot/vmlinuz-4.4.0-130-generic
+ /boot/vmlinuz-4.4.0-130-generic.efi.signed
+ /boot/vmlinuz-4.4.0-133-generic
+ /boot/vmlinuz-4.4.0-133-generic.efi.signed
+ /boot/vmlinuz-4.4.0-134-generic
+ /boot/vmlinuz-4.4.0-134-generic.efi.signed
+ /boot/vmlinuz-4.4.0-135-generic
+ /boot/vmlinuz-4.4.0-135-generic.efi.signed
+ $
+ 
+ On dist-upgrade from xenial to bionic, grub bails with the error:
+ 
+  │ Cannot upgrade Secure Boot enforcement policy due to unsigned kernels     │
+  │                                                                           │
+  │ Your system has UEFI Secure Boot enabled in firmware, and the following   │
+  │ kernels present on your system are unsigned:                              │
+  │                                                                           │
+  │  4.4.0-135-generic                                                        │
+  │  4.4.0-134-generic                                                        │
+  │  4.4.0-133-generic                                                        │
+  │                                                                           │
+  │                                                                           │
+  │ These kernels cannot be verified under Secure Boot.  To ensure your       │
+  │ system remains bootable, GRUB will not be upgraded on your disk until     │
+  │ these kernels are removed or replaced with signed kernels.                │
+ 
+ This is a false positive, only the -generic files are unsigned, not the
+ .efi.signed ones; and only the .efi.signed ones are referenced in the
+ grub.cfg.  So the fact that there are unsigned vmlinuz files in the
+ directory alongside the signed ones should not block grub from
+ upgrading.
+ 
+ ---
  
  ProblemType: Package
  DistroRelease: Ubuntu 18.04
  Package: grub-efi-amd64 2.02-2ubuntu8.3
  Uname: Linux 4.7.0-040700-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 2.20.9-0ubuntu7.2
  Architecture: amd64
  Date: Thu Aug 23 19:33:07 2018
  ErrorMessage: installed grub-efi-amd64 package post-installation script 
subprocess returned error exit status 1
  InstallationDate: Installed on 2018-05-30 (85 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 
(20160420.1)
  ProcCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.7.0-040700-generic 
root=UUID=d9d727a6-5798-4fe1-8ac0-fb79b1d05431 ro quiet splash vt.handoff=7
  Python3Details: /usr/bin/python3.6, Python 3.6.5, python3-minimal, 
3.6.5-3ubuntu1
  PythonDetails: /usr/bin/python2.7, Python 2.7.15rc1, python-minimal, 
2.7.15~rc1-1
  RelatedPackageVersions:
-  dpkg 1.19.0.5ubuntu2
-  apt  1.6.3ubuntu0.1
+  dpkg 1.19.0.5ubuntu2
+  apt  1.6.3ubuntu0.1
  SourcePackage: grub2
  Title: package grub-efi-amd64 2.02-2ubuntu8.3 failed to install/upgrade: 
installed grub-efi-amd64 package post-installation script subprocess returned 
error exit status 1
  UpgradeStatus: Upgraded to bionic on 2018-08-23 (0 days ago)

** Also affects: grub2 (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: grub2 (Ubuntu Cosmic)
   Importance: High
       Status: Triaged

** Changed in: grub2 (Ubuntu Bionic)
       Status: New => Triaged

** Changed in: grub2 (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: grub2 (Ubuntu Cosmic)
       Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1788727

Title:
  upgrade crashing due to unsigned kernels

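The per-version check that the comment and the [Regression Potential] section describe, as an added example that is not part of the original message or the grub2 packaging: a version is reported only when neither vmlinuz-VERSION.efi.signed nor vmlinuz-VERSION passes a signature check. The functions is_signed, unsigned_kernels and make_sample_boot and the SIGNED marker are hypothetical stand-ins; a real check would verify the image's Secure Boot signature instead.

```sh
#!/bin/sh
# Added example, not the grub2 packaging code. All function names are hypothetical.

# is_signed FILE: stand-in for a real Secure Boot signature check.
# ASSUMPTION: a file counts as signed when its first line is the constructed
# marker "SIGNED". A missing file is never signed.
is_signed() {
    [ "$(head -n 1 "$1" 2>/dev/null)" = "SIGNED" ]
}

# unsigned_kernels BOOTDIR: print every kernel version for which neither
# vmlinuz-VERSION.efi.signed nor vmlinuz-VERSION passes is_signed.
unsigned_kernels() {
    bootdir=$1
    # Collapse vmlinuz-V and vmlinuz-V.efi.signed into one entry per version.
    for img in "$bootdir"/vmlinuz-*; do
        [ -e "$img" ] || continue          # glob matched nothing
        base=${img%.efi.signed}
        echo "${base##*/vmlinuz-}"
    done | sort -u | while read -r version; do
        base=$bootdir/vmlinuz-$version
        is_signed "$base.efi.signed" && continue   # signed copy on disk
        is_signed "$base" && continue              # plain image is signed
        echo "$version"                            # no signed copy at all
    done
}

# make_sample_boot DIR: constructed sample. Two versions from the report's
# listing with a signed sibling, plus one version with no signed copy
# (constructed case).
make_sample_boot() {
    for v in 4.4.0-134-generic 4.4.0-135-generic; do
        echo "UNSIGNED" > "$1/vmlinuz-$v"
        echo "SIGNED" > "$1/vmlinuz-$v.efi.signed"
    done
    echo "UNSIGNED" > "$1/vmlinuz-4.7.0-040700-generic"
}

demo_dir=$(mktemp -d)
make_sample_boot "$demo_dir"
unsigned_kernels "$demo_dir"    # prints: 4.7.0-040700-generic
rm -rf "$demo_dir"
```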