Public bug reported:

I have a strange problem with secure boot and self-signed kernels. On 20.10 I was able to boot (everything with Secure Boot) both canonical-signed and self-signed kernels. After upgrade to 21.04 loading self-signed kernels doesn't work anymore: I get "vmlinuz has invalid signature" error. The error seems clear enough, but:
- Secure Boot is on and grub loads just fine and loads canonical-signed kernels 100% fine (so it's something about my signing key, right?)
- my custom key seems to be enrolled into mok db just fine
```
root@T495:~# mokutil --test-key /root/mok/MOK.der
mok/MOK.der is already enrolled
```
- image is signed with the same key as checked above with mokutil
```
sudo sbsign --key /root/mok/MOK.priv --cert /root/mok/MOK.pem /boot/vmlinuz-5.13.3-051303-generic --output /boot/vmlinuz-5.13.3-051303-generic
Image was already signed; adding additional signature
```

Seems a bug in grub, but I don't know how to debug it.

ProblemType: Bug
DistroRelease: Ubuntu 21.04
Package: grub-efi-amd64-signed 1.169+2.04-1ubuntu45
ProcVersionSignature: Ubuntu 5.11.0-31.33-generic 5.11.22
Uname: Linux 5.11.0-31-generic x86_64
ApportVersion: 2.20.11-0ubuntu65.1
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Mon Sep 6 10:30:02 2021
InstallationDate: Installed on 2019-12-07 (638 days ago)
InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017)
SourcePackage: grub2-signed
UpgradeStatus: Upgraded to hirsute on 2021-04-24 (134 days ago)

** Affects: grub2-signed (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: amd64 apport-bug grub hirsute secure-boot self-signed

https://bugs.launchpad.net/bugs/1942751

Title: Self-signed kernel is not loaded correctly although being sign with mok-enrolled keys