[Bug 1652147] Re: UEFI secure boot fails after 14.04 to 16.04 upgrade

Stefan Bader stefan.bader at canonical.com
Thu Jan 5 09:03:04 UTC 2017 

In sources.list on the laptop proposed is disabled now. I think I did
not manually change this. So it seems that it got disabled during
upgrade. Which would make sense with my second upgrade where I disabled
proposed manually before the release upgrade. The weird thing is anyway
where those versions come from. Using rmadison they do not show and I
thought they should.

/etc/apt/sources.list:
...
# deb http://de.archive.ubuntu.com/ubuntu/ xenial-proposed universe main restricted multiverse #Not for humans during development stage of release xenial

#> rmadison shim-signed | grep xenial
shim-signed | 1.12                                          | xenial          | source
shim-signed | 1.12+0.8-0ubuntu2                             | xenial          | amd64
shim-signed | 1.19~16.04.1                                  | xenial-updates  | source
shim-signed | 1.19~16.04.1+0.8-0ubuntu2                     | xenial-updates  | amd64


** Attachment added: "/var/log/dist-upgrade/main.log from laptop upgrade"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/+bug/1652147/+attachment/4800274/+files/main.log

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-release-upgrader in
Ubuntu.
https://bugs.launchpad.net/bugs/1652147

Title:
  UEFI secure boot fails after 14.04 to 16.04 upgrade

Status in ubuntu-release-upgrader package in Ubuntu:
  New

Bug description:
  I did a release upgrade from fully upgraded Trusty/14.04.x to Xenial/16.04 today (amd64). There was no indication of any problems during the upgrade. Only oddly asking to disable secure boot on the shim level again (already had done this on Trusty). Also I had the proposed pocket enabled in Trusty before doing the upgrade (update-manager).
  After reboot I get a textual error message that "image verification has failed" and I am presented with a menu to select a different UEFI element (this is a Lenovo x230).
  I can disable secure boot in the BIOS and am then able to boot.
  Not sure this is related to the issue but from the system booted without secure boot I tried to run sbverify and it returns the same error for all EFI binaries I tried:

  # sbverify shimx64.efi 
  warning: data remaining[1170360 vs 1289424]: gaps between PE/COFF sections?
  PKCS7 verification failed
  140313718134424:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:336:Verify error:unable to get local issuer certificate
  Signature verification failed

  If there is any other info that is needed, let me know. Or/and if
  there are any steps to resolve the issue, let me know, too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/+bug/1652147/+subscriptions

More information about the foundations-bugs mailing list