[Bug 1652147] Re: UEFI secure boot fails after 14.04 to 16.04 upgrade

Stefan Bader stefan.bader at canonical.com
Mon Jan 9 09:52:54 UTC 2017 

Timestamps are of no use since I did other modifications.

Ok, I think I now know what happened. I had proposed enabled in Trusty
(in my case to have those act as canaries for updates). So I got those
new versions of shim/shim-signed back then. And together with grub2 (or
maybe kernel) this was somehow working in Trusty. Then those updates got
removed from the archive but not replaced by newer versions. So the
release-upgrade actually did *not* update those two packages. And now in
the Xenial environment they actually break boot completely.

The problem I can see is that many people have proposed enabled at some
point when they are asked to verify bugs. And IIRC the instructions do
not tell them to turn off proposed after that. So this might happen to
more people we think it could.

The work-around for me: disable secure boot in bios, boot, downgrade
shim/shim-signed, reboot, enable secure boot in bios again.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-release-upgrader in
Ubuntu.
https://bugs.launchpad.net/bugs/1652147

Title:
  UEFI secure boot fails after 14.04 to 16.04 upgrade

Status in ubuntu-release-upgrader package in Ubuntu:
  New

Bug description:
  I did a release upgrade from fully upgraded Trusty/14.04.x to Xenial/16.04 today (amd64). There was no indication of any problems during the upgrade. Only oddly asking to disable secure boot on the shim level again (already had done this on Trusty). Also I had the proposed pocket enabled in Trusty before doing the upgrade (update-manager).
  After reboot I get a textual error message that "image verification has failed" and I am presented with a menu to select a different UEFI element (this is a Lenovo x230).
  I can disable secure boot in the BIOS and am then able to boot.
  Not sure this is related to the issue but from the system booted without secure boot I tried to run sbverify and it returns the same error for all EFI binaries I tried:

  # sbverify shimx64.efi 
  warning: data remaining[1170360 vs 1289424]: gaps between PE/COFF sections?
  PKCS7 verification failed
  140313718134424:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:336:Verify error:unable to get local issuer certificate
  Signature verification failed

  If there is any other info that is needed, let me know. Or/and if
  there are any steps to resolve the issue, let me know, too.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/+bug/1652147/+subscriptions

More information about the foundations-bugs mailing list