[Bug 1788727] Please test proposed package

Brian Murray brian at ubuntu.com
Mon Nov 12 17:44:12 UTC 2018


Hello Al, or anyone else affected,

Accepted grub2-signed into bionic-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/grub2-signed/1.93.10 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us in getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-bionic to verification-done-bionic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-bionic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1788727

Title:
  upgrade crashing due to unsigned kernels

Status in grub2 package in Ubuntu:
  Fix Released
Status in grub2-signed package in Ubuntu:
  Fix Released
Status in grub2 source package in Bionic:
  Fix Committed
Status in grub2-signed source package in Bionic:
  Fix Committed
Status in grub2 source package in Cosmic:
  Fix Released
Status in grub2-signed source package in Cosmic:
  Fix Released

Bug description:
  [Impact]
  All upgrades on UEFI from xenial to bionic.

  [Test case]
  1) Install Ubuntu 16.04 on a UEFI system with Secure Boot enabled.
  2) Upgrade to 18.04; validate that the upgrade is successful and does not fail due to "unsigned kernels" as an error message / debconf prompt.

  [Regression Potential]
  Things to watch out for are continuing with an upgrade from 16.04 to 18.04 where only unsigned kernels are available, despite the running kernel at upgrade-time being included with a .efi.signed file -- if neither the .efi.signed file is signed nor the vmlinuz for that particular kernel version, the upgrade should fail to avoid letting users upgrade into a non-working system.

  ---

  $ ls /boot/vmlinuz-*
  /boot/vmlinuz-4.4.0-130-generic
  /boot/vmlinuz-4.4.0-130-generic.efi.signed
  /boot/vmlinuz-4.4.0-133-generic
  /boot/vmlinuz-4.4.0-133-generic.efi.signed
  /boot/vmlinuz-4.4.0-134-generic
  /boot/vmlinuz-4.4.0-134-generic.efi.signed
  /boot/vmlinuz-4.4.0-135-generic
  /boot/vmlinuz-4.4.0-135-generic.efi.signed
  $

  On dist-upgrade from xenial to bionic, grub bails with the error:

   │ Cannot upgrade Secure Boot enforcement policy due to unsigned kernels     │
   │                                                                           │
   │ Your system has UEFI Secure Boot enabled in firmware, and the following   │
   │ kernels present on your system are unsigned:                              │
   │                                                                           │
   │  4.4.0-135-generic                                                        │
   │  4.4.0-134-generic                                                        │
   │  4.4.0-133-generic                                                        │
   │                                                                           │
   │                                                                           │
   │ These kernels cannot be verified under Secure Boot.  To ensure your       │
   │ system remains bootable, GRUB will not be upgraded on your disk until     │
   │ these kernels are removed or replaced with signed kernels.                │

  This is a false positive: only the -generic files are unsigned, not
  the .efi.signed ones, and only the .efi.signed ones are referenced in
  the grub.cfg.  So the fact that there are unsigned vmlinuz files in
  the directory alongside the signed ones should not block grub from
  upgrading.

  ---

  ProblemType: Package
  DistroRelease: Ubuntu 18.04
  Package: grub-efi-amd64 2.02-2ubuntu8.3
  Uname: Linux 4.7.0-040700-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 2.20.9-0ubuntu7.2
  Architecture: amd64
  Date: Thu Aug 23 19:33:07 2018
  ErrorMessage: installed grub-efi-amd64 package post-installation script subprocess returned error exit status 1
  InstallationDate: Installed on 2018-05-30 (85 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  ProcCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.7.0-040700-generic root=UUID=d9d727a6-5798-4fe1-8ac0-fb79b1d05431 ro quiet splash vt.handoff=7
  Python3Details: /usr/bin/python3.6, Python 3.6.5, python3-minimal, 3.6.5-3ubuntu1
  PythonDetails: /usr/bin/python2.7, Python 2.7.15rc1, python-minimal, 2.7.15~rc1-1
  RelatedPackageVersions:
   dpkg 1.19.0.5ubuntu2
   apt  1.6.3ubuntu0.1
  SourcePackage: grub2
  Title: package grub-efi-amd64 2.02-2ubuntu8.3 failed to install/upgrade: installed grub-efi-amd64 package post-installation script subprocess returned error exit status 1
  UpgradeStatus: Upgraded to bionic on 2018-08-23 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1788727/+subscriptions
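
The policy the bug description asks for (a kernel version blocks the GRUB upgrade only when neither its vmlinuz nor its .efi.signed image is signed), shown as an added example that is not part of the original message or of the grub2 packaging. It tests only for the presence of a PE certificate table and does not verify it against enrolled keys; the function names and the sample images are constructed for illustration.

```python
import struct

def has_signature_table(image: bytes) -> bool:
    """True if a PE/COFF image has a non-empty certificate table (data directory 4).
    Presence only: this does not verify the signature against any key."""
    if image[:2] != b"MZ":
        return False
    try:
        pe = struct.unpack_from("<I", image, 0x3C)[0]    # e_lfanew
        if image[pe:pe + 4] != b"PE\0\0":
            return False
        opt = pe + 24                                     # PE magic (4) + COFF header (20)
        magic = struct.unpack_from("<H", image, opt)[0]
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]       # PE32 / PE32+ directory offset
        count = struct.unpack_from("<I", image, dirs - 4)[0]
        addr, size = struct.unpack_from("<II", image, dirs + 4 * 8)
    except (struct.error, KeyError):                      # truncated or not PE32/PE32+
        return False
    return count > 4 and addr != 0 and size != 0

def blocking_versions(boot_files: dict) -> list:
    """Versions for which neither vmlinuz-<ver> nor vmlinuz-<ver>.efi.signed is signed."""
    signed = {}
    for path, image in boot_files.items():
        name = path.rsplit("/", 1)[-1]
        if not name.startswith("vmlinuz-"):
            continue
        version = name[len("vmlinuz-"):]
        if version.endswith(".efi.signed"):
            version = version[:-len(".efi.signed")]
        signed[version] = signed.get(version, False) or has_signature_table(image)
    return sorted(v for v, ok in signed.items() if not ok)

def constructed_pe(signed: bool) -> bytes:
    """Constructed sample: bare PE32+ headers, optionally with a certificate table entry."""
    opt = 0x40 + 24
    img = bytearray(opt + 112 + 16 * 8)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)               # e_lfanew
    struct.pack_into("<H", img, opt, 0x20B)               # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)            # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", img, opt + 112 + 32, 0x1000, 0x5A8)
    return bytes(img)

SAMPLE_BOOT = {  # constructed states, not taken from the reporter's machine
    "/boot/vmlinuz-4.4.0-134-generic": constructed_pe(False),
    "/boot/vmlinuz-4.4.0-134-generic.efi.signed": constructed_pe(True),
    "/boot/vmlinuz-4.4.0-135-generic": constructed_pe(False),
    "/boot/vmlinuz-4.4.0-135-generic.efi.signed": constructed_pe(False),
}
```

In the sample, 4.4.0-134 passes because its .efi.signed image carries a signature, while 4.4.0-135 models the regression case where the .efi.signed file exists but is not actually signed.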


