[Bug 1788727] Re: upgrade crashing due to unsigned kernels

Mathieu Trudel-Lapierre mathieu.tl at gmail.com
Wed Oct 3 14:47:59 UTC 2018 

This isn't a security issue.

You may have unsigned kernels on your system, but we're planning to have
grub enforce signed kernels if Secure Boot is enabled -- therefore we
need to catch the case where no kernel is appropriately signed by a key
that is known to the firmware or to shim.

There's clearly some issues with the detection (and some limitations)
that we're working on addressing right now.

Systems that only have official kernels properly installed should work
normally.

Any installs that require custom kernels, or kernels coming from a PPA
would likely not be signed (well, they are, but people are unlikely to
have the keys installed in firmware), so we need to block upgrade --
it's a better alternative than having your systems fail to boot after
the upgrade because we started to install a grub that insists on signed
kernels, or because your running kernel is unsigned / not signed by a
key that is recognized.

I'm keeping this task open as there's more work needed here to make this
a better experience -- we don't /have to/ fail upgrade in all the cases,
but it's currently the only thing we can do (and I'm working on
improving that).

** Changed in: grub2 (Ubuntu)
     Assignee: jai (dspace123) => (unassigned)

** Changed in: grub2 (Ubuntu)
       Status: Confirmed => Triaged

** Changed in: grub2 (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1788727

Title:
  upgrade crashing due to unsigned kernels

Status in grub2 package in Ubuntu:
  Triaged

Bug description:
  not surre  happened during upgrade to bionic beaver

  ProblemType: Package
  DistroRelease: Ubuntu 18.04
  Package: grub-efi-amd64 2.02-2ubuntu8.3
  Uname: Linux 4.7.0-040700-generic x86_64
  NonfreeKernelModules: nvidia
  ApportVersion: 2.20.9-0ubuntu7.2
  Architecture: amd64
  Date: Thu Aug 23 19:33:07 2018
  ErrorMessage: installed grub-efi-amd64 package post-installation script subprocess returned error exit status 1
  InstallationDate: Installed on 2018-05-30 (85 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  ProcCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.7.0-040700-generic root=UUID=d9d727a6-5798-4fe1-8ac0-fb79b1d05431 ro quiet splash vt.handoff=7
  Python3Details: /usr/bin/python3.6, Python 3.6.5, python3-minimal, 3.6.5-3ubuntu1
  PythonDetails: /usr/bin/python2.7, Python 2.7.15rc1, python-minimal, 2.7.15~rc1-1
  RelatedPackageVersions:
   dpkg 1.19.0.5ubuntu2
   apt  1.6.3ubuntu0.1
  SourcePackage: grub2
  Title: package grub-efi-amd64 2.02-2ubuntu8.3 failed to install/upgrade: installed grub-efi-amd64 package post-installation script subprocess returned error exit status 1
  UpgradeStatus: Upgraded to bionic on 2018-08-23 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1788727/+subscriptions

More information about the foundations-bugs mailing list