[Bug 1789918] Re: grub2 signed kernel enforcement doesn't check on upgrade that signatures are from trusted keys
Mathieu Trudel-Lapierre
mathieu.tl at gmail.com
Wed Jan 30 15:02:50 UTC 2019
Verification-done on cosmic with grub2 / grub2-signed.
Forcing an unsigned copy of the kernel, or one signed by an unknown key
leads to the system failing to upgrade, as expected:
ubuntu at ubuntu:~$ dpkg -l grub-efi\* | grep ii | awk '{ print $2" "$3 }'
grub-efi-amd64 2.02+dfsg1-5ubuntu8.1
grub-efi-amd64-bin 2.02+dfsg1-5ubuntu8.1
grub-efi-amd64-signed 1.110.1+2.02+dfsg1-5ubuntu8.1
ubuntu at ubuntu:~$ sudo apt install --reinstall grub-efi-amd64-signed
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 295 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 grub-efi-amd64-signed amd64 1.110.1+2.02+dfsg1-5ubuntu8.1 [295 kB]
Fetched 295 kB in 0s (742 kB/s)
(Reading database ... 106062 files and directories currently installed.)
Preparing to unpack .../grub-efi-amd64-signed_1.110.1+2.02+dfsg1-5ubuntu8.1_amd64.deb ...
Unpacking grub-efi-amd64-signed (1.110.1+2.02+dfsg1-5ubuntu8.1) over (1.110.1+2.02+dfsg1-5ubuntu8.1) ...
Setting up grub-efi-amd64-signed (1.110.1+2.02+dfsg1-5ubuntu8.1) ...
/boot/vmlinuz-4.18.0-14-matt is unsigned.
E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
dpkg: error processing package grub-efi-amd64-signed (--configure):
installed grub-efi-amd64-signed package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
grub-efi-amd64-signed
E: Sub-process /usr/bin/dpkg returned an error code (1)
ubuntu at ubuntu:~$
ubuntu at ubuntu:~$ sudo sbsign --key ~/uefi-keys/uefi.key --cert ~/uefi-keys/uefi.crt /boot/vmlinuz-4.18.0-14-matt
ubuntu at ubuntu:~$ sudo apt install grub-efi-amd64-signed
Reading package lists... Done
Building dependency tree
Reading state information... Done
grub-efi-amd64-signed is already the newest version (1.110.1+2.02+dfsg1-5ubuntu8.1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n]
Setting up grub-efi-amd64-signed (1.110.1+2.02+dfsg1-5ubuntu8.1) ...
/boot/vmlinuz-4.18.0-14-matt.signed is signed, but using an unknown key:
Subject: CN = PPA cyphermox efi
/boot/vmlinuz-4.18.0-14-matt is unsigned.
E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
dpkg: error processing package grub-efi-amd64-signed (--configure):
installed grub-efi-amd64-signed package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
grub-efi-amd64-signed
E: Sub-process /usr/bin/dpkg returned an error code (1)
** Tags removed: verification-needed verification-needed-cosmic
** Tags added: verification-done-cosmic
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
Matching subscriptions: mokutil-bugs
https://bugs.launchpad.net/bugs/1789918
Title:
grub2 signed kernel enforcement doesn't check on upgrade that
signatures are from trusted keys
Status in grub2 package in Ubuntu:
Fix Released
Status in mokutil package in Ubuntu:
Fix Released
Status in grub2 source package in Bionic:
Fix Committed
Status in grub2 source package in Cosmic:
Fix Committed
Bug description:
[Impact]
This affects UEFI users upgrading grub, especially when upgrading from an earlier release or when using custom kernels (signed by PPA keys, or unsigned).
[Test case]
1) Install a custom / PPA kernel, or copy an existing kernel into an unsigned version of it:
sudo cp /boot/vmlinuz-4.11.0-11-generic /boot/vmlinuz-4.11.0-11-lp1789918
2) Make sure the kernel is unsigned or signed with an unknown key (in
this case, remove signature for convenience):
sudo sbattach --remove /boot/vmlinuz-4.11.0-11-lp1789918
3) Upgrade grub2.
4) Validate that the upgrade fails, and complains about incorrectly
signed kernels for the new "vmlinuz-4.11.0-11-lp1789918", or other
incorrectly signed kernels present, newer than the currently running
kernel.
5) Run /usr/share/grub/grub-check-signatures. Validate that the same error
appears as in the upgrade process.
[Regression potential]
Relatively low risk of failure. This only affects the upgrade process maintainer scripts, which run an additional script to fail the upgrade if it is detected that a newer kernel than the one currently running would be invalid for Secure Boot. This already catches invalid signatures and unsigned kernels, and mitigates against broken firmwares by shipping the certificate for the most common kernel signatures (the Canonical cert). Upgrades should already have been migrating users to forcing the signed version of kernels to be installed when the official packages are being used.
Watch for upgrade failures due to false positives (correctly signed
kernels that are detected as signed by unknown keys) or other failure
modes of the upgrade of the grub packages. Grub functionality at boot
has been unchanged.
[Background information]
Secure Boot will soon enforce that kernels are properly signed to be able to boot them. Catch systems early where this upgrade would break boot for our users, to ensure they can correct the situation while the system is running.
---
This is on a cosmic system. I wanted to test the 4.18 kernel in the kernel team's unstable PPA. I enabled that PPA, then ran "sudo apt-get update; sudo apt-get dist-upgrade" and then rebooted. Upon boot grub started reporting that none of the kernels I have installed have valid signatures. These were working just fine before this update. The only remedy was to disable Secure Boot in my BIOS.
---
ProblemType: Bug
ApportVersion: 2.20.10-0ubuntu9
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
DistroRelease: Ubuntu 18.10
EcryptfsInUse: Yes
InstallationDate: Installed on 2017-08-14 (380 days ago)
InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Alpha amd64 (20170812)
Package: grub2 (not installed)
ProcEnviron:
TERM=tmux-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSignature: Ubuntu 4.18.0-7.8-generic 4.18.5
Tags: wayland-session cosmic
Uname: Linux 4.18.0-7-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip kvm libvirt lpadmin plugdev sambashare sudo
_MarkForUpload: True
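As an added example, not the grub2 package's own grub-check-signatures script, the shell script below reproduces by hand the check the [Test case] and [Regression potential] sections describe: select the kernels in /boot whose version is newer than the running one, then ask sbverify whether each is signed at all and, if so, whether any trusted certificate verifies it, reporting the three outcomes seen in the transcript (trusted, unsigned, signed with an unknown key). Assumptions not taken from the page: sbverify (from the sbsigntool package), mokutil and openssl are installed; the Canonical CA path in CANONICAL_CA and the MOK-000N.der naming used by mokutil --export are assumptions; the kernel file names in the comments and tests are constructed.

```shell
#!/bin/sh
# Added example, not the grub2 package's grub-check-signatures script.
# Assumptions (not from the bug report): sbverify, mokutil and openssl are
# installed; CANONICAL_CA is where the grub2 package ships its Canonical CA.
CANONICAL_CA=${CANONICAL_CA:-/usr/share/grub/canonical-uefi-ca.crt}

# Version string of a kernel image path, e.g.
# /boot/vmlinuz-4.18.0-14-matt.signed -> 4.18.0-14-matt. sbsign without
# --output writes a ".signed" copy next to its input and the postinst check
# looks at both files, so the suffix is stripped before comparing versions.
kernel_version() {
    v=${1##*/vmlinuz-}
    printf '%s\n' "${v%.signed}"
}

# Read image paths from stdin; print those whose version sorts after the
# running kernel version $1 (the set the upgrade hook refuses to ignore).
newer_kernels() {
    running=$1
    while IFS= read -r img; do
        v=$(kernel_version "$img")
        [ "$v" = "$running" ] && continue
        lowest=$(printf '%s\n%s\n' "$running" "$v" | sort -V | head -n 1)
        [ "$lowest" = "$running" ] && printf '%s\n' "$img"
    done
    return 0
}

# Classify one image as "unsigned", "trusted" or "unknown-key <subject>".
# Remaining arguments are PEM certificates the firmware or shim's MOK list
# trusts; sbverify --cert succeeds only if one of them signed the image.
classify_kernel() {
    img=$1; shift
    listing=$(sbverify --list "$img" 2>&1)
    case $listing in
        *"No signature table present"*) echo unsigned; return 0 ;;
    esac
    for cert in "$@"; do
        [ -r "$cert" ] || continue
        if sbverify --cert "$cert" "$img" >/dev/null 2>&1; then
            echo trusted; return 0
        fi
    done
    # Same information the postinst prints: who did sign it.
    echo "unknown-key $(printf '%s\n' "$listing" | grep -m1 subject:)"
}

main() {
    running=$(uname -r)
    tmp=$(mktemp -d)
    # Trusted certs: the Canonical CA plus any MOK entries enrolled through
    # shim. mokutil --export writes MOK-000N.der (DER) into the current
    # directory; sbverify wants PEM.
    ( cd "$tmp" && mokutil --export >/dev/null 2>&1 )
    for der in "$tmp"/MOK-*.der; do
        [ -e "$der" ] && openssl x509 -inform der -in "$der" -out "${der%.der}.pem"
    done
    set -- "$CANONICAL_CA" "$tmp"/MOK-*.pem
    ls /boot/vmlinuz-* 2>/dev/null | newer_kernels "$running" > "$tmp/newer"
    rc=0
    while IFS= read -r img; do
        result=$(classify_kernel "$img" "$@")
        case $result in
            trusted)  echo "$img is signed with a trusted key" ;;
            unsigned) echo "$img is unsigned"; rc=1 ;;
            *)        echo "$img is signed, but using an unknown key: ${result#unknown-key }"; rc=1 ;;
        esac
    done < "$tmp/newer"
    [ "$rc" -eq 0 ] || echo "E: Your kernels are not signed with a key known to your firmware." >&2
    rm -rf "$tmp"
    return "$rc"
}

# The real check touches /boot and firmware variables, so only run it when
# asked: sudo sh grub-sig-check.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

A kernel reported as signed with an unknown key, like the PPA-signed one in the transcript above, becomes acceptable by enrolling the signing certificate in the MOK list rather than by disabling Secure Boot: sbsign takes the certificate in PEM form, but mokutil --import expects DER, so convert first with `openssl x509 -in uefi.crt -outform der -out uefi.der`, then `sudo mokutil --import uefi.der`, set the one-time password, and confirm the enrolment in shim's MokManager on the next reboot. After that, `sudo dpkg --configure -a` re-runs the failed grub-efi-amd64-signed postinst.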