[Bug 1820296] [NEW] grub is not validating kernel if i embed a GPG public key in grub and sign kernel with GPG private key

Rajendra Shardul 1820296 at bugs.launchpad.net
Fri Mar 15 15:03:18 UTC 2019


Public bug reported:

Hello,

I am embedding a custom GPG public key in grub and signing (detached) the
4.15.0-46-generic kernel with the GPG private key. Grub is not
validating the kernel. I am getting the error "/vmlinuz-4.15.0-46-generic
has invalid signature".

However, this process used to work fine on the 4.15.0-45-generic kernel. UEFI
used to verify shim (custom SSL signed) and shim (embedded with the SSL
cert) used to verify grub (signed with the custom SSL key). Grub would
validate the kernel using the embedded custom GPG public key. The kernel would be
signed with the custom GPG private key.

Are there any commits that went into grub which broke this feature? Is grub
no longer validating the kernel with the key embedded in it? Does it always use
UEFI keys to validate the kernel? Or does it give control to shim to verify
the kernel?

Any inputs on this?

** Affects: grub2 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1820296
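One way to tell a genuinely bad kernel signature apart from a grub regression is to redo grub's check outside the boot path with plain gpg: grub's verify module loads `<file>.sig` (a binary detached signature) and checks it against the public key that was embedded with `grub-mkimage --pubkey`. The script below is an added example, not part of the bug report or of grub; it generates a throwaway key, signs a constructed stand-in for the kernel image, and assumes gpg 2.1 or later is installed.

```shell
#!/bin/sh
# Added example (not from the bug report): replay, with plain gpg, the check
# grub makes when check_signatures=enforce. Grub reads <file>.sig (a binary
# detached signature) and validates it against the public key embedded with
# grub-mkimage --pubkey. Assumes gpg >= 2.1; key and kernel are constructed.
set -eu

WORK=$(mktemp -d)
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupg"          # keep the throwaway key out of ~/.gnupg
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

# 1. Throwaway key pair standing in for the custom GPG signing key.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'grub-test <grub-test@example.invalid>' rsa2048 sign 0

# 2. Binary export of the public key: the file handed to grub-mkimage --pubkey.
gpg --batch --quiet --export -o "$WORK/pubkey.gpg" grub-test@example.invalid

# 3. Constructed stand-in for /boot/vmlinuz-<version>.
printf 'constructed kernel image bytes\n' > "$WORK/vmlinuz-test"

# 4. Detached, binary (not --armor) signature named <file>.sig, as grub expects.
gpg --batch --quiet --yes --detach-sign -o "$WORK/vmlinuz-test.sig" "$WORK/vmlinuz-test"

# verify_like_grub FILE: succeed only if FILE.sig validates against pubkey.gpg,
# using an empty homedir so nothing but the "embedded" key is available.
verify_like_grub() {
    mkdir -p "$WORK/verifyhome" && chmod 700 "$WORK/verifyhome"
    gpg --batch --quiet --homedir "$WORK/verifyhome" --no-default-keyring \
        --keyring "$WORK/pubkey.gpg" --verify "$1.sig" "$1" >/dev/null 2>&1
}

# Matching kernel and signature: grub would accept this image.
check_signed_kernel() { verify_like_grub "$WORK/vmlinuz-test"; }

# Kernel bytes differ from what was signed (e.g. a new build shipped with the
# old .sig): verification must fail, which is grub's "has invalid signature".
check_stale_signature() {
    printf 'a different kernel build\n' > "$WORK/vmlinuz-new"
    cp "$WORK/vmlinuz-test.sig" "$WORK/vmlinuz-new.sig"
    if verify_like_grub "$WORK/vmlinuz-new"; then return 1; fi
}

check_signed_kernel && echo "vmlinuz-test: signature OK"
check_stale_signature && echo "vmlinuz-new: invalid signature (as expected)"
```

If the real `/boot/vmlinuz-<version>` and its `.sig` pass this check against the same `pubkey.gpg` that was embedded in the grub image, the failure is in the grub build rather than in the signing step.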