[Bug 1942751] Re: Self-signed kernel is not loaded correctly although being sign with mok-enrolled keys

Launchpad Bug Tracker 1942751 at bugs.launchpad.net
Sun Dec 19 11:17:53 UTC 2021 

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: grub2-signed (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1942751

Title:
  Self-signed kernel is not loaded correctly although being sign with
  mok-enrolled keys

Status in grub2-signed package in Ubuntu:
  Confirmed

Bug description:
  I have a strange problem with secure boot and self-signed kernels. On
  20.10 I was able to boot (everything with Secure Boot) both canonical-
  signed and self-signed kernels. After upgrade to 21.04 loading self-
  signed kernels doesn't work anymore: I get "vmlinuz has invalid
  signature" error. The error seems clear enough, but:

  - Secure Boot is on and grub loads just fine and loads canonical-signed kernels 100% fine (so it's something about my singing key, right?)
  - my custom key seems to be enrolled into mok db just fine

  ```
  root at T495:~# mokutil --test-key /root/mok/MOK.der 
  mok/MOK.der is already enrolled
  ```

  - image is signed with the same key as checked above with mokutil
  ```
  sudo sbsign --key /root/mok/MOK.priv --cert /root/mok/MOK.pem /boot/vmlinuz-5.13.3-051303-generic --output /boot/vmlinuz-5.13.3-051303-generic
  Image was already signed; adding additional signature
  ```

  Seems a bug in grub, but I don't know how to debug it.

  ProblemType: Bug
  DistroRelease: Ubuntu 21.04
  Package: grub-efi-amd64-signed 1.169+2.04-1ubuntu45
  ProcVersionSignature: Ubuntu 5.11.0-31.33-generic 5.11.22
  Uname: Linux 5.11.0-31-generic x86_64
  ApportVersion: 2.20.11-0ubuntu65.1
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Mon Sep  6 10:30:02 2021
  InstallationDate: Installed on 2019-12-07 (638 days ago)
  InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017)
  SourcePackage: grub2-signed
  UpgradeStatus: Upgraded to hirsute on 2021-04-24 (134 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2-signed/+bug/1942751/+subscriptions

More information about the foundations-bugs mailing list