[Bug 2004437] Re: install on bionic/arm64 fails with "unsigned kernels" error

Julian Andres Klode 2004437 at bugs.launchpad.net
Wed Feb 1 07:33:33 UTC 2023


grub-check-signatures is part of src:grub2 and has been taught to handle
gzipped kernels at least in some versions.

Do note that all kernels >= the currently booted kernel need to be
signed.

** Package changed: grub2-signed (Ubuntu) => grub2 (Ubuntu)

** Changed in: grub2 (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/2004437

Title:
  install on bionic/arm64 fails with "unsigned kernels" error

Status in grub2 package in Ubuntu:
  Invalid
Status in grub2 source package in Bionic:
  New

Bug description:
  I booted a cloud image w/ SecureBoot disabled, upgraded it to the HWE
  kernel (required for SecureBoot - LTS kernel isn't signed), then
  rebooted and turned on SecureBoot. I then enabled proposed and tried
  to install the updated shim-signed. This brought in the new
  grub-efi-arm64-signed as a dependency, which is expected, but it failed to
  upgrade, which was unexpected:

  Unpacking grub-efi-arm64-signed (1.187.3~18.04.1+2.06-2ubuntu14.1) over (1.173.2~18.04.1+2.04-1ubuntu47.4) ...
  Preparing to unpack .../grub-efi-arm64_2.06-2ubuntu14.1_arm64.deb ...
  Package configuration

  
   ┌───────────────────────────┤ unsigned kernels ├────────────────────────────┐
   │                                                                           │
   │ Cannot upgrade Secure Boot enforcement policy due to unsigned kernels     │
   │                                                                           │
   │ Your system has UEFI Secure Boot enabled in firmware, and the following   │
   │ kernels present on your system are unsigned:                              │
   │                                                                           │
   │  5.4.0-137-generic                                                        │
   │                                                                           │
   │                                                                           │
   │ These kernels cannot be verified under Secure Boot.  To ensure your       │
   │ system remains bootable, GRUB will not be upgraded on your disk until     │
   │ these kernels are removed or replaced with signed kernels.                │
   │                                                                           │
   │                                  <Ok>                                     │
   │                                                                           │
   └───────────────────────────────────────────────────────────────────────────┘

  
  E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
  dpkg: error processing package grub-efi-arm64-signed (--configure):
   installed grub-efi-arm64-signed package post-installation script

  
  That kernel *is* signed - I'm currently booted on it in SecureBoot mode.
  ubuntu@ubuntu:~$ uname -a
  Linux ubuntu 5.4.0-137-generic #154~18.04.1-Ubuntu SMP Tue Jan 10 16:58:27 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux
  ubuntu@ubuntu:~$ sudo mokutil --sb-state
  SecureBoot enabled

  Strangely, I did not see this when upgrading on focal, jammy, kinetic
  or lunar.
