grub2 verify signed kernel exists or abort upgrade

Bug #1786491 reported by Julian Andres Klode
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
grub2 (Ubuntu)
Fix Released
Undecided
Unassigned
Bionic
Fix Released
Undecided
Unassigned
Cosmic
Fix Released
Undecided
Unassigned
grub2-signed (Ubuntu)
Fix Released
Undecided
Unassigned
Bionic
Fix Released
Undecided
Unassigned
Cosmic
Fix Released
Undecided
Unassigned

Bug Description

[Impact]
grub2 should fail to install if no signed kernels exist

[Test case]
On a secure boot system:
* Install grub-efi-amd64{,signed} and signed kernel => installs
* Install grub-efi-amd64{,signed} and only unsigned kernel => prevents
On a non-secure-boot system:
* Install grub-efi-amd64{,signed} and only unsigned kernel => installs

[Regression potential]
Upgrades can break.

Changed in grub2-signed (Ubuntu Cosmic):
status: New → Fix Released
Changed in grub2 (Ubuntu Cosmic):
status: New → Fix Released
Changed in grub2-signed (Ubuntu Bionic):
status: New → Triaged
Changed in grub2 (Ubuntu Bionic):
status: New → Triaged
Revision history for this message
Julian Andres Klode (juliank) wrote :

grub2-signed in cosmic still runs the checking script too late (after grub-install instead of before), that needs to be fixed first.

Changed in grub2-signed (Ubuntu Cosmic):
status: Fix Released → Triaged
Steve Langasek (vorlon)
Changed in grub2-signed (Ubuntu Cosmic):
status: Triaged → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.102

---------------
grub2-signed (1.102) cosmic; urgency=medium

  * Call grub-check-signatures before calling grub-install, not after, to
    avoid overwriting the boot loader on disk with one that will fail to
    load. LP: #1786491.

 -- Steve Langasek <email address hidden> Fri, 10 Aug 2018 12:28:40 -0700

Changed in grub2-signed (Ubuntu Cosmic):
status: Fix Committed → Fix Released
tags: added: id-5acce45de43bb8c279b5bec8
Changed in grub2-signed (Ubuntu Bionic):
status: Triaged → In Progress
Changed in grub2 (Ubuntu Bionic):
status: Triaged → In Progress
description: updated
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Julian, or anyone else affected,

Accepted grub2 into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02-2ubuntu8.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in grub2 (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Julian, or anyone else affected,

Accepted grub2-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.93.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in grub2-signed (Ubuntu Bionic):
status: In Progress → Fix Committed
Revision history for this message
Julian Andres Klode (juliank) wrote :

Installed -ubuntu8.3 / signed 1.93.4 from proposed and ran some tests. I fixed the script to use a different dir instead of /sys/firmware/efi/efivars and created deleted the flags for secure boot in there, as I could not get my container to read from the original dir, even after bind mounting mock files/dirs.

On a secure boot system (mock: copied SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c from host):
* Install grub-efi-amd64{,signed} and signed kernel => installs

PASS (mock: copied signed host kernel to container)

* Install grub-efi-amd64{,signed} and only unsigned kernel => prevents

PASS (mock: created empty vmlinuz-$(uname -r) in /boot/)

On a non-secure-boot system (mock: deleted SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c):

* Install grub-efi-amd64{,signed} and only unsigned kernel => installs

PASS (mock: created empty vmlinuz-$(uname -r) in /boot/)

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02-2ubuntu8.3

---------------
grub2 (2.02-2ubuntu8.3) bionic; urgency=medium

  * Verify that the current and newer kernels are signed when grub is updated, to
    make sure people do not accidentally shutdown without a signed kernel.
    (LP: #1786491)

 -- Julian Andres Klode <email address hidden> Fri, 13 Jul 2018 15:21:48 +0200

Changed in grub2 (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for grub2 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.93.4

---------------
grub2-signed (1.93.4) bionic; urgency=medium

  * Rebuild against grub2 2.02-2ubuntu8.3 and check kernel is signed on
    amd64 EFI before installing grub (LP: #1786491).

 -- Julian Andres Klode <email address hidden> Mon, 13 Aug 2018 12:51:32 +0200

Changed in grub2-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.