Verification-done on trusty:
ubuntu@dashing-moccasin:~$ apt-cache policy grub-efi-amd64-signed
grub-efi-amd64-signed:
  Installed: 1.34.20+2.02~beta2-9ubuntu1.17
  Candidate: 1.34.20+2.02~beta2-9ubuntu1.17
  Package pin: 1.34.20+2.02~beta2-9ubuntu1.17
  Version table:
 *** 1.34.20+2.02~beta2-9ubuntu1.17 500
         -1 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1.34.18+2.02~beta2-9ubuntu1.16 500
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
     1.34.7+2.02~beta2-9ubuntu1.6 500
        500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     1.34+2.02~beta2-9 500
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
ubuntu@dashing-moccasin:~$ apt-cache policy grub-efi-amd64
grub-efi-amd64:
  Installed: 2.02~beta2-9ubuntu1.17
  Candidate: 2.02~beta2-9ubuntu1.17
  Package pin: 2.02~beta2-9ubuntu1.17
  Version table:
 *** 2.02~beta2-9ubuntu1.17 500
         -1 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.02~beta2-9ubuntu1.16 500
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
     2.02~beta2-9ubuntu1.6 500
        500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     2.02~beta2-9 500
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
Verified that now the kernel signature is correctly enforced by grub, and if no kernel is signed / signed by a trusted key, the upgrade will correctly fail to avoid leaving the system unbootable.