grub-efi-amd64-signed should depend on mokutil

Bug #1825128 reported by Yuan-Chen Cheng
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OEM Priority Project | Confirmed | High | Yuan-Chen Cheng |
grub2-signed (Ubuntu) | Confirmed | Undecided | Unassigned |

Bug Description

When Secure Boot is turned on, the postinst script's configure step will call mokutil. If mokutil is not installed, it will fail.

Based on that, maybe grub-efi-amd64-signed should depend on mokutil.

The postinst script calls /usr/share/grub/grub-check-signatures from the grub-common package. grub-check-signatures calls mokutil to extract the key and uses the key to check whether the kernel is properly signed.

Changed in oem-priority:
importance: Undecided → Critical
tags: added: hwe oem-priority
Yuan-Chen Cheng (ycheng-twn) wrote :

per $4:

grub-efi-amd64-signed's postinst will execute /usr/share/grub/grub-check-signatures when Secure Boot is on, and then it will execute mokutil no matter whether there is any DKMS or not.

Ivan Hu (ivan.hu) wrote :

What does grub-check-signatures use mokutil for?
It makes more sense for mokutil to depend on shim, not grub.
Can having mokutil depend on the shim package solve your issue?

Shih-Yuan Lee (fourdollars) wrote :

This issue happens when installing grub-efi-amd64-signed while the image is still using an old mokutil, so it is better to fix the issue directly in grub-efi-amd64-signed.

Changed in oem-priority:
importance: Critical → High
Changed in oem-priority:
status: New → Won't Fix
Changed in grub2-signed (Ubuntu):
status: New → Incomplete
Yuan-Chen Cheng (ycheng-twn) wrote :

@Ivan, I updated how grub-check-signatures uses mokutil in the bug description.
Can you please check again?

description: updated
Changed in oem-priority:
status: Won't Fix → Confirmed
assignee: nobody → Yuan-Chen Cheng (ycheng-twn)
Changed in grub2-signed (Ubuntu):
status: Incomplete → Confirmed
Ivan Hu (ivan.hu) wrote :

The shim-signed package already depends on mokutil.
When Secure Boot is enabled, shim is needed and mokutil should be installed.

Yuan-Chen Cheng (ycheng-twn) wrote :

Per the code in ubiquity:/usr/share/grub-installer/grub-installer,
it installs grub-efi-amd64-signed first, and then installs shim-signed.
(grub_package=grub-efi-amd64-signed when the code runs to here.)
===
        apt-install $grub_package || exit_code=$?
        case $grub_package in
            *-signed)
                apt-install shim-signed || true
                apt-install grub-pc || true
                ;;
        esac
===

tags: added: foundation
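
Added example (not part of the bug report or of Ubuntu's packaging): a shell check that models the gap discussed in this thread. Given control stanzas in install order, it reports the first step at which mokutil is guaranteed by a hard Depends/Pre-Depends. The stanzas are constructed samples, and `guarantees` and `first_step_with` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed control stanzas for illustration; NOT the real package metadata.
GRUB_STANZA='Package: grub-efi-amd64-signed
Version: 0.0-constructed
Depends: grub-common (>= 0.0),
 example-efi-bin
Description: constructed sample'

SHIM_STANZA='Package: shim-signed
Version: 0.0-constructed
Pre-Depends: debconf
Depends: grub-efi-amd64-signed | example-alt-signed, mokutil (>= 0.0)
Description: constructed sample'

# guarantees STANZA PKG: succeed only if PKG is a hard, unconditional
# Depends/Pre-Depends of the stanza (alternatives "a | b" do not count).
guarantees() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^(Pre-)?Depends:/ { infield = 1; sub(/^[^:]*:/, ""); buf = buf "," $0; next }
        /^[ \t]/ && infield { buf = buf $0; next }   # folded continuation line
        { infield = 0 }
        END {
            n = split(buf, groups, ",")
            for (i = 1; i <= n; i++) {
                g = groups[i]
                if (g ~ /\|/) continue               # alternative group
                gsub(/\([^)]*\)/, "", g)             # drop version constraint
                gsub(/[ \t]/, "", g)
                sub(/:.*/, "", g)                    # drop :arch qualifier
                if (g == want) found = 1
            }
            exit (found ? 0 : 1)
        }'
}

# first_step_with TOOL STANZA...: print the 1-based position of the first
# package in the install sequence that guarantees TOOL (0 if none does).
first_step_with() {
    tool=$1; shift; step=0
    for stanza in "$@"; do
        step=$((step + 1))
        if guarantees "$stanza" "$tool"; then echo "$step"; return 0; fi
    done
    echo 0
}

# Same order as the grub-installer snippet: $grub_package, then shim-signed.
echo "mokutil first guaranteed at step: $(first_step_with mokutil "$GRUB_STANZA" "$SHIM_STANZA")"
```

A result greater than 1 means the first package's postinst can run before anything has guaranteed that mokutil is installed.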