upgrade crashing due to unsigned kernels
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| grub2 (Ubuntu) | Fix Released | High | Unassigned | |
| Bionic | Fix Released | High | Unassigned | |
| Cosmic | Fix Released | High | Unassigned | |
| grub2-signed (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Bionic | Fix Released | Undecided | Unassigned | |
| Cosmic | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
All upgrades on UEFI from xenial to bionic.
[Test case]
1) Install Ubuntu 16.04 on a UEFI system with Secure Boot enabled.
2) Upgrade to 18.04; validate that the upgrade is successful and does not fail due to "unsigned kernels" as an error message / debconf prompt.
[Regression Potential]
Things to watch out for are continuing with an upgrade from 16.04 to 18.04 where only unsigned kernels are available, despite the running kernel at upgrade-time being included with a .efi.signed file -- if neither the .efi.signed file is signed nor the vmlinuz for that particular kernel version, the upgrade should fail to avoid letting users upgrade into a non-working system.
---
$ ls /boot/vmlinuz-*
/boot/vmlinuz-
/boot/vmlinuz-
/boot/vmlinuz-
/boot/vmlinuz-
/boot/vmlinuz-
/boot/vmlinuz-
/boot/vmlinuz-
/boot/vmlinuz-
$
On dist-upgrade from xenial to bionic, grub bails with the error:
│ Cannot upgrade Secure Boot enforcement policy due to unsigned kernels │
│ │
│ Your system has UEFI Secure Boot enabled in firmware, and the following │
│ kernels present on your system are unsigned: │
│ │
│ 4.4.0-135-generic │
│ 4.4.0-134-generic │
│ 4.4.0-133-generic │
│ │
│ │
│ These kernels cannot be verified under Secure Boot. To ensure your │
│ system remains bootable, GRUB will not be upgraded on your disk until │
│ these kernels are removed or replaced with signed kernels. │
This is a false positive: only the -generic files are unsigned, not the .efi.signed ones, and only the .efi.signed ones are referenced in the grub.cfg. So the fact that there are unsigned vmlinuz files in the directory alongside the signed ones should not block grub from upgrading.
---
ProblemType: Package
DistroRelease: Ubuntu 18.04
Package: grub-efi-amd64 2.02-2ubuntu8.3
Uname: Linux 4.7.0-040700-
NonfreeKernelMo
ApportVersion: 2.20.9-0ubuntu7.2
Architecture: amd64
Date: Thu Aug 23 19:33:07 2018
ErrorMessage: installed grub-efi-amd64 package post-installation script subprocess returned error exit status 1
InstallationDate: Installed on 2018-05-30 (85 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
ProcCmdLine: BOOT_IMAGE=
Python3Details: /usr/bin/python3.6, Python 3.6.5, python3-minimal, 3.6.5-3ubuntu1
PythonDetails: /usr/bin/python2.7, Python 2.7.15rc1, python-minimal, 2.7.15~rc1-1
RelatedPackageV
dpkg 1.19.0.5ubuntu2
apt 1.6.3ubuntu0.1
SourcePackage: grub2
Title: package grub-efi-amd64 2.02-2ubuntu8.3 failed to install/upgrade: installed grub-efi-amd64 package post-installation script subprocess returned error exit status 1
UpgradeStatus: Upgraded to bionic on 2018-08-23 (0 days ago)
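The per-version check described under [Regression Potential] and in the false-positive explanation above, as an added shell example that is not grub2's own maintainer-script code: a kernel version is reported only when neither its `.efi.signed` image nor its plain `vmlinuz` verifies. It assumes `sbverify` from sbsigntool and a placeholder certificate path in `SB_CERT`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the grub2 postinst. Function names are hypothetical.

# Assumption: SB_CERT is a PEM copy of the certificate that kernel
# signatures must verify against. The default is a placeholder path.
SB_CERT=${SB_CERT:-/path/to/kernel-signing-cert.pem}

# Default checker: sbverify (sbsigntool) exits 0 only when the image
# carries a signature that verifies against SB_CERT.
is_signed() {
    sbverify --cert "$SB_CERT" "$1" >/dev/null 2>&1
}

# kernel_versions DIR
# Print each kernel version once, whether it is present as vmlinuz-VER,
# vmlinuz-VER.efi.signed, or both.
kernel_versions() {
    for f in "$1"/vmlinuz-*; do
        [ -e "$f" ] || continue            # glob matched nothing
        v=${f##*/vmlinuz-}
        printf '%s\n' "${v%.efi.signed}"
    done | sort -u
}

# unverifiable_kernels DIR [CHECKER]
# Print the versions that have no verifiable image at all. An unsigned
# vmlinuz-VER sitting next to a signed vmlinuz-VER.efi.signed is NOT
# reported, which is the false positive this bug describes.
unverifiable_kernels() {
    dir=$1
    check=${2:-is_signed}
    kernel_versions "$dir" | while IFS= read -r v; do
        ok=no
        for img in "$dir/vmlinuz-$v.efi.signed" "$dir/vmlinuz-$v"; do
            if [ -f "$img" ] && "$check" "$img"; then
                ok=yes
                break
            fi
        done
        if [ "$ok" = no ]; then
            printf '%s\n' "$v"
        fi
    done
}

# Stand-alone use: sh this-script check [BOOTDIR]
case "${1:-}" in
    check) unverifiable_kernels "${2:-/boot}" ;;
esac
```

An empty result means every installed kernel version has at least one image that verifies; any version printed is one that should still block the GRUB upgrade.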
tags: removed: need-duplicate-check
summary:
- package grub-efi-amd64 2.02-2ubuntu8.3 failed to install/upgrade: installed grub-efi-amd64 package post-installation script subprocess returned error exit status 1
+ upgrade crashing due to unsigned kernels
Changed in grub2 (Ubuntu): assignee: nobody → jai (dspace123)
Changed in grub2 (Ubuntu Cosmic): status: Triaged → In Progress
Changed in grub2 (Ubuntu Cosmic): assignee: nobody → ali reza (alirezasabb)
Changed in grub2 (Ubuntu Bionic): status: Triaged → New
Changed in grub2 (Ubuntu Bionic): status: New → Triaged
Changed in grub2 (Ubuntu Cosmic): assignee: ali reza (alirezasabb) → nobody
Changed in grub2 (Ubuntu Bionic): assignee: nobody → Sarath P Nath (sarathpnath)
Changed in grub2 (Ubuntu Cosmic): assignee: nobody → Sarath P Nath (sarathpnath)
Changed in grub2 (Ubuntu Bionic): status: Triaged → Fix Released
Changed in grub2 (Ubuntu Bionic): assignee: Sarath P Nath (sarathpnath) → nobody
Changed in grub2 (Ubuntu Cosmic): assignee: Sarath P Nath (sarathpnath) → nobody
Changed in grub2 (Ubuntu Bionic): status: Fix Released → Triaged
tags: added: id-5bdb73bc573ea205340525bc
Changed in grub2-signed (Ubuntu Cosmic): status: New → Fix Released
Changed in grub2-signed (Ubuntu): status: New → Fix Released
Changed in grub2 (Ubuntu Bionic): status: Triaged → In Progress
Changed in grub2-signed (Ubuntu Bionic): status: New → In Progress
Changed in grub2 (Ubuntu): assignee: nobody → Steve figueroa (homecompsg)
Changed in grub2 (Ubuntu Bionic): assignee: nobody → Steve figueroa (homecompsg)
Changed in grub2 (Ubuntu Cosmic): assignee: nobody → Steve figueroa (homecompsg)
Changed in grub2-signed (Ubuntu): assignee: nobody → Steve figueroa (homecompsg)
Changed in grub2-signed (Ubuntu Bionic): assignee: nobody → Steve figueroa (homecompsg)
Changed in grub2-signed (Ubuntu Cosmic): assignee: nobody → Steve figueroa (homecompsg)
Changed in grub2 (Ubuntu): assignee: Steve figueroa (homecompsg) → nobody
Changed in grub2 (Ubuntu Bionic): assignee: Steve figueroa (homecompsg) → nobody
Changed in grub2 (Ubuntu Cosmic): assignee: Steve figueroa (homecompsg) → nobody
Changed in grub2-signed (Ubuntu): assignee: Steve figueroa (homecompsg) → nobody
Changed in grub2-signed (Ubuntu Bionic): assignee: Steve figueroa (homecompsg) → nobody
Changed in grub2-signed (Ubuntu Cosmic): assignee: Steve figueroa (homecompsg) → nobody
Status changed to 'Confirmed' because the bug affects multiple users.