grub2 signed kernel enforcement doesn't check on upgrade that signatures are from trusted keys

Bug #1789918 reported by Brad Figg on 2018-08-30
This bug affects 1 person
Affects | Importance | Assigned to
grub2 (Ubuntu) | High | Mathieu Trudel-Lapierre
Trusty | Undecided | Unassigned
Bionic | Undecided | Unassigned
Cosmic | Undecided | Unassigned
mokutil (Ubuntu) | High | Mathieu Trudel-Lapierre

Bug Description

[Impact]
This affects UEFI users upgrading grub, especially when upgrading from an earlier release or when using custom kernels (signed by PPA keys, or unsigned).

[Test case]
1) Install a custom / PPA kernel, or copy an existing kernel into an unsigned version of it:

sudo cp /boot/vmlinuz-4.11.0-11-generic /boot/vmlinuz-4.11.0-11-lp1789918

2) Make sure the kernel is unsigned or signed with an unknown key (in this case, remove signature for convenience):

sudo sbattach --remove /boot/vmlinuz-4.11.0-11-lp1789918

3) Upgrade grub2.

4) Validate that the upgrade fails, and complains about incorrectly signed kernels for the new "vmlinuz-4.11.0-11-lp1789918", or other incorrectly signed kernels present, newer than the currently running kernel.

5) Run /usr/share/grub/grub-check-signatures. Validate the same error appears as through the upgrade process.

[Regression potential]
Relatively low risk of failure. This only affects the upgrade process maintainer scripts, which run an additional script to fail the upgrade if it is detected that a newer kernel than the one currently running would be invalid for Secure Boot. This already catches invalid signatures and unsigned kernels, and mitigates against broken firmwares by shipping the certificate for the most common kernel signatures (the Canonical cert). Upgrades should already have been migrating users to forcing the signed version of kernels to be installed when the official packages are being used.

Watch for upgrade failures due to false positives (correctly signed kernels that are detected as signed by unknown keys) or other failure modes of the upgrade of the grub packages. Grub functionality at boot has been unchanged.

[Background information]
Secure Boot will soon enforce that kernels are properly signed to be able to boot them. Catch systems early where this upgrade would break boot for our users, to ensure they can correct the situation while the system is running.

---

This is on a cosmic system. I wanted to test the 4.18 kernel in the kernel team's unstable ppa. I enabled that ppa, then ran "sudo apt-get update; sudo apt-get dist-upgrade" and then rebooted. Upon boot grub started reporting that none of the kernels I have installed have valid signatures. These were working just fine before this update. The only remedy was to disable secure boot in my bios.
---
ProblemType: Bug
ApportVersion: 2.20.10-0ubuntu9
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
DistroRelease: Ubuntu 18.10
EcryptfsInUse: Yes
InstallationDate: Installed on 2017-08-14 (380 days ago)
InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Alpha amd64 (20170812)
Package: grub2 (not installed)
ProcEnviron:
 TERM=tmux-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 4.18.0-7.8-generic 4.18.5
Tags: wayland-session cosmic
Uname: Linux 4.18.0-7-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip kvm libvirt lpadmin plugdev sambashare sudo
_MarkForUpload: True

apport information

tags: added: apport-collected cosmic wayland-session
description: updated

What does 'dpkg -S /boot/vmlinuz-*' show on your system?

Brad Figg (brad-figg) wrote :

$ dpkg -S /boot/vmlinuz-*
linux-image-4.17.0-2-generic: /boot/vmlinuz-4.17.0-2-generic
linux-image-4.17.0-4-generic: /boot/vmlinuz-4.17.0-4-generic
linux-image-4.17.0-5-generic: /boot/vmlinuz-4.17.0-5-generic
linux-image-4.17.0-6-generic: /boot/vmlinuz-4.17.0-6-generic
linux-image-4.17.0-7-generic: /boot/vmlinuz-4.17.0-7-generic
linux-image-4.18.0-6-generic: /boot/vmlinuz-4.18.0-6-generic
linux-image-4.18.0-7-generic: /boot/vmlinuz-4.18.0-7-generic

Steve Langasek (vorlon) wrote :

These are the correct packages to be providing the signed versions of these files from the Canonical archive, and https://launchpad.net/ubuntu/+source/linux-signed/4.17.0-7.8/+build/15229294 shows that /boot/vmlinuz-4.17.0-7-generic does correctly originate with the linux-signed source package.

Can you attach /boot/vmlinuz-4.17.0-7-generic here for direct inspection?

Adam Conrad (adconrad) wrote :

My guess is that Brad's been getting all his kernels from the ckt PPA, which means they'd all have snakeoil sigs on them instead of the archive sig. In this case, "linux-image-4.17.0-6-generic" and "linux-image-4.17.0-6-generic" aren't the same thing, cause linux-signed binaries are rebuilt when we copy to the archive.

Disabling the ckt PPA and doing an "apt-get --reinstall install <list of packages above>" will probably fix it.

In future, I imagine kernel team folks might want to add their PPA's EFI signing key to MOK on systems where they're likely to run PPA kernels.

Adam Conrad (adconrad) wrote :

Err, I'll note the reinstall trick won't work for the old kernels we've removed from the archive, but testing with 4.17-9, which is still published, should prove the theory.

On Thu, Aug 30, 2018 at 05:21:16PM -0000, Adam Conrad wrote:
> My guess is that Brad's been getting all his kernels from the ckt PPA,
> which means they'd all have snakeoil sigs on them instead of the archive
> sig. In this case, "linux-image-4.17.0-6-generic" and "linux-
> image-4.17.0-6-generic" aren't the same thing, cause linux-signed
> binaries are rebuilt when we copy to the archive.

> Disabling the ckt PPA and doing an "apt-get --reinstall install <list of
> packages above>" will probably fix it.

> In future, I imagine kernel team folks might want to add their PPA's EFI
> signing key to MOK on systems where they're likely to run PPA kernels.

Yes. Having the exact vmlinuz binary attached to this bug report will let
us confirm this.

I removed the pointer to the ckt/unstable ppa and purged all of the 4.18 kernels. I then installed the latest 4.17 kernel from -updates. That kernel, 4.17.0-9.10 now boots just fine with secure boot enabled. It looks like I did have more kernels installed from the ckt ppas than I thought I had.

Brad Figg (brad-figg) wrote :
Steve Langasek (vorlon) wrote :

$ sbattach --detach detached-sig ./vmlinuz-4.17.0-7-generic
$ openssl pkcs7 -in detached-sig -inform DER -print_certs
subject=/CN=PPA canonical-kernel-team bootstrap
issuer=/CN=PPA canonical-kernel-team bootstrap
$

Thanks, this confirms that the kernel you have installed came from the ckt ppa, and not from the archive.

So it is not a bug that grub fails to boot this kernel; though we should revisit whether we could have detected this case at the time grub was upgraded and avoid installing the new bootloader in the case that all your kernels are signed but with a key not trusted by the firmware.

This was discussed in https://code.launchpad.net/~juliank/grub/+git/ubuntu/+merge/345403/comments/909708 and at the time it sounded like it was infeasible. I think we need to take another run at it.

Steve Langasek (vorlon) wrote :

Note that 'mokutil --list-enrolled' may only present keys as text output unsuitable for feeding into sbverify, but 'mokutil --export' will export each key as a separate file.

summary: - /boot/vmlinux-4.17 has invalid signature
+ grub2 signed kernel enforcement doesn't check on upgrade that signatures
+ are from trusted keys
tags: added: id-5b88580cdfde156e4d27cc95
Changed in grub2 (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in mokutil (Ubuntu):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
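
The check discussed in this thread (export the enrolled keys with 'mokutil --export', verify each kernel with sbverify, and name the signer when the key is unknown), written out as an added example; it is not the code of debian/grub-check-signatures or anything posted in this bug. The function names and the trusted-certificate directory are assumptions of the example, and unlike the packaged script described in the bug description it looks at every vmlinuz-* rather than only kernels newer than the running one.

```sh
#!/bin/sh
# Added example: refuse to continue when a kernel in /boot is not signed by a
# trusted certificate. Needs sbsigntool (sbverify, sbattach), openssl, mokutil.
# Assumption: function names and the PEM directory layout are this example's own.

# Export the enrolled MOK certificates into directory $1 and convert them to
# PEM. mokutil --export writes one DER file per key into the current directory.
export_mok_pem() {
    emp_dir=$1
    mkdir -p "$emp_dir" || return 1
    (
        cd "$emp_dir" || exit 1
        mokutil --export >/dev/null 2>&1 || exit 1
        for emp_der in *.der; do
            [ -e "$emp_der" ] || continue
            openssl x509 -inform DER -in "$emp_der" -out "${emp_der%.der}.pem"
        done
    )
}

# Print "trusted", "unknown-key" or "unsigned" for EFI image $1, given a
# directory $2 of trusted PEM certificates.
classify_kernel() {
    ck_image=$1
    for ck_cert in "$2"/*.pem; do
        [ -e "$ck_cert" ] || continue
        if sbverify --cert "$ck_cert" "$ck_image" >/dev/null 2>&1; then
            echo trusted
            return 0
        fi
    done
    ck_sig=$(mktemp) || return 2
    # Assumption: a failed detach or an empty output file means "no signature".
    if sbattach --detach "$ck_sig" "$ck_image" >/dev/null 2>&1 &&
        [ -s "$ck_sig" ]; then
        echo unknown-key
    else
        echo unsigned
    fi
    rm -f "$ck_sig"
}

# Print the subject line(s) of the certificates carried in the signature of $1,
# using the same sbattach / openssl pkcs7 steps shown earlier in this thread.
signer_subjects() {
    ss_sig=$(mktemp) || return 2
    if sbattach --detach "$ss_sig" "$1" >/dev/null 2>&1; then
        openssl pkcs7 -in "$ss_sig" -inform DER -print_certs -noout 2>/dev/null |
            grep '^subject' || true
    fi
    rm -f "$ss_sig"
}

# Check every vmlinuz-* in $1 against the certificates in $2. Returns 1 if any
# image would be rejected, so a maintainer script can abort before the
# bootloader is replaced.
check_boot() {
    cb_bad=0
    for cb_image in "$1"/vmlinuz-*; do
        [ -e "$cb_image" ] || continue
        cb_state=$(classify_kernel "$cb_image" "$2")
        case $cb_state in
            trusted) ;;
            unknown-key)
                echo "$cb_image: signed by a key that is not trusted:"
                signer_subjects "$cb_image" | sed 's/^/    /'
                cb_bad=1 ;;
            *)
                echo "$cb_image: unsigned"
                cb_bad=1 ;;
        esac
    done
    return "$cb_bad"
}

# Run as: sh check-kernels.sh /boot /path/to/trusted-pem-dir
if [ "$#" -eq 2 ]; then
    check_boot "$1" "$2"
fi
```

As the bug description notes, the packaged script also ships the Canonical certificate; in this example any certificate beyond the exported MOK entries has to be placed in the PEM directory by the caller.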

mokutil now allows exporting the various keys; we'll still need to integrate this with grub to check for what signs the kernels (and check for blacklists).

Changed in mokutil (Ubuntu):
status: In Progress → Fix Released

I've been working on fixing this; code is here:

https://code.launchpad.net/~ubuntu-core-dev/grub/+git/ubuntu/+merge/361589

I'll finish testing that it all works correctly, installing unstable kernels, and then upload to disco and proceed with preparing the SRUs.

Changed in grub2 (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)

Adding block-proposed for one last test run in -proposed.

tags: added: block-proposed

Testing looks good; removing block-proposed.

Kernels are checked as expected; a custom kernel signed with a custom but known key is let through.

tags: removed: block-proposed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02+dfsg1-5ubuntu10

---------------
grub2 (2.02+dfsg1-5ubuntu10) disco; urgency=medium

  * debian/grub-check-signatures: check kernel signatures against keys known
    in firmware, in case a kernel is signed but not using a key that will pass
    validation, such as when using kernels coming from a PPA. (LP: #1789918)

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 21 Jan 2019 09:34:36 -0500

Changed in grub2 (Ubuntu):
status: In Progress → Fix Released
description: updated

Hello Brad, or anyone else affected,

Accepted grub2 into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02+dfsg1-5ubuntu8.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2 (Ubuntu Cosmic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-cosmic
Brian Murray (brian-murray) wrote :

Hello Brad, or anyone else affected,

Accepted grub2-signed into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.110.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2 (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Brian Murray (brian-murray) wrote :

Hello Brad, or anyone else affected,

Accepted grub2 into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02-2ubuntu8.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Brian Murray (brian-murray) wrote :

Hello Brad, or anyone else affected,

Accepted grub2-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.93.11 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.


Verification-done on bionic with grub2 / grub2-signed:

iF grub-efi-amd64 2.02-2ubuntu8.10 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version)
ii grub-efi-amd64-bin 2.02-2ubuntu8.10 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 binaries)
ii grub-efi-amd64-signed 1.93.11+2.02-2ubuntu8.10 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)

Forcing an unsigned copy of the kernel, or one signed by an unknown key leads to the system failing to upgrade, as expected:

ubuntu@ubuntu:/boot$ sudo cp vmlinuz-4.15.0-44-generic vmlinuz-4.15.0-44-matt
ubuntu@ubuntu:/boot$ sudo sb
sbattach sbkeysync sbsiglist sbsign sbvarsign sbverify
ubuntu@ubuntu:/boot$ sudo sbattach --remove vmlinuz-4.15.0-44-matt

ubuntu@ubuntu:/boot$ sudo apt install --reinstall grub-efi-amd64
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 47.0 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 grub-efi-amd64 amd64 2.02-2ubuntu8.10 [47.0 kB]
Fetched 47.0 kB in 0s (112 kB/s)
Preconfiguring packages ...
(Reading database ... 66920 files and directories currently installed.)
Preparing to unpack .../grub-efi-amd64_2.02-2ubuntu8.10_amd64.deb ...
Unpacking grub-efi-amd64 (2.02-2ubuntu8.10) over (2.02-2ubuntu8.10) ...
Setting up grub-efi-amd64 (2.02-2ubuntu8.10) ...
/boot/vmlinuz-4.15.0-44-matt is unsigned.
E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
dpkg: error processing package grub-efi-amd64 (--configure):
 installed grub-efi-amd64 package post-installation script subprocess returned error exit status 1
E: Sub-process /usr/bin/dpkg returned an error code (1)

ubuntu@ubuntu:~$ sudo apt install --reinstall grub-efi-amd64
[sudo] password for ubuntu:
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/47.0 kB of archives.
After this operation, 0 B of additional disk space will be used.
Preconfiguring packages ...
(Reading database ... 66920 files and directories currently installed.)
Preparing to unpack .../grub-efi-amd64_2.02-2ubuntu8.10_amd64.deb ...
Unpacking grub-efi-amd64 (2.02-2ubuntu8.10) over (2.02-2ubuntu8.10) ...
Setting up grub-efi-amd64 (2.02-2ubuntu8.10) ...
/boot/vmlinuz-4.15.0-44-matt is signed, but using an unknown key:
        Subject: CN = PPA cyphermox efi
E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
dpkg: error processing package grub-efi-amd64 (--configure):
 installed grub-efi-amd64 package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 grub-efi-amd64
E: Sub-process /usr/bin/dpkg returned an error code (1)

And a properly signed kernel obviously passes validation with no issues;...


tags: added: verification-done-bionic
removed: verification-needed-bionic

Verification-done on cosmic with grub2 / grub2-signed.

Forcing an unsigned copy of the kernel, or one signed by an unknown key leads to the system failing to upgrade, as expected:

ubuntu@ubuntu:~$ dpkg -l grub-efi\* | grep ii | awk '{ print $2" "$3 }'
grub-efi-amd64 2.02+dfsg1-5ubuntu8.1
grub-efi-amd64-bin 2.02+dfsg1-5ubuntu8.1
grub-efi-amd64-signed 1.110.1+2.02+dfsg1-5ubuntu8.1
ubuntu@ubuntu:~$ sudo apt install --reinstall grub-efi-amd64-signed
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 295 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://us.archive.ubuntu.com/ubuntu cosmic-proposed/main amd64 grub-efi-amd64-signed amd64 1.110.1+2.02+dfsg1-5ubuntu8.1 [295 kB]
Fetched 295 kB in 0s (742 kB/s)
(Reading database ... 106062 files and directories currently installed.)
Preparing to unpack .../grub-efi-amd64-signed_1.110.1+2.02+dfsg1-5ubuntu8.1_amd64.deb ...
Unpacking grub-efi-amd64-signed (1.110.1+2.02+dfsg1-5ubuntu8.1) over (1.110.1+2.02+dfsg1-5ubuntu8.1) ...
Setting up grub-efi-amd64-signed (1.110.1+2.02+dfsg1-5ubuntu8.1) ...
/boot/vmlinuz-4.18.0-14-matt is unsigned.
E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
dpkg: error processing package grub-efi-amd64-signed (--configure):
 installed grub-efi-amd64-signed package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 grub-efi-amd64-signed
E: Sub-process /usr/bin/dpkg returned an error code (1)
ubuntu@ubuntu:~$
ubuntu@ubuntu:~$ sudo sbsign --key ~/uefi-keys/uefi.
uefi.crt uefi.key
ubuntu@ubuntu:~$ sudo sbsign --key ~/uefi-keys/uefi.key --cert ~/uefi-keys/uefi.crt /boot/vmlinuz-4.18.0-14-matt
ubuntu@ubuntu:~$ sudo apt install grub-efi-amd64-signed
Reading package lists... Done
Building dependency tree
Reading state information... Done
grub-efi-amd64-signed is already the newest version (1.110.1+2.02+dfsg1-5ubuntu8.1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n]
Setting up grub-efi-amd64-signed (1.110.1+2.02+dfsg1-5ubuntu8.1) ...
/boot/vmlinuz-4.18.0-14-matt.signed is signed, but using an unknown key:
        Subject: CN = PPA cyphermox efi
/boot/vmlinuz-4.18.0-14-matt is unsigned.
E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment.
dpkg: error processing package grub-efi-amd64-signed (--configure):
 installed grub-efi-amd64-signed package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 grub-efi-amd64-signed
E: Sub-process /usr/bin/dpkg returned an error code (1)

tags: added: verification-done-cosmic
removed: verification-needed verification-needed-cosmic

The verification of the Stable Release Update for grub2 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02+dfsg1-5ubuntu8.1

---------------
grub2 (2.02+dfsg1-5ubuntu8.1) cosmic; urgency=medium

  [ Mathieu Trudel-Lapierre ]
  * debian/grub-check-signatures: check kernel signatures against keys known
    in firmware, in case a kernel is signed but not using a key that will pass
    validation, such as when using kernels coming from a PPA. (LP: #1789918)
  * debian/patches/mkconfig_leave_breadcrumbs.patch: make sure grub-mkconfig
    leaves a trace of what files were sourced to help generate the config
    we're building. (LP: #1812863)

  [ Steve Langasek ]
  * debian/patches/quick-boot-lvm.patch: If we don't have writable
    grubenv and we're on EFI, always show the menu. Closes LP: #1800722.

 -- Mathieu Trudel-Lapierre <email address hidden> Tue, 22 Jan 2019 09:57:07 -0500

Changed in grub2 (Ubuntu Cosmic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02-2ubuntu8.10

---------------
grub2 (2.02-2ubuntu8.10) bionic; urgency=medium

  [ Mathieu Trudel-Lapierre ]
  * debian/grub-check-signatures: check kernel signatures against keys known
    in firmware, in case a kernel is signed but not using a key that will pass
    validation, such as when using kernels coming from a PPA. (LP: #1789918)
  * debian/patches/mkconfig_leave_breadcrumbs.patch: make sure grub-mkconfig
    leaves a trace of what files were sourced to help generate the config
    we're building. (LP: #1812863)

  [ Steve Langasek ]
  * debian/patches/quick-boot-lvm.patch: If we don't have writable
    grubenv and we're on EFI, always show the menu. Closes LP: #1800722.

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 09 Jan 2019 14:04:09 -0500

Changed in grub2 (Ubuntu Bionic):
status: Fix Committed → Fix Released

Hello Brad, or anyone else affected,

Accepted grub2 into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-9ubuntu1.17 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2 (Ubuntu Trusty):
status: New → Fix Committed
tags: added: verification-needed verification-needed-trusty
Steve Langasek (vorlon) wrote :

Hello Brad, or anyone else affected,

Accepted grub2-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.34.19 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Verification-done on trusty:

ii grub-common 2.02~beta2-9ubuntu1.17 amd64 GRand Unified Bootloader (common files)
ii grub-efi-amd64 2.02~beta2-9ubuntu1.17 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version)
ii grub-efi-amd64-bin 2.02~beta2-9ubuntu1.17 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 binaries)
ii grub-efi-amd64-signed 1.34.19+2.02~beta2-9ubuntu1.17 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)
ii grub-legacy-ec2 0.7.5-0ubuntu1.23 all Handles update-grub for ec2 instances
ii grub-pc-bin 2.02~beta2-9ubuntu1.17 amd64 GRand Unified Bootloader, version 2 (PC/BIOS binaries)
ii grub2-common 2.02~beta2-9ubuntu1.17 amd64 GRand Unified Bootloader (common files for version 2)

Kernel signatures are correctly enforced, but a postinst check is missing in grub2-signed to check signatures before applying the next update (missing in grub2-signed 1.34.19).

tags: added: verification-done-trusty
removed: verification-needed-trusty
Steve Langasek (vorlon) wrote :

Hello Brad, or anyone else affected,

Accepted grub2-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.34.20 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed-trusty
removed: verification-done-trusty

Verification-done on trusty:

ubuntu@dashing-moccasin:~$ apt-cache policy grub-efi-amd64-signed
grub-efi-amd64-signed:
  Installed: 1.34.20+2.02~beta2-9ubuntu1.17
  Candidate: 1.34.20+2.02~beta2-9ubuntu1.17
  Package pin: 1.34.20+2.02~beta2-9ubuntu1.17
  Version table:
 *** 1.34.20+2.02~beta2-9ubuntu1.17 500
         -1 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1.34.18+2.02~beta2-9ubuntu1.16 500
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
     1.34.7+2.02~beta2-9ubuntu1.6 500
        500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     1.34+2.02~beta2-9 500
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
ubuntu@dashing-moccasin:~$ apt-cache policy grub-efi-amd64
grub-efi-amd64:
  Installed: 2.02~beta2-9ubuntu1.17
  Candidate: 2.02~beta2-9ubuntu1.17
  Package pin: 2.02~beta2-9ubuntu1.17
  Version table:
 *** 2.02~beta2-9ubuntu1.17 500
         -1 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.02~beta2-9ubuntu1.16 500
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
     2.02~beta2-9ubuntu1.6 500
        500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     2.02~beta2-9 500
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

Verified that now the kernel signature is correctly enforced by grub, and if no kernel is signed / signed by a trusted key, the upgrade will correctly be failed to avoid leaving the system unbootable.

tags: added: verification-done-trusty
removed: verification-needed verification-needed-trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02~beta2-9ubuntu1.17

---------------
grub2 (2.02~beta2-9ubuntu1.17) trusty; urgency=medium

  * debian/grub-check-signatures: check kernel signatures against keys known
    in firmware, in case a kernel is signed but not using a key that will pass
    validation, such as when using kernels coming from a PPA. (LP: #1789918)
  * debian/patches/linuxefi_disable_sb_fallback.patch: Disallow unsigned
    kernels if UEFI Secure Boot is enabled. If UEFI Secure Boot is enabled
    and kernel signature verification fails, do not boot the kernel. Patch
    from Linn Crosetto. (LP: #1401532)

 -- Mathieu Trudel-Lapierre <email address hidden> Fri, 22 Mar 2019 11:36:54 -0400

Changed in grub2 (Ubuntu Trusty):
status: Fix Committed → Fix Released