2018-08-30 14:42:45 |
Brad Figg |
bug |
|
|
added bug |
2018-08-30 14:44:51 |
Brad Figg |
tags |
|
apport-collected cosmic wayland-session |
|
2018-08-30 14:44:52 |
Brad Figg |
description |
This is on a cosmic system. I wanted to test the 4.18 kernel in the kernel teams unstable ppa. I enabled that ppa, then ran "sudo apt-get update; sudo apt-get dist-upgrade" and then rebooted. Upon boot grub started reporting that none of the kernels I have installed have valid signatures. These were working just fine before this update. The only remedy was to disable secure boot in my bios. |
This is on a cosmic system. I wanted to test the 4.18 kernel in the kernel teams unstable ppa. I enabled that ppa, then ran "sudo apt-get update; sudo apt-get dist-upgrade" and then rebooted. Upon boot grub started reporting that none of the kernels I have installed have valid signatures. These were working just fine before this update. The only remedy was to disable secure boot in my bios.
---
ProblemType: Bug
ApportVersion: 2.20.10-0ubuntu9
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
DistroRelease: Ubuntu 18.10
EcryptfsInUse: Yes
InstallationDate: Installed on 2017-08-14 (380 days ago)
InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Alpha amd64 (20170812)
Package: grub2 (not installed)
ProcEnviron:
TERM=tmux-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSignature: Ubuntu 4.18.0-7.8-generic 4.18.5
Tags: wayland-session cosmic
Uname: Linux 4.18.0-7-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip kvm libvirt lpadmin plugdev sambashare sudo
_MarkForUpload: True |
|
2018-08-30 14:44:53 |
Brad Figg |
attachment added |
|
ProcCpuinfoMinimal.txt https://bugs.launchpad.net/bugs/1789918/+attachment/5182679/+files/ProcCpuinfoMinimal.txt |
|
2018-08-30 14:57:59 |
Steve Langasek |
bug |
|
|
added subscriber Steve Langasek |
2018-08-30 19:10:59 |
Brad Figg |
attachment added |
|
vmlinuz-4.17.0-7-generic https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1789918/+attachment/5182766/+files/vmlinuz-4.17.0-7-generic |
|
2018-08-30 20:50:34 |
Steve Langasek |
summary |
/boot/vmlinux-4.17 has invalid signature |
grub2 signed kernel enforcement doesn't check on upgrade that signatures are from trusted keys |
|
2018-08-31 12:23:02 |
Francis Ginther |
tags |
apport-collected cosmic wayland-session |
apport-collected cosmic id-5b88580cdfde156e4d27cc95 wayland-session |
|
2018-10-03 14:50:49 |
Mathieu Trudel-Lapierre |
grub2 (Ubuntu): status |
New |
Triaged |
|
2018-10-03 14:50:50 |
Mathieu Trudel-Lapierre |
grub2 (Ubuntu): importance |
Undecided |
High |
|
2018-10-03 14:50:57 |
Mathieu Trudel-Lapierre |
bug task added |
|
mokutil (Ubuntu) |
|
2018-10-03 14:51:03 |
Mathieu Trudel-Lapierre |
mokutil (Ubuntu): status |
New |
In Progress |
|
2018-10-03 14:51:05 |
Mathieu Trudel-Lapierre |
mokutil (Ubuntu): importance |
Undecided |
High |
|
2018-10-03 14:51:08 |
Mathieu Trudel-Lapierre |
mokutil (Ubuntu): assignee |
|
Mathieu Trudel-Lapierre (cyphermox) |
|
2018-10-17 01:26:50 |
Mathieu Trudel-Lapierre |
mokutil (Ubuntu): status |
In Progress |
Fix Released |
|
2019-01-11 20:10:50 |
Mathieu Trudel-Lapierre |
grub2 (Ubuntu): status |
Triaged |
In Progress |
|
2019-01-11 20:10:52 |
Mathieu Trudel-Lapierre |
grub2 (Ubuntu): assignee |
|
Mathieu Trudel-Lapierre (cyphermox) |
|
2019-01-21 14:36:38 |
Mathieu Trudel-Lapierre |
tags |
apport-collected cosmic id-5b88580cdfde156e4d27cc95 wayland-session |
apport-collected block-proposed cosmic id-5b88580cdfde156e4d27cc95 wayland-session |
|
2019-01-22 14:26:17 |
Mathieu Trudel-Lapierre |
tags |
apport-collected block-proposed cosmic id-5b88580cdfde156e4d27cc95 wayland-session |
apport-collected cosmic id-5b88580cdfde156e4d27cc95 wayland-session |
|
2019-01-22 15:25:06 |
Launchpad Janitor |
grub2 (Ubuntu): status |
In Progress |
Fix Released |
|
2019-01-22 19:00:08 |
Mathieu Trudel-Lapierre |
description |
This is on a cosmic system. I wanted to test the 4.18 kernel in the kernel teams unstable ppa. I enabled that ppa, then ran "sudo apt-get update; sudo apt-get dist-upgrade" and then rebooted. Upon boot grub started reporting that none of the kernels I have installed have valid signatures. These were working just fine before this update. The only remedy was to disable secure boot in my bios.
---
ProblemType: Bug
ApportVersion: 2.20.10-0ubuntu9
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
DistroRelease: Ubuntu 18.10
EcryptfsInUse: Yes
InstallationDate: Installed on 2017-08-14 (380 days ago)
InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Alpha amd64 (20170812)
Package: grub2 (not installed)
ProcEnviron:
TERM=tmux-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSignature: Ubuntu 4.18.0-7.8-generic 4.18.5
Tags: wayland-session cosmic
Uname: Linux 4.18.0-7-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip kvm libvirt lpadmin plugdev sambashare sudo
_MarkForUpload: True |
[Impact]
This affects UEFI users upgrading grub, especially when upgrading from an earlier release or when using custom kernels (signed by PPA keys, or unsigned).
[Test case]
1) Install a custom / PPA kernel, or copy an existing kernel into an unsigned version of it:
sudo cp /boot/vmlinuz-4.11.0-11-generic /boot/vmlinuz-4.11.0-11-lp1789918
2) Make sure the kernel is unsigned or signed with an unknown key (in this case, remove signature for convenience):
sudo sbattach --remove /boot/vmlinuz-4.11.0-11-lp1789918
3) Upgrade grub2.
4) Validate that the upgrade fails, and complains about incorrectly signed kernels for the new "vmlinuz-4.11.0-11-lp1789918", or other incorrectly signed kernels present, newer than the currently running kernel.
5) Run /usr/share/grub/grub-check-signatures. Validate the same error appears as through the upgrade process.
[Regression potential]
Relatively low risk of failure. This only affects the upgrade process maintainer scripts, which run an additional script to fail the upgrade if it is detected that a newer kernel than the one currently running would be invalid for Secure Boot. This already catches invalid signatures and unsigned kernels, and mitigates against broken firmwares by shipping the certificate for the most common kernel signatures (the Canonical cert). Upgrades should already have been migrating users to forcing the signed version of kernels to be installed when the official pacakges are being used.
Watch for upgrade failures due to false positives (correcly signed kernels that are detected as signed by unknown keys) or other failure modes of the upgrade of the grub packages. Grub functionality at boot has been unchanged.
[Background information]
Secure Boot will soon enforce that kernels are properly signed to be able to boot them. Catch systems early where this upgrade would break boot for our users, to ensure they can correct the situation while the system is running.
---
This is on a cosmic system. I wanted to test the 4.18 kernel in the kernel teams unstable ppa. I enabled that ppa, then ran "sudo apt-get update; sudo apt-get dist-upgrade" and then rebooted. Upon boot grub started reporting that none of the kernels I have installed have valid signatures. These were working just fine before this update. The only remedy was to disable secure boot in my bios.
---
ProblemType: Bug
ApportVersion: 2.20.10-0ubuntu9
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
DistroRelease: Ubuntu 18.10
EcryptfsInUse: Yes
InstallationDate: Installed on 2017-08-14 (380 days ago)
InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Alpha amd64 (20170812)
Package: grub2 (not installed)
ProcEnviron:
TERM=tmux-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSignature: Ubuntu 4.18.0-7.8-generic 4.18.5
Tags: wayland-session cosmic
Uname: Linux 4.18.0-7-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip kvm libvirt lpadmin plugdev sambashare sudo
_MarkForUpload: True |
|
2019-01-22 19:45:44 |
Brian Murray |
grub2 (Ubuntu Cosmic): status |
New |
Fix Committed |
|
2019-01-22 19:45:46 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2019-01-22 19:45:49 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2019-01-22 19:45:52 |
Brian Murray |
tags |
apport-collected cosmic id-5b88580cdfde156e4d27cc95 wayland-session |
apport-collected cosmic id-5b88580cdfde156e4d27cc95 verification-needed verification-needed-cosmic wayland-session |
|
2019-01-22 19:54:48 |
Brian Murray |
grub2 (Ubuntu Bionic): status |
New |
Fix Committed |
|
2019-01-22 19:54:52 |
Brian Murray |
tags |
apport-collected cosmic id-5b88580cdfde156e4d27cc95 verification-needed verification-needed-cosmic wayland-session |
apport-collected cosmic id-5b88580cdfde156e4d27cc95 verification-needed verification-needed-bionic verification-needed-cosmic wayland-session |
|
2019-01-28 22:17:49 |
Mathieu Trudel-Lapierre |
tags |
apport-collected cosmic id-5b88580cdfde156e4d27cc95 verification-needed verification-needed-bionic verification-needed-cosmic wayland-session |
apport-collected cosmic id-5b88580cdfde156e4d27cc95 verification-done-bionic verification-needed verification-needed-cosmic wayland-session |
|
2019-01-30 15:03:20 |
Mathieu Trudel-Lapierre |
tags |
apport-collected cosmic id-5b88580cdfde156e4d27cc95 verification-done-bionic verification-needed verification-needed-cosmic wayland-session |
apport-collected cosmic id-5b88580cdfde156e4d27cc95 verification-done-bionic verification-done-cosmic wayland-session |
|
2019-01-31 08:58:59 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2019-01-31 08:59:12 |
Launchpad Janitor |
grub2 (Ubuntu Cosmic): status |
Fix Committed |
Fix Released |
|
2019-01-31 09:16:28 |
Launchpad Janitor |
grub2 (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2019-03-22 19:40:41 |
Steve Langasek |
grub2 (Ubuntu Trusty): status |
New |
Fix Committed |
|
2019-03-22 19:40:44 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2019-03-22 19:40:51 |
Steve Langasek |
tags |
apport-collected cosmic id-5b88580cdfde156e4d27cc95 verification-done-bionic verification-done-cosmic wayland-session |
apport-collected cosmic id-5b88580cdfde156e4d27cc95 verification-done-bionic verification-done-cosmic verification-needed verification-needed-trusty wayland-session |
|
2019-04-01 16:05:20 |
Mathieu Trudel-Lapierre |
tags |
apport-collected cosmic id-5b88580cdfde156e4d27cc95 verification-done-bionic verification-done-cosmic verification-needed verification-needed-trusty wayland-session |
apport-collected cosmic id-5b88580cdfde156e4d27cc95 verification-done-bionic verification-done-cosmic verification-done-trusty verification-needed wayland-session |
|
2019-04-01 16:13:33 |
Steve Langasek |
tags |
apport-collected cosmic id-5b88580cdfde156e4d27cc95 verification-done-bionic verification-done-cosmic verification-done-trusty verification-needed wayland-session |
apport-collected cosmic id-5b88580cdfde156e4d27cc95 verification-done-bionic verification-done-cosmic verification-needed verification-needed-trusty wayland-session |
|
2019-04-01 21:17:47 |
Mathieu Trudel-Lapierre |
tags |
apport-collected cosmic id-5b88580cdfde156e4d27cc95 verification-done-bionic verification-done-cosmic verification-needed verification-needed-trusty wayland-session |
apport-collected cosmic id-5b88580cdfde156e4d27cc95 verification-done-bionic verification-done-cosmic verification-done-trusty wayland-session |
|
2019-04-09 19:37:06 |
Launchpad Janitor |
grub2 (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|