grub is not validating kernel if I embed a GPG public key in grub and sign kernel with GPG private key

Bug #1820296 reported by Rajendra Shardul
This bug affects 2 people
Affects: grub2 (Ubuntu)
Status: Opinion
Importance: Undecided
Assigned to: Unassigned
Milestone: (empty)

Bug Description

Hello,

I am embedding a custom GPG public key in grub and signing (detached) the 4.15.0-46-generic kernel with the GPG private key. Grub is not validating the kernel. I am getting the error "/vmlinuz-4.15.0-46-generic has invalid signature".

However, this process used to work fine on the 4.15.0-45-generic kernel. UEFI used to verify shim (custom SSL signed) and shim (embedded with SSL cert) used to verify grub (signed with custom SSL key). Grub would validate the kernel using the embedded custom GPG public key. The kernel would be signed with the custom GPG private key.

Are there any commits that went into grub which broke this feature? Is grub no longer validating the kernel with the key embedded in it? Does it always use UEFI keys to validate the kernel? Or does it give control to shim to verify the kernel?

Any inputs on this?

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in grub2 (Ubuntu):
status: New → Confirmed
Julian Andres Klode (juliank) wrote :

Kernels do have to be signed with UEFI methods, we do not support GPG.

Changed in grub2 (Ubuntu):
status: Confirmed → Opinion