[Xenial] Update to kernel 4.4.0-112-generic make the system failed to boot with enabled BIOS SecureBoot mode

Bug #1745740 reported by Taihsiang Ho on 2018-01-27
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
grub2 (Ubuntu)
Undecided
Unassigned
Xenial
Undecided
Unassigned
linux (Ubuntu)
High
Unassigned
Xenial
High
Unassigned

Bug Description

[Description]

After updating from 4.4.0-111 to the latest 4.4.0-112, the system with enabled BIOS SecureBoot mode will fail to boot because of "Operating System Loading signature not found in SecureBoot database" prompted by BIOS (See the attachment picture)

[Steps to Reproduce]

1. Prepare a system installed with 16.04.1 and enabled BIOS SecureBoot mode.
2. Update the system (over the Update manager GUI or "apt-get dist-upgrade")
3. Reboot the system to make the update effective.

[Expected Result]

The system gets ready to use after reboot.

[Actual Result]

The system stops at the BIOS stage with the prompted message "Operating System Loading signature not found in SecureBoot database" prompted by BIOS (See the attachment picture)

[Reproducible Systems]

So far I reproduced this issue on the following machine:

CID 201410-15915 - Dell XPS 13 9343
CID 201610-25147 - Dell OptiPlex 7450 AIO
(potential candidate[1]) - CID 201610-25144 - Dell Precision 5520
(potential candidate) - CID 201606-22338 - Dell XPS 13 9360

[1] "potential candidate" means the system failed to boot after system update but have not identified it was encountered the same issue.

------------------------------------------------------------------

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: linux-image-4.4.0-112-generic 4.4.0-112.135
ProcVersionSignature: Ubuntu 4.4.0-112.135-generic 4.4.98
Uname: Linux 4.4.0-112-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.15
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: tai271828 1742 F.... pulseaudio
 /dev/snd/controlC1: tai271828 1742 F.... pulseaudio
CurrentDesktop: Unity
Date: Sat Jan 27 21:28:25 2018
HibernationDevice: RESUME=UUID=f182f469-555b-4f5d-b3df-c77ccc5d60c8
InstallationDate: Installed on 2017-03-01 (332 days ago)
InstallationMedia: Ubuntu 16.04.1 LTS "Xenial Xerus" - Release amd64 (20160719)
MachineType: Dell Inc. XPS 13 9343
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-112-generic.efi.signed root=UUID=d464a83f-1802-468f-bf5c-6c2eb6be441b ro quiet splash vt.handoff=7
RelatedPackageVersions:
 linux-restricted-modules-4.4.0-112-generic N/A
 linux-backports-modules-4.4.0-112-generic N/A
 linux-firmware 1.157.16
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 07/14/2015
dmi.bios.vendor: Dell Inc.
dmi.bios.version: A05
dmi.board.name: 0144PA
dmi.board.vendor: Dell Inc.
dmi.board.version: X04
dmi.chassis.type: 9
dmi.chassis.vendor: Dell Inc.
dmi.modalias: dmi:bvnDellInc.:bvrA05:bd07/14/2015:svnDellInc.:pnXPS139343:pvr:rvnDellInc.:rn0144PA:rvrX04:cvnDellInc.:ct9:cvr:
dmi.product.name: XPS 13 9343
dmi.sys.vendor: Dell Inc.

Taihsiang Ho (taihsiangho) wrote :
description: updated

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
Changed in linux (Ubuntu):
importance: Undecided → High
tags: added: kernel-key pti
Changed in linux (Ubuntu Xenial):
status: New → Triaged
Changed in linux (Ubuntu):
status: Confirmed → Triaged
Changed in linux (Ubuntu Xenial):
importance: Undecided → High
Joseph Salisbury (jsalisbury) wrote :

Can we get versions of grub2/grub2-signed off the box

Joseph Salisbury (jsalisbury) wrote :

This may be a duplicate of bug 1743908

Changed in linux (Ubuntu):
status: Triaged → Incomplete
Changed in linux (Ubuntu Xenial):
status: Triaged → Incomplete
tags: added: kernel-da-key
removed: kernel-key

How was this system installed? Was it installed in BIOS mode and then changed to UEFI?

Is shim-signed correctly installed on the system? Without shim-signed installed and present on the ESP partition (/boot/efi/EFI/ubuntu/bootx64.efi); as well as listed as the BootEntry to load (sudo efibootmgr -v will tell), the system will not be able to boot an image recognized as valid by the Microsoft keys that are usually on these systems.

Changed in grub2 (Ubuntu):
status: New → Incomplete
Brad Figg (brad-figg) on 2019-07-24
tags: added: cscc
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers