ubuntu server 20.04.5 cannot be installed after enable secure boot

Bug #1990326 reported by shangsong
This bug affects 2 people
Affects                     Status     Importance  Assigned to  Milestone
debian-installer (Ubuntu)   Invalid    Undecided   Unassigned
  Focal                     Confirmed  Critical    Unassigned
shim (Ubuntu)               Invalid    Undecided   Unassigned
  Focal                     Invalid    Undecided   Unassigned

Bug Description

Reproduce steps
1. Enable secure boot in the UEFI.
2. Fresh install Ubuntu Server 20.04.5 LTS and the latest daily build, but it fails with "An unauthorized EFI image is detected, please enroll this EFI image or disable secure boot ...."

Others:
1. Both Ubuntu Server 18.04.6 and 22.04 can be installed normally.

It seems the key of 20.04.x has been added to the latest UEFI Revocation List File (Release Date: August 12, 2022, https://uefi.org/revocationlistfile/archive).

shangsong (shangsong2) wrote :
affects: subiquity (Ubuntu) → shim (Ubuntu)
Seth Arnold (seth-arnold) wrote : Bug is not a security issue

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

information type: Private Security → Public
Steve Langasek (vorlon)
Changed in debian-installer (Ubuntu):
status: New → Invalid
Changed in shim (Ubuntu):
status: New → Invalid
Steve Langasek (vorlon)
Changed in debian-installer (Ubuntu Focal):
importance: Undecided → Critical
Steve Langasek (vorlon) wrote :

This is an unfortunate bug caused by the fact that our point release process does not account for the need to update the debian-installer source package to get updated boot assets for the images, and as a result the 20.04.5 point release images, despite being built in August 2022, were built with an older shim version from February 2021 that we knew was going to be revoked.

Discussions are in progress for a .6 point release to correct this error.

Steve Langasek (vorlon)
Changed in shim (Ubuntu Focal):
status: New → Invalid
tags: added: rls-kk-incoming
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in debian-installer (Ubuntu Focal):
status: New → Confirmed
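
The report above refers to the UEFI revocation list (dbx). As an added example, not taken from this bug report or from any Ubuntu tooling, the following parses the EFI_SIGNATURE_LIST structures such a list is made of and tests whether a SHA-256 image digest appears in it. It assumes the input is raw signature-list data (any authentication header or efivarfs attribute prefix already stripped) and that the digest is the image's Authenticode hash; the function names and sample data are constructed for illustration.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
ESL_HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size

def sha256_entries(esl: bytes) -> set:
    """Return hex SHA-256 digests from concatenated EFI_SIGNATURE_LIST structures."""
    digests, off = set(), 0
    while off < len(esl):
        if len(esl) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(esl, off)
        body = off + ESL_HEADER.size + hdr_size
        end = off + list_size
        if list_size < ESL_HEADER.size or end > len(esl) or body > end:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        if uuid.UUID(bytes_le=raw_type) == EFI_CERT_SHA256_GUID:
            if sig_size != 16 + 32:  # owner GUID + 32-byte digest
                raise ValueError("unexpected SHA-256 entry size")
            for pos in range(body, end - sig_size + 1, sig_size):
                digests.add(esl[pos + 16:pos + sig_size].hex())
        off = end  # other list types (e.g. X.509 certificates) are skipped
    return digests

def is_revoked(authenticode_sha256_hex: str, esl: bytes) -> bool:
    """True if the given digest is listed as a SHA-256 entry in the list."""
    return authenticode_sha256_hex.lower() in sha256_entries(esl)

def make_list(sig_type: uuid.UUID, payloads: list) -> bytes:
    """Build one EFI_SIGNATURE_LIST (hypothetical helper for the sample data)."""
    owner = uuid.UUID(int=0).bytes_le
    entry = 16 + len(payloads[0])
    size = ESL_HEADER.size + entry * len(payloads)
    head = ESL_HEADER.pack(sig_type.bytes_le, size, 0, entry)
    return head + b"".join(owner + p for p in payloads)

# Constructed sample: digests of placeholder strings, not real revoked images.
OLD = hashlib.sha256(b"constructed-old-shim").digest()
NEW = hashlib.sha256(b"constructed-new-shim").digest()
SAMPLE_DBX = (make_list(EFI_CERT_X509_GUID, [b"\x30\x03\x02\x01\x00"])
              + make_list(EFI_CERT_SHA256_GUID, [OLD]))

if __name__ == "__main__":
    print(is_revoked(OLD.hex(), SAMPLE_DBX), is_revoked(NEW.hex(), SAMPLE_DBX))
```

A plain SHA-256 of the file will not match these entries, because the Authenticode digest leaves out the PE checksum, the certificate table entry and the attached signatures.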