apport information

** Attachment added: "ProcEnviron.txt"
   https://bugs.launchpad.net/bugs/1798384/+attachment/5202420/+files/ProcEnviron.txt
** Description changed:

  The grub 2.02 in bionic still has the insecure commands which "linux" and "initrd", it allows to load unsigned kernel and initrd.

  Even BIOS has forced the secure boot, when grub boot menu shows and stay few seconds and it allows to enter to grub command-line by press 'c'. In the grub command-line, that's easy to load unsigned kernel by 'linux' and 'initrd' commands.

  Suggest to remove the 'linux' and 'initrd' from grub commands list.

- ---
+
+ ---
+ Reproduce steps:
+ 1. Install an unsigned kernel
+ 2. Enable secure boot from BIOS
+ 3. Reboot system an boot normally to make sure unsigned kernel boot fails (grub.cfg loads kerenl by "linuxefi" and "initrdefi")
+ error: /boot/vmlinuz-4.15.0-1014 has invalied signature
+ error: you need to load the kernel first.
+
+ Press any key to continue...
+ 4. After few seconds, system will back to grub menu. Now press 'c' to enter grub command line mode
+ 5. Enter the following grub commands to load unsigned kernel and initrd and boot into unsigned kernel
+ grub> linux (hd0,gpt3)/boot/vmlinuz-4.15.0-1014
+ grub> initrd (hd0,gpt3)/boot/initrd.img-4.15.0-1014
+ grub> boot
+
+ Expect result:
+ Block the unsigned kernel to boot
+
+ Actual result:
+ Boot unsigned kernel successfully
+
+
+ ---
  ProblemType: Bug
  .proc.sys.kernel.moksbstate_disabled: Error: [Errno 2] No such file or directory: '/proc/sys/kernel/moksbstate_disabled'
  ApportVersion: 2.20.9-0ubuntu7.4
  Architecture: amd64
  DistroRelease: Ubuntu 18.04
  EFITables:
- Oct 18 06:31:42 dell-edge-iot kernel: efi: EFI v2.70 by American Megatrends
- Oct 18 06:31:42 dell-edge-iot kernel: efi: ACPI 2.0=0x8b7e9000 ACPI=0x8b7e9000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x8bc4d118 MEMATTR=0x87951018
- Oct 18 06:31:42 dell-edge-iot kernel: secureboot: Secure boot disabled
- Oct 18 06:31:42 dell-edge-iot kernel: esrt: Reserving ESRT space from 0x000000008bc4d118 to 0x000000008bc4d150.
+ Oct 18 06:31:42 dell-edge-iot kernel: efi: EFI v2.70 by American Megatrends
+ Oct 18 06:31:42 dell-edge-iot kernel: efi: ACPI 2.0=0x8b7e9000 ACPI=0x8b7e9000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x8bc4d118 MEMATTR=0x87951018
+ Oct 18 06:31:42 dell-edge-iot kernel: secureboot: Secure boot disabled
+ Oct 18 06:31:42 dell-edge-iot kernel: esrt: Reserving ESRT space from 0x000000008bc4d118 to 0x000000008bc4d150.
  Package: shim-signed 1.37~18.04.2+15+1533136590.3beb971-0ubuntu1
  PackageArchitecture: amd64
  ProcVersionSignature: Ubuntu 4.15.0-1014.18-caracalla 4.15.18
  Tags: bionic uec-images
  Uname: Linux 4.15.0-1014-caracalla x86_64
  UpgradeStatus: No upgrade log present (probably fresh install)
  UserGroups: adm cdrom dip lxd plugdev sudo
  _MarkForUpload: True

--
https://bugs.launchpad.net/bugs/1798384

Title:
  Grub allows to load unsigned kernel even BIOS enabled secure boot