Self-signed kernel is not loaded correctly although being signed with MOK-enrolled keys
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
grub2-signed (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
I have a strange problem with secure boot and self-signed kernels. On 20.10 I was able to boot (everything with Secure Boot) both Canonical-signed and self-signed kernels. After the upgrade to 21.04, loading self-signed kernels doesn't work anymore: I get a "vmlinuz has invalid signature" error. The error seems clear enough, but:
- Secure Boot is on and grub loads just fine and loads Canonical-signed kernels 100% fine (so it's something about my signing key, right?)
- my custom key seems to be enrolled into mok db just fine
```
root@T495:~# mokutil --test-key /root/mok/MOK.der
mok/MOK.der is already enrolled
```
- image is signed with the same key as checked above with mokutil
```
sudo sbsign --key /root/mok/MOK.priv --cert /root/mok/MOK.pem /boot/vmlinuz-
Image was already signed; adding additional signature
```
Seems a bug in grub, but I don't know how to debug it.
ProblemType: Bug
DistroRelease: Ubuntu 21.04
Package: grub-efi-
ProcVersionSign
Uname: Linux 5.11.0-31-generic x86_64
ApportVersion: 2.20.11-0ubuntu65.1
Architecture: amd64
CasperMD5CheckR
CurrentDesktop: ubuntu:GNOME
Date: Mon Sep 6 10:30:02 2021
InstallationDate: Installed on 2019-12-07 (638 days ago)
InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017)
SourcePackage: grub2-signed
UpgradeStatus: Upgraded to hirsute on 2021-04-24 (134 days ago)
Status changed to 'Confirmed' because the bug affects multiple users.