← Back to team overview

kernel-packages team mailing list archive

[Bug 1528345] Re: grub or kernel update broke Secure Boot by putting grubx64.efi instead of shimx64.efi in EFI boot order


** Also affects: linux (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu)
       Status: New => Triaged

** Changed in: grub2 (Ubuntu)
       Status: Confirmed => Triaged

You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.

  grub or kernel update broke Secure Boot by putting grubx64.efi instead
  of shimx64.efi in EFI boot order

Status in One Hundred Papercuts:
Status in grub2 package in Ubuntu:
Status in linux package in Ubuntu:

Bug description:
  I've been running Ubuntu on a Lenovo ThinkPad X240.  I initially
  installed 14.10 when I got the machine in January.  I then upgraded to
  15.04, and on Monday evening (late December 14) I upgraded to 15.10.
  I rebooted once right after the update to make sure some postfix and
  opendkim configuration changes I made worked correctly after

  Then between Monday evening and Friday evening (December 19) there
  were a bunch of system updates that I installed.  On Friday evening I
  decided to reboot to boot into the updated kernel.  (There were also
  grub updates in that interval.)

  When I rebooted, the laptop said:

  Secure Boot
  Image failed to verify with *ACCESS DENIED*
  Press any key to continue.

  See the image (posted by somebody else) of this error in

  I had to disable secure boot to make the system boot.

  Based on the discussion in http://askubuntu.com/questions/710146/how-to-fix-secure-boot-error-image-failed-to-verify-with-access-denied-on-st it appears that the problem is that the updates caused it to try to boot directly to grub (File(\EFI‌​\ubuntu\grubx64.efi)) rather than via the shim (File(\EFI‌​\ubuntu\shimx64.efi)).  I don't know for sure what sequence of events caused that, nor did I verify for certain that it was booting via the shim before.  However, I know that this reboot on Friday was the first time I had a secure boot failure since installing Ubuntu on the laptop (and using only Ubuntu; no other OSes involved) in January.

  I'll attach a list of the system updates that were applied in the
  interval between the successful boot and the failed one from
  /var/log/dpkg.log .  Note that the log is in UTC but my description
  above ("evening", etc., is in UTC-8, so the evening of December 14 is
  actually around 07:00 UTC on December 15).  Note that this log
  contains a grub update, two kernel updates, and the removal of the
  first of those kernel updates via apt-get autoremove.

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: grub-common 2.02~beta2-29ubuntu0.2
  ProcVersionSignature: Ubuntu 4.2.0-22.27-generic 4.2.6
  Uname: Linux 4.2.0-22-generic x86_64
  ApportVersion: 2.19.1-0ubuntu5
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Mon Dec 21 15:39:21 2015
  EcryptfsInUse: Yes
  InstallationDate: Installed on 2015-01-25 (330 days ago)
  InstallationMedia: Ubuntu 14.10 "Utopic Unicorn" - Release amd64 (20141022.1)
  SourcePackage: grub2
  UpgradeStatus: Upgraded to wily on 2015-12-15 (6 days ago)

To manage notifications about this bug go to: