kernel-packages team mailing list archive
Mailing list archive
Re: [Bug 1528345] Re: grub or kernel update broke Secure Boot by putting grubx64.efi instead of shimx64.efi in EFI boot order
On Thu, Jan 07, 2016 at 07:14:48PM -0000, Marc Deslauriers wrote:
> Wouldn't the grub2 package simply be held back if the proper version
> required by grub2-signed isn't available?
Not in all cases.
> Why did the grub2-signed binary package get uninstalled during the
This is allowable when running 'apt-get dist-upgrade', which is presumably
how the affected users have been applying updates.
When using update-manager, we have more control to avoid accidental removal
of packages when applying updates. When a user explicitly invokes apt-get,
we don't have control over this.
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
grub or kernel update broke Secure Boot by putting grubx64.efi instead
of shimx64.efi in EFI boot order
Status in One Hundred Papercuts:
Status in grub2 package in Ubuntu:
Status in linux package in Ubuntu:
I've been running Ubuntu on a Lenovo ThinkPad X240. I initially
installed 14.10 when I got the machine in January. I then upgraded to
15.04, and on Monday evening (late December 14) I upgraded to 15.10.
I rebooted once right after the update to make sure some postfix and
opendkim configuration changes I made worked correctly after
Then between Monday evening and Friday evening (December 19) there
were a bunch of system updates that I installed. On Friday evening I
decided to reboot to boot into the updated kernel. (There were also
grub updates in that interval.)
When I rebooted, the laptop said:
Image failed to verify with *ACCESS DENIED*
Press any key to continue.
See the image (posted by somebody else) of this error in
I had to disable secure boot to make the system boot.
Based on the discussion in http://askubuntu.com/questions/710146/how-to-fix-secure-boot-error-image-failed-to-verify-with-access-denied-on-st it appears that the problem is that the updates caused it to try to boot directly to grub (File(\EFI\ubuntu\grubx64.efi)) rather than via the shim (File(\EFI\ubuntu\shimx64.efi)). I don't know for sure what sequence of events caused that, nor did I verify for certain that it was booting via the shim before. However, I know that this reboot on Friday was the first time I had a secure boot failure since installing Ubuntu on the laptop (and using only Ubuntu; no other OSes involved) in January.
I'll attach a list of the system updates that were applied in the
interval between the successful boot and the failed one from
/var/log/dpkg.log . Note that the log is in UTC but my description
above ("evening", etc., is in UTC-8, so the evening of December 14 is
actually around 07:00 UTC on December 15). Note that this log
contains a grub update, two kernel updates, and the removal of the
first of those kernel updates via apt-get autoremove.
DistroRelease: Ubuntu 15.10
Package: grub-common 2.02~beta2-29ubuntu0.2
ProcVersionSignature: Ubuntu 4.2.0-22.27-generic 4.2.6
Uname: Linux 4.2.0-22-generic x86_64
Date: Mon Dec 21 15:39:21 2015
InstallationDate: Installed on 2015-01-25 (330 days ago)
InstallationMedia: Ubuntu 14.10 "Utopic Unicorn" - Release amd64 (20141022.1)
UpgradeStatus: Upgraded to wily on 2015-12-15 (6 days ago)
To manage notifications about this bug go to: