2

Whenever I am updating ubuntu getting following error message. The message is asking me to remove or replace the current kernel version with the signed version.

How to do this?

Below is the message I am getting:

Your system has UEFI Secure Boot enabled in firmware, and the following kernels present on your system are unsigned:

4.19.6

These kernels cannot be verified under Secure Boot. To ensure your system remains bootable, GRUB will not be upgraded on your disk until these kernels are removed or replaced with signed kernels.

Following kernels are right now installed in my machine, which is listed by running command: dpkg --list | grep linux-image

  1. ic linux-image-4.15.0-29-generic 4.15.0-29.31 amd64 Signed kernel image generic
  2. rc linux-image-4.15.0-39-generic 4.15.0-39.42 amd64 Signed kernel image generic
  3. ii linux-image-4.15.0-42-generic 4.15.0-42.45 amd64 Signed kernel image generic
  4. ii linux-image-4.15.0-43-generic 4.15.0-43.46 amd64 Signed kernel image generic
  5. ii linux-image-4.15.0-45-generic 4.15.0-45.48 amd64 Signed kernel image generic
  6. ii linux-image-generic 4.15.0.45.47 amd64 Generic Linux kernel image
  7. ii linux-image-unsigned-4.19.5-041905-generic 4.19.5-041905.201812031110 amd64 Linux kernel image for version 4.19.5 on 64 bit x86 SMP

kernel version I am running, retrieved by running command uname -a:

Linux dipak 4.19.6 #1 SMP Tue Dec 18 10:30:34 IST 2018 x86_64 x86_64 x86_64 GNU/Linux

Ubuntu distrubution version (lsb_release -a):

No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 18.04.2 LTS Release: 18.04 Codename: bionic

Dipak
  • 123
  • 1
    Kernel 4.19 is not from Ubuntu, so it can not be signed by Canonical. Just use the 4.15 kernel, which is signed. I don't know if a signed version of 4.19 exists. You are welcome to look for it, but it's unrelated to Ubuntu. – mikewhatever Feb 20 '19 at 07:01
  • @mikewhatever Thanks, same as I expected, so as my question says how can I switch back to older Kernel version? – Dipak Feb 20 '19 at 07:23
  • 1
    Here you go: https://askubuntu.com/questions/82140/how-can-i-boot-with-an-older-kernel-version. – mikewhatever Feb 20 '19 at 08:27

1 Answers1

1

We have the same issue since the last update of Grub (Feb. 1st). Unsigned Kernels won’t boot if secure boot is enabled. It ends with a message saying invalid signature, you must load the kernel first. Requires a cold shutdown.

You have 2 choices:

  1. You disable secure boot permanently in the BIOS (worst option)
  2. You disable secure boot temporally on startup with MOK manager

MokManager

sudo mokutil  --disable-validation
root password
mok password: 12345678
mok password: 12345678
sudo reboot

The machine will reboot in a blue screen, the MOK manager menu.. Type the number(s) shown, if its 7, it is the 7th character of the password. So, keep 12345678. The question to answer is Yes to disable secure boot. Reboot.

You’ll see on startup after a new message (top left) saying <<Booting in insecure mode>>. The machine will boot normally after and secure boot remains enabled.

This change is permanent, a clean install of Ten won't overwrite it. You must keep it that way.

To re-enable it:

sudo mokutil  --enable-validation
root password
mok password: 12345678
mok password: 12345678
sudo reboot

Tumbleweed offers an option that doesn’t work in Ubuntu: Enroll Key and hash to the boot loader. Our computer is not dual boot and the bug is also present in Mint 19.1.

We made a modification to boot in the Grub menu for 5 seconds, since left shift key does not work here, nor any other combination of keys. This tweak works fine in LVM.

GRUB_DEFAULT=0

GRUB_TIMEOUT_STYLE=false

GRUB_TIMEOUT=

https://www.rodsbooks.com/refind/secureboot.html

http://www.rodsbooks.com/efi-bootloaders/secureboot.html#add_keys

mokutil  --sb-state
SecureBoot enabled

4.19.5-041905: Unsigned and default

sudo apt-get purge linux-headers-4.19.5-041905 linux-headers-4.19.5-041905-generic linux-image-4.19.5-041905-generic linux-modules-4.19.5-041905-generic

4.15.0-29

sudo apt-get purge linux-headers-4.15.0-29 linux-headers-4.15.0-29-generic linux-image-4.15.0-29-generic

4.15.0-39 + 42

sudo apt-get remove --purge $(sudo dpkg -l | grep "^rc" | awk '{print $2}' | tr '\n' ' ')

The first command gave me following message/error:

dpkg: error: need an action option

Type dpkg --help for help about installing and deinstalling packages [*]; Use 'apt' or 'aptitude' for user-friendly package management; Type dpkg -Dhelp for a list of dpkg debug flag values; Type dpkg --force-help for a list of forcing options; Type dpkg-deb --help for help about manipulating *.deb files;

Options marked [*] produce a lot of output - pipe it through 'less' or 'more' !

What is the reading now:

dpkg --list | grep linux-image
  1. rc linux-image-4.15.0-39-generic 4.15.0-39.42 amd64 Signed kernel image generic
  2. rc linux-image-4.15.0-42-generic 4.15.0-42.45 amd64 Signed kernel image generic
  3. ii linux-image-4.15.0-43-generic 4.15.0-43.46 amd64 Signed kernel image generic
  4. ii linux-image-4.15.0-45-generic 4.15.0-45.48 amd64 Signed kernel image generic
  5. ic linux-image-unsigned-4.19.5-041905-generic 4.19.5-041905.201812031110 amd64 Linux kernel image for version 4.19.5 on 64 bit x86 SMP

There is a conflict with 4.19.5,(only the config files are installed). You did not install 4.19 properly. Re-install 4.19.5 and uninstall it after.

Get the 2 generic headers + modules generic + image generic there:

https://kernel.ubuntu.com/~kernel-ppa/mainline/?C=N;O=D

Then make sure there is no deb files in the Downloads folder and run this:

cd //home/**your user name**/Downloads
sudo dpkg -i *.deb

Reboot

Mikemecanic
  • 141
  • 5
  • So these changes wont change the current Kernel version right? – Dipak Feb 20 '19 at 09:05
  • It allows you to boot an higher kernel (unsigned) and keep secure boot enabled. You will boot in the highest Kernel, but I think this not what you are looking for? – Mikemecanic Feb 20 '19 at 17:50
  • Yes exactly, I am looking for a way to go to lower kernel version, so that its default signed and I can update all software without any problems. – Dipak Feb 21 '19 at 06:02
  • There’s a bug with .29 and .39 was not properly removed. If you wish to remove unsigned one, lets do it. – Mikemecanic Feb 21 '19 at 16:18
  • dpkg --list | grep linux-image out put after running each command is added into the answer. – Dipak Feb 22 '19 at 04:56
  • Also there was some issue in running command dpkg -l | grep "^rc" | cut -d " " -f 3 | xargs sudo dpkg –purge I have updated the answer with the output. – Dipak Feb 22 '19 at 05:06
  • Install/uninstall 4.19.5 here and given cmd line works. I think will have to go in Synaptic Package Manager to delete the Kernel. See cmd line for 39 and 42 – Mikemecanic Feb 22 '19 at 16:04
  • I am not able to follow you here, which is line number 39 and 42? – Dipak Feb 25 '19 at 11:54
  • reinstall 4.19.5 and uninstall it after with the given cmd lines – Mikemecanic Feb 26 '19 at 03:17