Upgrade from 16.04 to 18.04 failed
A notification came up:
Cannot upgrade secure boot enforcement policy due to unsigned kernels
Your system has UEFI secure boot enabled firmware, and the following kernels present on your system are unsigned:
4.4.0-134-generic
The kernels cannot be verified under secure boot. To ensure your system remains bootable, GRUB will not be upgraded on your disk until these kernels are removed or replaced with signed kernels.
and the upgrade has stopped. Can someone please tell me what to do?
16.04 18.04 upgrade
asked Aug 27 '18 at 14:13 by c.m.williams (edited Jul 31 at 16:55 by Kevin Bowen)
3 Answers
You could turn off secure boot in your BIOS/UEFI Settings and let the unsigned packages upgrade, or install the linux-signed-generic, shim-signed, grub-efi-amd64-signed, and fwupdate-signed on your 16.04 system and upgrade with secure boot.
The upgrade should work if you turn off secure boot and try again.
To install the packages, start a terminal (Ctrl + Alt + T) and type:
sudo apt-get install linux-signed-generic shim-signed grub-efi-amd64-signed fwupdate-signed
Thank you very much. Can you please tell me how to install the linux-signed-generic, shim-signed, grub-efi-amd64-signed, and fwupdate-signed, or direct me to a page which will give me the information. Thanks again for answering.
– c.m.williams
Aug 27 '18 at 17:47
P.S. If I reboot my system now and change the BIOS setting, will the upgrade still work?
– c.m.williams
Aug 27 '18 at 17:48
Hey, thank you, "ubfan1" I followed your advice and changed the bios setting and the upgrade went through, everything is working just fine. Thanks again for your advice, much appreciated.
– c.m.williams
Aug 27 '18 at 19:57
You can click on the accept answer icon and that marks this as solved.
– ubfan1
Aug 27 '18 at 20:01
Your answer helps, thanks. After disabling secure boot, restarting and then installing the packages you presented, the upgrade finishes. Now can I enable secure boot again, or should I keep it disabled in order to use Ubuntu 18?
– Liu Sha
Sep 13 '18 at 15:17
Running uname -r should state 18.04 after a reboot. If reboot fails, go into recovery mode and repair install (dpkg) then boot normally.
After booting, install linux-generic which should install the latest (4.15) kernel
Reboot and at the grub menu, select advanced and boot into the 4.15 kernel.
Then run sudo apt-get install linux-signed-generic shim-signed grub-efi-amd64-signed fwupdate-signed - which should now install without errors
Then sudo apt update && sudo apt upgrade and you should be good to go.
I also encountered this problem, and I solved it recently by signing the kernel.
Warning: replacing the unsigned kernel is dangerous; any tiny mistake may cause a kernel panic. Please be aware of what you are doing.
Acknowledgment
Thanks to the following two posts I learned how to sign a kernel to solve this problem; you can refer to them for more details.
https://sqizit.bartletts.id.au/2019/04/23/fixing-grub-error-about-unsigned-kernel-in-ubuntu/
https://ubuntu.com/blog/how-to-sign-things-for-secure-boot
My notes for solving this problem are listed below.
Fixing grub error about unsigned kernel in Ubuntu
ERROR INFO:
Cannot upgrade Secure Boot enforcement policy due to unsigned kernels
Your system has UEFI Secure Boot enabled in firmware, and the following kernels present on your system are unsigned:
4.18.20-041820-generic
These kernels cannot be verified under Secure Boot. To ensure your system remains bootable, GRUB will not be upgraded on your disk until these kernels are removed or replaced with signed kernels.
Certificates in shim
- cd to a directory where you want to save the certificates
- vim openssl.cnf to create a new file
- input the following contents in the file (modify the req_distinguished_name info if you like; it is OK to leave it as it is).
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3
string_mask = utf8only
prompt = no
[ req_distinguished_name ]
countryName = CA
stateOrProvinceName = Quebec
localityName = Montreal
0.organizationName = cyphermox
commonName = Secure Boot Signing
emailAddress = example@example.com
[ v3 ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6
nsComment = "OpenSSL Generated Certificate"
- create the private and public keys
openssl req -config ./openssl.cnf \
-new -x509 -newkey rsa:2048 \
-nodes -days 36500 -outform DER \
-keyout "MOK.priv" \
-out "MOK.der"
Enrolling the key
To enroll a key, use the mokutil command:
sudo mokutil --import MOK.der
Follow the prompts to enter a password that will be used to make sure you really do want to enroll the key in a minute.
Once this is done, reboot. Just before loading GRUB, shim will show a blue screen (which is actually another piece of the shim project called “MokManager”). Use that screen to select “Enroll MOK” and follow the menus to finish the enrolling process. You can also look at some of the properties of the key you’re trying to add, just to make sure it’s indeed the right one, using “View key”. MokManager will ask you for the password we typed in earlier when running mokutil, and will save the key, and we’ll reboot again.
Sign a custom kernel you want to have loaded by shim
- convert the certificate we created earlier into PEM:
openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
- back up the original vmlinuz file (e.g., vmlinuz-4.18.5-041805-generic)
sudo cp /boot/vmlinuz-4.18.5-041805-generic ./
- sign the kernel with the following command (modify the kernel name accordingly)
sudo sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-4.18.5-041805-generic --output vmlinuz-4.18.5-041805-generic.signed
- move the signed kernel to the /boot/ directory (and make sure the signed kernel has the same name as the original one)
sudo mv vmlinuz-4.18.5-041805-generic.signed /boot/vmlinuz-4.18.5-041805-generic
- rebuild grub menus with the following command
sudo dpkg-reconfigure grub-pc
This command causes grub to rebuild its menus. Make sure that for each grub menu item (especially the signed one), there is a linux ... line and an initrd ... line. Otherwise you may encounter a "kernel panic" the next time you reboot the system.
Rebuilding grub menu is probably not strictly necessary because I didn’t actually add any new kernels to /boot/, but it was worth running to make sure there weren’t any errors.
- This fixes the installation of the package that was broken. If all goes according to plan, it should no longer show an error.
sudo dpkg --configure grub-efi-amd64-signed
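A pre-reboot check for the signing procedure in the answer above, as an added example that is not part of the original answer: it verifies each kernel image against the given certificate(s) with `sbverify --cert` and flags grub menu entries that have a `linux` line but no `initrd` line. The function names and the `SBVERIFY` override are hypothetical; it assumes `sbverify` from the sbsigntool package and the `MOK.pem` file created above.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes sbverify from the
# sbsigntool package; SBVERIFY may be overridden, e.g. for testing.
SBVERIFY="${SBVERIFY:-sbverify}"

# verifies_with_any IMAGE CERT...
# Succeeds if IMAGE carries a signature that verifies against any CERT (PEM).
verifies_with_any() {
    image=$1; shift
    for cert in "$@"; do
        "$SBVERIFY" --cert "$cert" "$image" >/dev/null 2>&1 && return 0
    done
    return 1
}

# unverified_kernels BOOT_DIR CERT...
# Prints every vmlinuz-* in BOOT_DIR that verifies against none of the CERTs.
# Distribution kernels are signed with the distribution's key, so pass that
# certificate as well as MOK.pem if such kernels are installed.
unverified_kernels() {
    boot_dir=$1; shift
    for k in "$boot_dir"/vmlinuz-*; do
        [ -f "$k" ] || continue          # glob matched nothing
        verifies_with_any "$k" "$@" || printf '%s\n' "$k"
    done
}

# entries_missing_initrd GRUB_CFG
# Prints the title of each menuentry that loads a kernel with a `linux` line
# but has no `initrd` line. Entries without a `linux` line (firmware setup
# and the like) are skipped; that filter is an assumption of this example.
entries_missing_initrd() {
    awk '
        /^[ \t]*menuentry[ \t]/ {
            in_entry = 1; has_linux = 0; has_initrd = 0
            title = $0
            sub(/^[ \t]*menuentry[ \t]+/, "", title)
            q = substr(title, 1, 1)                  # opening quote, if any
            if (q == "\047" || q == "\"") {
                title = substr(title, 2)
                title = substr(title, 1, index(title, q) - 1)
            }
            next
        }
        in_entry && /^[ \t]*linux[ \t]/  { has_linux = 1 }
        in_entry && /^[ \t]*initrd[ \t]/ { has_initrd = 1 }
        in_entry && /^[ \t]*[}]/ {
            if (has_linux && !has_initrd) print title
            in_entry = 0
        }
    ' "$1"
}

# preflight BOOT_DIR GRUB_CFG CERT...
# Reports both kinds of problem; returns 0 only when none are found.
preflight() {
    dir=$1; cfg=$2; shift 2
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    bad_kernels=$(unverified_kernels "$dir" "$@")
    bad_entries=$(entries_missing_initrd "$cfg")
    [ -z "$bad_kernels" ] ||
        printf '%s\n' "$bad_kernels" | sed 's/^/signature not verified: /'
    [ -z "$bad_entries" ] ||
        printf '%s\n' "$bad_entries" | sed 's/^/menu entry without initrd: /'
    [ -z "$bad_kernels$bad_entries" ]
}

# Example: sh preflight.sh /boot /boot/grub/grub.cfg MOK.pem
if [ "$#" -ge 3 ]; then
    preflight "$@"
fi
```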
answered Aug 27 '18 at 15:02 by ubfan1 (edited Aug 27 '18 at 18:28)
answered Oct 29 '18 at 4:53 by Nah.uhh
add a comment
|
add a comment
|
I also encountered this problem, and I solved it recently by signing the kernel.
Warning: replacing the unsigned kernel is dangers; any tiny mistakes may cause kernel panic. Please be aware of what you are doing.
Acknowledgment
Thanks to following two posts I leaned how to sign a kernel to solve this problem, you can refer to them for more details.
https://sqizit.bartletts.id.au/2019/04/23/fixing-grub-error-about-unsigned-kernel-in-ubuntu/
https://ubuntu.com/blog/how-to-sign-things-for-secure-boot
My notes for solving this problem are listed below.
Fixing grub error about unsigned kernel in Ubuntu
ERROR INFO:
Cannot upgrade Secure Boot enforcement policy due to unsigned kernels
Your system has UEFI Secure Boot enabled in firmware, and the following kernels present on your system are unsigned:
4.18.20-041820-generic
These kernels cannot be verified under Secure Boot. To ensure your system remains bootable, GRUB will not be upgraded on your disk until these kernels are removed or replaced with signed kernels.
Certificates in shim
- cd to a directory you want to save the Certificates
vim openssl.cnfto create a new file- input following contents in the file (modify the req_distinguished_name info if you like, it is ok to left it as it is).
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3
string_mask = utf8only
prompt = no
[ req_distinguished_name ]
countryName = CA
stateOrProvinceName = Quebec
localityName = Montreal
0.organizationName = cyphermox
commonName = Secure Boot Signing
emailAddress = example@example.com
[ v3 ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6
nsComment = "OpenSSL Generated Certificate"
- creat the private and public keys
openssl req -config ./openssl.cnf
-new -x509 -newkey rsa:2048
-nodes -days 36500 -outform DER
-keyout "MOK.priv"
-out "MOK.der"
Enrolling the key
To enroll a key, use the mokutil command:
sudo mokutil --import MOK.der
Follow the prompts to enter a password that will be used to make sure you really do want to enroll the key in a minute.
Once this is done, reboot. Just before loading GRUB, shim will show a blue screen (which is actually another piece of the shim project called “MokManager”). use that screen to select “Enroll MOK” and follow the menus to finish the enrolling process. You can also look at some of the properties of the key you’re trying to add, just to make sure it’s indeed the right one using “View key”. MokManager will ask you for the password we typed in earlier when running mokutil; and will save the key, and we’ll reboot again.
sign a custom kernel you want to have loaded by shim
- convert the certificate we created earlier into PEM:
openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
back up the original vmlinuz file (e.g., vmlinuz-4.18.5-041805-generic)
sudo cp /boot/vmlinuz-4.18.5-041805-generic ./
- sign the kernel with following command (modify the kernel name accordingly)
sudo sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-4.18.5-041805-generic --output vmlinuz-4.18.5-041805-generic.signed
- move the signed kernel to the
/boot/directory (and make sure the signed kernel has the same name as the original one)
sudo mv vmlinuz-4.18.5-041805-generic.signed /boot/vmlinuz-4.18.5-041805-generic
- rebuild grub menus with following command
sudo dpkg-reconfigure grub-pc
This command causes grub to rebuild its menus. Make sure for each grub menu item (especially the signed one), there is a linux ... line and a initrd .... line. Otherwise you may encounter "kernel panic" next time you reboot the system.
Rebuilding grub menu is probably not strictly necessary because I didn’t actually add any new kernels to /boot/, but it was worth running to make sure there weren’t any errors.
- This fixes the installation of the package that was broken. If all goes according to plan, it should no longer show an error.
sudo dpkg --configure grub-efi-amd64-signed
add a comment
|
I also encountered this problem, and I solved it recently by signing the kernel.
Warning: replacing the unsigned kernel is dangers; any tiny mistakes may cause kernel panic. Please be aware of what you are doing.
Acknowledgment
Thanks to following two posts I leaned how to sign a kernel to solve this problem, you can refer to them for more details.
https://sqizit.bartletts.id.au/2019/04/23/fixing-grub-error-about-unsigned-kernel-in-ubuntu/
https://ubuntu.com/blog/how-to-sign-things-for-secure-boot
My notes for solving this problem are listed below.
Fixing grub error about unsigned kernel in Ubuntu
ERROR INFO:
Cannot upgrade Secure Boot enforcement policy due to unsigned kernels
Your system has UEFI Secure Boot enabled in firmware, and the following kernels present on your system are unsigned:
4.18.20-041820-generic
These kernels cannot be verified under Secure Boot. To ensure your system remains bootable, GRUB will not be upgraded on your disk until these kernels are removed or replaced with signed kernels.
Certificates in shim
- cd to a directory you want to save the Certificates
vim openssl.cnfto create a new file- input following contents in the file (modify the req_distinguished_name info if you like, it is ok to left it as it is).
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3
string_mask = utf8only
prompt = no
[ req_distinguished_name ]
countryName = CA
stateOrProvinceName = Quebec
localityName = Montreal
0.organizationName = cyphermox
commonName = Secure Boot Signing
emailAddress = example@example.com
[ v3 ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6
nsComment = "OpenSSL Generated Certificate"
- creat the private and public keys
openssl req -config ./openssl.cnf
-new -x509 -newkey rsa:2048
-nodes -days 36500 -outform DER
-keyout "MOK.priv"
-out "MOK.der"
Enrolling the key
To enroll a key, use the mokutil command:
sudo mokutil --import MOK.der
Follow the prompts to enter a password that will be used to make sure you really do want to enroll the key in a minute.
Once this is done, reboot. Just before loading GRUB, shim will show a blue screen (which is actually another piece of the shim project called “MokManager”). use that screen to select “Enroll MOK” and follow the menus to finish the enrolling process. You can also look at some of the properties of the key you’re trying to add, just to make sure it’s indeed the right one using “View key”. MokManager will ask you for the password we typed in earlier when running mokutil; and will save the key, and we’ll reboot again.
sign a custom kernel you want to have loaded by shim
- convert the certificate we created earlier into PEM:
openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
back up the original vmlinuz file (e.g., vmlinuz-4.18.5-041805-generic)
sudo cp /boot/vmlinuz-4.18.5-041805-generic ./
- sign the kernel with following command (modify the kernel name accordingly)
sudo sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-4.18.5-041805-generic --output vmlinuz-4.18.5-041805-generic.signed
- move the signed kernel to the
/boot/directory (and make sure the signed kernel has the same name as the original one)
sudo mv vmlinuz-4.18.5-041805-generic.signed /boot/vmlinuz-4.18.5-041805-generic
- rebuild grub menus with following command
sudo dpkg-reconfigure grub-pc
This command causes grub to rebuild its menus. Make sure for each grub menu item (especially the signed one), there is a linux ... line and a initrd .... line. Otherwise you may encounter "kernel panic" next time you reboot the system.
Rebuilding grub menu is probably not strictly necessary because I didn’t actually add any new kernels to /boot/, but it was worth running to make sure there weren’t any errors.
- This fixes the installation of the package that was broken. If all goes according to plan, it should no longer show an error.
sudo dpkg --configure grub-efi-amd64-signed
add a comment
|
I also encountered this problem, and I solved it recently by signing the kernel.
Warning: replacing the unsigned kernel is dangers; any tiny mistakes may cause kernel panic. Please be aware of what you are doing.
Acknowledgment
Thanks to following two posts I leaned how to sign a kernel to solve this problem, you can refer to them for more details.
https://sqizit.bartletts.id.au/2019/04/23/fixing-grub-error-about-unsigned-kernel-in-ubuntu/
https://ubuntu.com/blog/how-to-sign-things-for-secure-boot
My notes for solving this problem are listed below.
Fixing grub error about unsigned kernel in Ubuntu
ERROR INFO:
Cannot upgrade Secure Boot enforcement policy due to unsigned kernels
Your system has UEFI Secure Boot enabled in firmware, and the following kernels present on your system are unsigned:
4.18.20-041820-generic
These kernels cannot be verified under Secure Boot. To ensure your system remains bootable, GRUB will not be upgraded on your disk until these kernels are removed or replaced with signed kernels.
Certificates in shim
- cd to a directory where you want to save the certificates
- vim openssl.cnf to create a new file
- input the following contents in the file (modify the req_distinguished_name info if you like; it is OK to leave it as it is).
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3
string_mask = utf8only
prompt = no
[ req_distinguished_name ]
countryName = CA
stateOrProvinceName = Quebec
localityName = Montreal
0.organizationName = cyphermox
commonName = Secure Boot Signing
emailAddress = example@example.com
[ v3 ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6
nsComment = "OpenSSL Generated Certificate"
- create the private and public keys
openssl req -config ./openssl.cnf \
    -new -x509 -newkey rsa:2048 \
    -nodes -days 36500 -outform DER \
    -keyout "MOK.priv" \
    -out "MOK.der"
Enrolling the key
To enroll a key, use the mokutil command:
sudo mokutil --import MOK.der
Follow the prompts to enter a password that will be used to make sure you really do want to enroll the key in a minute.
Once this is done, reboot. Just before loading GRUB, shim will show a blue screen (which is actually another piece of the shim project called “MokManager”). Use that screen to select “Enroll MOK” and follow the menus to finish the enrolling process. You can also look at some of the properties of the key you’re trying to add, just to make sure it’s indeed the right one using “View key”. MokManager will ask you for the password we typed in earlier when running mokutil; and will save the key, and we’ll reboot again.
Sign a custom kernel you want to have loaded by shim
- convert the certificate we created earlier into PEM:
openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
- back up the original vmlinuz file (e.g., vmlinuz-4.18.5-041805-generic)
sudo cp /boot/vmlinuz-4.18.5-041805-generic ./
- sign the kernel with the following command (modify the kernel name accordingly)
sudo sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-4.18.5-041805-generic --output vmlinuz-4.18.5-041805-generic.signed
- move the signed kernel to the /boot/ directory (and make sure the signed kernel has the same name as the original one)
sudo mv vmlinuz-4.18.5-041805-generic.signed /boot/vmlinuz-4.18.5-041805-generic
- rebuild grub menus with the following command
sudo dpkg-reconfigure grub-pc
This command causes grub to rebuild its menus. Make sure that for each grub menu item (especially the signed one) there is a linux ... line and an initrd ... line. Otherwise you may encounter a "kernel panic" the next time you reboot the system.
Rebuilding the grub menu is probably not strictly necessary because I didn’t actually add any new kernels to /boot/, but it was worth running to make sure there weren’t any errors.
- This fixes the installation of the package that was broken. If all goes according to plan, it should no longer show an error.
sudo dpkg --configure grub-efi-amd64-signed
answered Sep 30 at 6:28
liushan CHEN
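A presence check for the condition the GRUB error in the answer above reports, as an added example that is not part of the original answer: it reads a kernel image's PE header and reports whether a certificate table (an Authenticode signature) is attached. It does not validate the signature against an enrolled key; `sbverify --cert MOK.pem <image>` from sbsigntool does that. The function names and the constructed sample header are assumptions.

```shell
#!/bin/sh
# Added example: presence check for an Authenticode signature in a PE image.

# le_uint FILE OFFSET NBYTES: print the little-endian unsigned integer there.
le_uint() {
    val=0; mult=1
    for b in $(od -An -v -tu1 -j "$2" -N "$3" "$1" 2>/dev/null); do
        val=$((val + b * mult)); mult=$((mult * 256))
    done
    echo "$val"
}

# pe_sig_state FILE: print "signed", "unsigned" or "not-pe".
pe_sig_state() {
    f=$1
    [ -r "$f" ] || { echo not-pe; return 0; }
    [ "$(le_uint "$f" 0 2)" -eq 23117 ] || { echo not-pe; return 0; }  # "MZ"
    pe=$(le_uint "$f" 60 4)                                            # e_lfanew
    [ "$(le_uint "$f" "$pe" 4)" -eq 17744 ] || { echo not-pe; return 0; }  # "PE\0\0"
    opt=$((pe + 24))                       # optional header follows COFF header
    case $(le_uint "$f" "$opt" 2) in
        267) dirs=$((opt + 96)) ;;         # 0x10b, PE32
        523) dirs=$((opt + 112)) ;;        # 0x20b, PE32+ (x86-64 kernels)
        *) echo not-pe; return 0 ;;
    esac
    # Fewer than 5 data directories means there is no certificate table slot.
    [ "$(le_uint "$f" $((dirs - 4)) 4)" -ge 5 ] || { echo unsigned; return 0; }
    # Directory entry 4 = certificate table: 4-byte file offset, 4-byte size.
    if [ "$(le_uint "$f" $((dirs + 36)) 4)" -gt 0 ]; then
        echo signed
    else
        echo unsigned
    fi
}

# Constructed sample input: minimal PE32+ header whose certificate table
# size is CERT_SIZE (0-255). make_sample_pe FILE CERT_SIZE
zeros() { dd if=/dev/zero bs=1 count="$1" 2>/dev/null; }
make_sample_pe() {
    {
        printf 'MZ'; zeros 58
        printf '\100\000\000\000'            # e_lfanew = 64
        printf 'PE\000\000'; zeros 20        # PE signature + COFF header
        printf '\013\002'; zeros 106         # magic 0x20b, fields up to +108
        printf '\020\000\000\000'            # NumberOfRvaAndSizes = 16
        zeros 36                             # entries 0-3 and entry 4 offset
        printf "\\$(printf '%03o' "$2")\\000\\000\\000"   # entry 4 size
    } > "$1"
}
```

On a real system, call `pe_sig_state` on each `/boot/vmlinuz-*` before signing to see which images have no signature attached, and again on the `.signed` output before it replaces the original.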