Bug 51164

Summary: Consider to sign default grub font when secure boot is enabled.
Product: Sisyphus Reporter: Constantin <constacalm>
Component: grub Assignee: Egor Ignatov <egori>
Status: NEW --- QA Contact: qa-sisyphus
Severity: minor    
Priority: P5 CC: constacalm, nickel, placeholder, rider
Version: unstable   
Hardware: x86_64   
OS: Linux   

Description Constantin 2024-08-15 21:00:55 MSK
It seems that grub does not have a properly signed boot font when Secure Boot is enabled.

Steps to reproduce:

1. Enable Secure Boot in your UEFI environment.
2. Install the Sisyphus weekly image in the ordinary way.
3. Try to reboot the system and look at what grub writes on the terminal when booting. In my cases I see:

error: prohibited by secure boot policy

AFAIK these types of errors may be shown when the font in /boot/grub/fonts/<somefont>.pf2 is unsigned.

Consider generating a GPG keypair and enrolling the public GPG key from that pair directly into the grub EFI image, and sign the font with the private GPG key. /boot/grub/fonts/<somefont>.pf2.sig will be generated, and the error should be gone.

Generally, this error does not affect the normal boot process. Maybe the user should not look at kernel messages when the system is booting in some cases. So I think that it is not an important or serious error.
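
The signing step proposed in the description above, as an added example that is not part of the original report or of the grub package: it creates a throwaway GPG key, writes the detached .pf2.sig next to a font, and shows verification failing once the file changes after signing. The function names, the temporary keyring and the stand-in font file are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report). All function names are hypothetical.

# make_key DIR: create an unprotected RSA signing key in a private keyring and
# export the public half to DIR/boot.pub. That file is what one would hand to
# grub-mkimage --pubkey when building the EFI image (not run here).
make_key() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'grub font signing (constructed)' rsa3072 sign never &&
    gpg --homedir "$1" --batch --export > "$1/boot.pub"
}

# sign_font DIR FILE: write a binary detached signature to FILE.sig.
sign_font() {
    gpg --homedir "$1" --batch --yes --quiet --pinentry-mode loopback \
        --passphrase '' --detach-sign --output "$2.sig" "$2"
}

# verify_font DIR FILE: exit status 0 only if FILE still matches FILE.sig.
verify_font() {
    gpg --homedir "$1" --batch --quiet --verify "$2.sig" "$2" 2>/dev/null
}

# demo: sign a constructed stand-in font, verify it, modify it, verify again.
# Prints "<result before change>/<result after change>".
demo() {
    d=$(mktemp -d) || return 1
    font="$d/unicode.pf2"
    printf 'constructed stand-in for a PF2 font\n' > "$font"
    make_key "$d" && sign_font "$d" "$font" || { rm -rf "$d"; return 1; }
    verify_font "$d" "$font" && before=accepted || before=rejected
    printf 'x' >> "$font"    # simulate a change made after signing
    verify_font "$d" "$font" && after=accepted || after=rejected
    gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true
    rm -rf "$d"
    echo "$before/$after"
}

# Usage: source this file and run `demo`; it prints accepted/rejected.
```

Any update that replaces the font file has to regenerate the .sig as well, otherwise the second result above is what the verifier sees.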
Comment 1 Николай Костригин 2024-08-30 12:23:28 MSK
AFAIK the problem should have been solved in grub-2.06-alt18.
egori@, please, correct me if I'm wrong