Comment 8 for bug 1860531

In above logs zipl.conf is shown to be like this:

root@t35lp36:~# cat /etc/zipl.conf
[defaultboot]
defaultmenu = menu
secure=1

:menu
target = /boot
1 = ubuntu
2 = old
default = 1
prompt = 1
timeout = 10

However, for me, setting secure like that has never worked.

Instead i had to set secure=1 on the ':menu' portion of the zipl.conf file, i.e.

root@t35lp36:~# cat /etc/zipl.conf
[defaultboot]
defaultmenu = menu

:menu
target = /boot
1 = ubuntu
2 = old
default = 1
prompt = 1
timeout = 10
secure=1

Can it be that this is leading to incorrect testing?

Also I wanted to make sure you have the right kernel installed.

Can you please doublecheck output for all of the below commands is the same for you?

$ dpkg-query -W linux-image-5.4.0-12-generic
linux-image-5.4.0-12-generic 5.4.0-12.15

$ sudo md5sum /boot/vmlinuz /boot/vmlinuz-5.4.0-12-generic
6e2c2d81d3fa1d50bd3b30f12085554b /boot/vmlinuz
6e2c2d81d3fa1d50bd3b30f12085554b /boot/vmlinuz-5.4.0-12-generic

$ grep vmlinuz /var/lib/dpkg/info/linux-image-5.4.0-12-generic.md5sums
6e2c2d81d3fa1d50bd3b30f12085554b boot/vmlinuz-5.4.0-12-generic

To double check that signature is present on /boot/vmlinuz you can use the extract-module-sig.pl from the linux source tree scripts directly and then run something like this:

$ sudo perl linux/scripts/extract-module-sig.pl -d /boot/vmlinuz
Read 8163896 bytes from module file
Found magic number at 8163896
Found PKCS#7/CMS encapsulation
Found 528 bytes of signature [3082020c06092a864886f70d010702a0]
0 0 2 0 0 528