
OS: Ubuntu 20.04

Machine: Dell XPS 13 9370

Attempting to upgrade from Linux kernel 5.13.0 to 5.16.14. Have verified that kernel 5.16.14 runs properly without secure boot. Followed instructions here and here and all steps appear to complete successfully. Specifically, here are the steps I took:

Download kernel files

wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.16.14/amd64/linux-headers-5.16.14-051614_5.16.14-051614.202203111231_all.deb
wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.16.14/amd64/linux-image-unsigned-5.16.14-051614-generic_5.16.14-051614.202203111231_amd64.deb
wget https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.16.14/amd64/linux-modules-5.16.14-051614-generic_5.16.14-051614.202203111231_amd64.deb

Install kernel

chmod +x *.deb
sudo dpkg -i *.deb

Create req file

vim mokconfig.cnf # filled in details as instructed in articles 

Generate keys

openssl req -config ./mokconfig.cnf \
    -new -x509 -newkey rsa:2048 \
    -nodes -days 36500 -outform DER \
    -keyout "MOK.priv" \
    -out "MOK.der"

Convert to pem format

openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem 

Enroll key

sudo mokutil --import MOK.der 

At this point, I rebooted and the blue MOK screen appeared as expected. The key I had just enrolled was shown and I was able to add, then continue booting.

Verify key is enrolled

sudo mokutil --list-enrolled 

Sign kernel

sudo sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-5.16.14-051614-generic --output /boot/vmlinuz-5.16.14-051614-generic.signed 

Copy initram

sudo cp /boot/initrd.img-5.16.14-051614-generic{,.signed} 

Update GRUB

sudo update-grub 

I also appended the cert I just made to the secure boot keys in bios. The UI showed me a "Success" message and the key count was incremented by 1.

At this point, I was able to reboot and see the new signed kernels. In addition to the original kernels, the list included the following two lines:

Ubuntu, with Linux 5.16.14-051614-generic.signed
Ubuntu, with Linux 5.16.14-051614-generic.signed (recovery mode)

The resulting message is:

Loading Linux 5.16.14-051614-generic.signed ...
error: /boot/vmlinuz-5.16.14-051614-generic.signed has invalid signature.
Loading initial ramdisk ...
error: you need to load the kernel first.

Press any key to continue...

The ramdisk issue seems pretty self-explanatory but I can't seem to get the kernel to load.

Is there some other way to verify the key? Does it need to be loaded somewhere else for the system to recognize it?
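The procedure above collected into one script, together with the local checks worth running before the reboot. This is an added example, not code from the question or the answer. It assumes the file names used above (mokconfig.cnf, MOK.priv, MOK.der, MOK.pem), the 5.16.14-051614-generic version string, placeholder subject fields in the request config, and the v3 extension section that the Ubuntu Secure Boot signing guide uses; sbsign/sbverify come from the sbsigntool package and mokutil from the mokutil package.

```shell
#!/bin/sh
# Added example (not from the question or the answer): generate a MOK with the
# extensions the Secure Boot signing guides use, sign the kernel with sbsign,
# and run the local checks that should pass before rebooting.
# Assumptions: the kernel version string, key file names and the subject
# fields below are placeholders; adjust them for your machine.
set -eu

KERNEL_VERSION="${KERNEL_VERSION:-5.16.14-051614-generic}"
MOK_DIR="${MOK_DIR:-$PWD}"   # holds mokconfig.cnf, MOK.priv, MOK.der, MOK.pem

# 1. OpenSSL request config. The extendedKeyUsage line (codeSigning plus the
#    Microsoft "Windows System Component Verification" OID) is the form used by
#    the Ubuntu UEFI/SecureBoot signing guide; the DN values are placeholders.
write_mok_config() {
    cat > "$MOK_DIR/mokconfig.cnf" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
prompt             = no
string_mask        = utf8only
x509_extensions    = v3_mok

[ req_distinguished_name ]
countryName         = US
stateOrProvinceName = Example State
localityName        = Example City
0.organizationName  = Example Org
commonName          = Example Secure Boot Signing Key
emailAddress        = mok@example.invalid

[ v3_mok ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical,CA:FALSE
extendedKeyUsage       = codeSigning,1.3.6.1.4.1.311.10.3.6
nsComment              = "OpenSSL Generated Certificate"
EOF
}

# 2. Self-signed 2048-bit RSA key: DER cert for mokutil, PEM cert for sbsign.
gen_mok() {
    openssl req -config "$MOK_DIR/mokconfig.cnf" -new -x509 -newkey rsa:2048 \
        -nodes -days 36500 -outform DER \
        -keyout "$MOK_DIR/MOK.priv" -out "$MOK_DIR/MOK.der"
    openssl x509 -in "$MOK_DIR/MOK.der" -inform DER -outform PEM -out "$MOK_DIR/MOK.pem"
}

# Returns 0 if the generated certificate carries the Code Signing EKU,
# i.e. the extension section above was actually applied.
has_codesigning_eku() {
    openssl x509 -in "$MOK_DIR/MOK.pem" -noout -text | grep -q 'Code Signing'
}

# 3. Queue the DER cert for enrollment; MokManager asks for the one-time
#    password on the next boot.
enroll_mok() {
    sudo mokutil --import "$MOK_DIR/MOK.der"
}

# 4. Sign the unsigned mainline image with the private key and PEM cert.
sign_kernel() {
    img="/boot/vmlinuz-${KERNEL_VERSION}"
    sudo sbsign --key "$MOK_DIR/MOK.priv" --cert "$MOK_DIR/MOK.pem" \
        "$img" --output "${img}.signed"
}

# 5. Checks to run before rebooting. Each one runs even if an earlier one
#    fails, so a single invocation shows the whole picture.
verify_kernel() {
    img="/boot/vmlinuz-${KERNEL_VERSION}.signed"
    rc=0
    mokutil --sb-state                                   # is Secure Boot on for this boot?
    mokutil --test-key "$MOK_DIR/MOK.der" || rc=1        # "... is already enrolled" / "... is not enrolled"
    sbverify --cert "$MOK_DIR/MOK.pem" "$img" || rc=1    # "Signature verification OK" if signed with this cert
    sbverify --list "$img" || rc=1                       # shows the embedded signer, handy when the line above fails
    return $rc
}

case "${1:-}" in
    init)   write_mok_config; gen_mok; has_codesigning_eku ;;
    enroll) enroll_mok ;;
    sign)   sign_kernel ;;
    verify) verify_kernel ;;
    *)      echo "usage: $0 init|enroll|sign|verify" >&2 ;;
esac
```

Run `init`, then `enroll` and reboot through MokManager, then `sign` and `verify`. The two checks in `verify` are independent: `sbverify --cert` tells you whether the .signed image really carries a signature made with MOK.pem, and `mokutil --test-key` tells you whether that certificate is in the MOK list at all. If the second one reports "not enrolled", re-signing with a different tool will not change what shim sees; fix enrollment first.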

1 Answer


Different firmware implementations of Secure Boot have differing levels of strictness on the exact format of the signed boot files. The sbsign command is, I think, the older tool and the signature produced by it may not satisfy the newer, stricter firmware implementations.

Try signing the kernel with the pesign command (in package pesign) instead: I've had good results with it on newer firmwares that reject kernels signed by sbsign. However, it requires converting the key and the certificate into PKCS12 format and storing them into a Mozilla NSS certificate database first. You'll need the pk12util tool from the libnss3-tools package for that:

# openssl pkcs12 -export reads the certificate in PEM and has no -inform option,
# so use the MOK.pem created earlier rather than MOK.der
openssl pkcs12 -export -name MOK -out MOK.p12 -inkey MOK.priv -in MOK.pem
sudo pk12util -i MOK.p12 -d /etc/pki/pesign

You'll need to do the above commands only once. After you've done those, you can use pesign as follows:

sudo pesign -i /boot/vmlinuz-5.16.14-051614-generic -o /boot/vmlinuz-5.16.14-051614-generic.signed -n /etc/pki/pesign -c MOK -s 
  • Many thanks. I tried the commands you mentioned but had to handle the first one in PEM format as openssl was complaining about the inform option with pkcs12. I also couldn't get it to accept the /etc/pki/pesign part. I was, however, able to make a DB at ~/.pki/nssdb and this got the commands running but I don't have the expertise to say whether they were correct. I'm afraid the issue may be deeper, though, as I finally went to BIOS and attempted to append the keys as I had done on another machine but it wouldn't accept them in any format. A bit stumped at this. Commented Mar 13, 2022 at 23:42
