berglh / ubuntu-sb-kernel-signing

Ubuntu Secure Boot Kernel Signing (MOK)
MIT License

unclear how to use #2

Closed codrutpopescu closed 2 years ago

codrutpopescu commented 2 years ago

I've followed your instructions:

cd ubuntu-sb-kernel-signing/
sudo cp sbin/00-signing /etc/kernel/postinst.d
sudo chown root:root /etc/kernel/postinst.d/00-signing
sudo chmod u+rx /etc/kernel/postinst.d/00-signing
sudo reboot

enrolled the key: mokutil --list-enrolled

cd ubuntu-sb-kernel-signing/
cd sbin/
sudo bash mok-setup.sh

and then installed Liquorix:

sudo apt install --force-reinstall true linux-image-liquorix-amd64 linux-headers-liquorix-amd64
sudo update-initramfs -u -k all
sudo update-grub
sudo reboot

But it doesn't boot with this kernel. What am I missing?

berglh commented 2 years ago

@altitudedashboard The script was never tested with Liquorix.

  1. Does this work for you with other kernels?
  2. If not maybe the key isn't enrolled correctly in your UEFI. When you enrolled the key, did you reboot and did your UEFI ask you to enroll the MOK cert? The prompts in the UEFI can be a little misleading, you need to select the key and enroll it. You will need to provide the challenge passphrase you typed during the running of mok-setup.sh.
  3. Did you set a custom name for the MOK cert or just use the default? If you changed the name, you will need to update the path in the 00-signing script here: https://github.com/berglh/ubuntu-sb-kernel-signing/blob/main/sbin/00-signing#L6-L8. Keep in mind, you should not provide the file extension/suffix, only the file name.
  4. Failing that, can you provide the output from the kernel installation via the terminal, mainly the output below where the MOK Signing starts, there's a bunch of "#" symbols framing the title in the output.

berglh commented 2 years ago

@altitudedashboard OK, I had some time to take a look at this and the output is as follows with the 00-signing script. As you can see, it signed it just fine (i.e. no errors were shown). I changed to zz-signing as I have NVIDIA DKMS modules; I wanted those to be generated first before the kernel image was signed.

/etc/kernel/postinst.d/zz-signing:
Signing /boot/vmlinuz-5.17.0-5.1-liquorix-amd64...
Signing Unsigned original image
/etc/kernel/postinst.d/zz-update-grub:
Sourcing file `/etc/default/grub'
Sourcing file `/etc/default/grub.d/init-select.cfg'
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.17.0-5.1-liquorix-amd64
Found initrd image: /boot/initrd.img-5.17.0-5.1-liquorix-amd64
Found linux image: /boot/vmlinuz-5.15.6-051506-generic
Found initrd image: /boot/initrd.img-5.15.6-051506-generic
Found linux image: /boot/vmlinuz-5.13.0-41-generic
Found initrd image: /boot/initrd.img-5.13.0-41-generic
Found linux image: /boot/vmlinuz-5.13.0-39-generic
Found initrd image: /boot/initrd.img-5.13.0-39-generic
Adding boot menu entry for UEFI Firmware Settings
done
Setting up linux-headers-liquorix-amd64 (5.17-9ubuntu1~impish) ...
Setting up linux-image-liquorix-amd64 (5.17-9ubuntu1~impish) ...

I then rebooted without touching anything and it booted just fine:

$ sudo mokutil --sb-state
SecureBoot enabled
$ uname -a
Linux zen 5.17.0-5.1-liquorix-amd64 #1 ZEN SMP PREEMPT liquorix 5.17-9ubuntu1~impish (2022-04-27) x86_64 x86_64 x86_64 GNU/Linux

I did notice that if I removed those apt packages you supplied, though, it left the kernels in place. You can see below that the actual package for the kernel is "linux-image-${VERSION}-liquorix" and "linux-header-${VERSION}-liquorix". My guess is that your command sudo apt install --force-reinstall true linux-image-liquorix-amd64 linux-headers-liquorix-amd64 doesn't actually reinstall these packages.

~$ sudo apt list linux*liquorix*amd64 | grep installed

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

linux-headers-5.17.0-5.1-liquorix-amd64/impish,now 5.17-9ubuntu1~impish amd64 [installed,automatic]
linux-headers-liquorix-amd64/impish,now 5.17-9ubuntu1~impish amd64 [installed]
linux-image-5.17.0-5.1-liquorix-amd64/impish,now 5.17-9ubuntu1~impish amd64 [installed,automatic]
linux-image-liquorix-amd64/impish,now 5.17-9ubuntu1~impish amd64 [installed]

To get this to actually reinstall correctly, I first purged and then reinstalled all liquorix packages. I am quite confident this is why you are having issues.

sudo apt purge linux*liquorix*amd64
sudo apt autoremove
sudo apt install linux-image-liquorix-amd64 linux-headers-liquorix-amd64

sudo apt install --force-reinstall true linux*5.17.0-5.1-liquorix*amd64 may work, but I didn't test that. Note, you will need to match the kernel version here, otherwise it will install all liquorix kernels.

Also note, this doesn't work with the 00-mainline-signing script, you will see the following output here:

########
## Secure Boot Mainline Kernel Signature using MOK

/boot/vmlinuz-5.17.0-5.1-liquorix-amd64 is an official signed image or is not a generic kernel image, not auto-signing for safety
/etc/kernel/postinst.d/zz-update-grub:
Sourcing file `/etc/default/grub'
Sourcing file `/etc/default/grub.d/init-select.cfg'
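The two hooks above behave differently depending on whether the image already carries a signature ("Unsigned original image" versus "an official signed image"). The following is an added example, not code from this repository, for checking that yourself: it reads the PE certificate table of a vmlinuz directly, so it needs neither sbverify nor pesign, and build_test_pe constructs a fake header (labelled as constructed) so the checker can be exercised offline.

```python
import struct
CERT_TABLE_INDEX, WIN_CERT_TYPE_PKCS_SIGNED_DATA = 4, 0x0002  # IMAGE_DIRECTORY_ENTRY_SECURITY, PKCS#7

def cert_table_entry(data: bytes):
    """Return (file_offset, size) of the PE Certificate Table directory entry."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image (EFI-stub kernels are PE files)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 24                # skip 'PE\0\0' and the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dirs = {0x20B: 112, 0x10B: 96}.get(magic)   # PE32+ (x86_64 vmlinuz) / PE32
    if dirs is None:
        raise ValueError(f"unknown optional-header magic {magic:#x}")
    if struct.unpack_from("<I", data, opt_off + dirs - 4)[0] <= CERT_TABLE_INDEX:
        return 0, 0                      # NumberOfRvaAndSizes too small: no table
    # Unlike other directories, this entry holds a raw file offset, not an RVA.
    return struct.unpack_from("<II", data, opt_off + dirs + 8 * CERT_TABLE_INDEX)

def count_signatures(data: bytes) -> int:
    """Authenticode (PKCS#7) signatures on a PE image; 0 means unsigned."""
    off, size = cert_table_entry(data)
    if off == 0 or size == 0 or off + size > len(data):
        return 0
    count, pos, end = 0, off, off + size
    while pos + 8 <= end:                # walk the WIN_CERTIFICATE entries
        length, _rev, ctype = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            break                        # truncated or corrupt entry: stop counting
        count += ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA
        pos += (length + 7) & ~7         # entries are padded to 8-byte alignment
    return count

def build_test_pe(certs=(), plus=True) -> bytes:
    """Constructed, unbootable PE header (no sections) with an optional cert table."""
    dirs, opt_len = (112, 240) if plus else (96, 224)   # 16 data directories
    img = bytearray(0x58 + opt_len)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)             # e_lfanew -> 'PE\0\0'
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664 if plus else 0x14C,
                     0, 0, 0, 0, opt_len, 0x22)         # COFF file header
    struct.pack_into("<H", img, 0x58, 0x20B if plus else 0x10B)  # optional-header magic
    struct.pack_into("<I", img, 0x58 + dirs - 4, 16)    # NumberOfRvaAndSizes
    table = b"".join(struct.pack("<IHH", 8 + len(c), 0x200, 2) + c
                     + b"\0" * (-len(c) % 8) for c in certs)
    if table:                            # point the directory entry at the table
        struct.pack_into("<II", img, 0x58 + dirs + 8 * CERT_TABLE_INDEX,
                         len(img), len(table))
        img += table
    return bytes(img)
```

On a real system, pass the contents of /boot/vmlinuz-<version> to count_signatures(); a result of 0 is what the signing hook reports as an unsigned original image, while 1 or more means a signature is already attached (sbsign appends a second one rather than replacing the first).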

berglh commented 2 years ago

@altitudedashboard I've added some instructions on manually signing a kernel image here: https://github.com/berglh/ubuntu-sb-kernel-signing#manually-signing-a-kernel, which you could use if you didn't want to reinstall the kernel again. Keep in mind, I've now adjusted the scripts to have a zz- prefix instead of the 00- prefix; you can pull the changes into the checked-out repo folder with git pull origin main, remove the existing /etc/kernel/postinst.d/00-signing file and run the instructions on the main page again.

As I am pretty sure you just never actually reinstalled your Liquorix kernel and this is the likely issue, I'm going to go ahead and close this issue as I've provided more than one solution to resolve this. Just comment on it again if you require further assistance.

codrutpopescu commented 2 years ago

Thanks!