berglh / ubuntu-sb-kernel-signing

Ubuntu Secure Boot Kernel Signing (MOK)
MIT License

Added support for newer kernels with different deb file structure #3

Closed themarpe closed 2 years ago

themarpe commented 2 years ago

The L41 change allows installing mainline kernels from the Ubuntu website instead of with the https://github.com/bkw777/mainline tool. It is up for debate whether it should be kept or not.

Also, I think it would be very beneficial to create one-way documentation on the "most usual flow" which new users could follow. Right now there are many paths and nothing stands out as the thing to do to sign the kernel.

Otherwise this tool is immensely helpful in this task, as it does not require knowing all the intricate details of how to carry out this MOK signing.

berglh commented 2 years ago

@themarpe LGTM. I did make a similar change for the different data compression but didn't push it yet. I am happy to pull in your changes as they are more or less the same. Thanks :)

berglh commented 2 years ago

I might also add, it could be useful to move the signing script name from the 00- prefix to a zz or zy. The reason is that this currently runs before the other post-installation scripts like the NVIDIA kernel DKMS build, and if this script fails, it might prevent those modules from building. This means that even if you disabled secure boot to run an unsigned kernel, the DKMS modules may not have been built. It might be the case that we want to change the errors on the checks to be a bit kinder in this case, rather than erroring out the post-install steps altogether depending on the error encountered. The other side, though, is that we want to make sure the kernels we want are signed and, if there is an error, for it to be somewhat obvious.

I'm definitely keen on contributions to the documentation if you feel like making a proposal, I just wanted to get all of the information in one place to remind me what on earth I was writing. At this stage it was just a useful tool I whacked together relatively quickly.

berglh commented 2 years ago

@themarpe I might also say I've commented out the grep -q "mainline" block for now as this should no longer be required in sbin/zz-mainline-signing. This probably would have caused your signing to fail anyway.