Secure Boot – Signing Kernel Files in Ubuntu

A display-brightness-related issue made me try out the new Linux kernel 5.8 the day it was released. I installed it successfully (my previous post covers that), but upon restart the system wasn’t letting me boot into Ubuntu.
It was failing to boot with the following error:

error: vmlinuz-5.8.0-050800-generic has invalid signature
error: you need to load the kernel first

My HP ENVY x360 came with Windows 10 preinstalled, so Ubuntu was available via Grub as a dual-boot option.

NOTE: At some point, Windows asked me to enter the recovery key to let me boot into Windows. BitLocker asks you to enter this key when it detects an unauthorised access or change to the system. The recovery key screen gave me the link where I could get the recovery key, but you will need another system or phone to do that.

I restarted, chose the previous kernel version and logged into Ubuntu, albeit with a dim desktop, the issue I was trying to fix with the new version.

You can obviously disable Secure Boot and it will let you log in with the unsigned kernel, but that just doesn’t feel right. So you have two options:

  1. Use a generic signed kernel image (which wasn’t available for 5.8 in my case)
  2. Self-sign the kernel (which I did)

There are a few scripts available online that make it a bit easier, but I found that the Ubuntu Secure Boot wiki page, along with an Ask Ubuntu answer, was enough to get me through the setup.

Before we go any further, just remember that you are giving it a try at your own risk 🙂

  1. Create a config file for openssl (saved here as `openssl.cnf`) to create a signing key. Use your details where you see `<your_something>` text.

     ```
     # This definition stops the following lines choking if HOME isn't defined.
     HOME = .
     RANDFILE = $ENV::HOME/.rnd

     [ req ]
     distinguished_name = req_distinguished_name
     x509_extensions = v3
     string_mask = utf8only
     prompt = no

     [ req_distinguished_name ]
     countryName = <your_country_code>
     stateOrProvinceName = <your_state>
     localityName = <your_town>
     0.organizationName = <your_org>
     commonName = Secure Boot Signing
     emailAddress = <your_email>

     [ v3 ]
     subjectKeyIdentifier = hash
     authorityKeyIdentifier = keyid:always,issuer
     basicConstraints = critical,CA:FALSE
     extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6,1.3.6.1.4.1.2312.16.1.2
     nsComment = "OpenSSL Generated Certificate"
     ```

  2. Now we create the private key (`MOK.priv`) and the matching self-signed certificate (`MOK.der`) for signing the kernel. The certificate is valid for 100 years.

     ```
     openssl req -config ./openssl.cnf -new -x509 -newkey rsa:2048 -nodes -days 36500 -outform DER -keyout "MOK.priv" -out "MOK.der"
     ```

  3. Enrol (import) the certificate into your shim installation’s MOK list. You will be asked to set a password, which you will use on reboot.

     ```
     sudo mokutil --import MOK.der
     ```

  4. Convert the DER certificate to PEM format, because the signing tool used later (`sbsign`) expects a PEM certificate.

     ```
     openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
     ```

  5. Now restart the system. A blue screen will welcome you to the MOK Manager tool. Select Enrol Key and then View the key; you should see the details of the certificate you just created. Continue the process and enter the password where prompted. Reboot the system when presented with that choice.

  6. Did the enrolment work? Check with:

     ```
     sudo mokutil --list-enrolled
     ```

  7. The step you have been working towards all this while: sign the kernel.

     ```
     sudo sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-5.8.0-050800-generic --output /boot/vmlinuz-5.8.0-050800-generic.signed
     ```

  8. Create a copy of the initrd.img file with `.signed` added to the filename, so the Grub entry generated for the `.signed` kernel finds an initrd with the matching name.

     ```
     sudo cp /boot/initrd.img-5.8.0-050800-generic{,.signed}
     ```

  9. Update Grub.

     ```
     sudo update-grub
     ```

  10. Reboot. If all works and it lets you boot, you can replace the unsigned kernel files with the signed ones (the `mv` overwrites them).

      ```
      sudo mv /boot/vmlinuz-5.8.0-050800-generic{.signed,}
      sudo mv /boot/initrd.img-5.8.0-050800-generic{.signed,}
      ```

  11. Final Grub update.

      ```
      sudo update-grub
      ```
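Before rebooting into the signed kernel, it is worth checking that the certificate you signed with is actually in the enrolled MOK list and that the kernel verifies against it, which catches the `invalid signature` error from the top of the post in advance. This is an added example, not a script from the original post; it assumes `MOK.pem` and the signed kernel path from the steps above, that `openssl`, `mokutil` and `sbverify` (from sbsigntool) are installed, and the file name `check-mok.sh` is my own.

```shell
#!/bin/sh
# Added example, not from the original post: pre-reboot check that the
# signing certificate is enrolled in shim's MOK list and that the signed
# kernel verifies against it. Needs openssl, mokutil and sbverify.

# Lowercase, colon-separated SHA1 fingerprint of a PEM certificate, in the
# same form `mokutil --list-enrolled` prints it.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//' | tr 'A-Z' 'a-z'
}

# Succeeds if fingerprint $1 appears as a "SHA1 Fingerprint:" line of a
# mokutil listing read from stdin (comparison is case-insensitive).
fingerprint_enrolled() {
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  tr 'A-Z' 'a-z' | grep -qx "sha1 fingerprint: $want"
}

# Full check: $1 = MOK.pem, $2 = signed kernel image.
# Returns 0 if both checks pass, 2 if the cert is not enrolled,
# 3 if the kernel's signature does not verify against the cert.
check_signing_setup() {
  fp=$(cert_fingerprint "$1") || return 1
  if ! mokutil --list-enrolled | fingerprint_enrolled "$fp"; then
    echo "certificate $1 ($fp) is not in the enrolled MOK list" >&2
    return 2
  fi
  if ! sbverify --cert "$1" "$2"; then
    echo "$2 does not verify against $1" >&2
    return 3
  fi
  echo "ok: $2 is signed by an enrolled key"
}

# Constructed sample of `mokutil --list-enrolled` output (fingerprint is
# made up) so fingerprint_enrolled can be exercised without the real tools.
SAMPLE_MOK_LIST='[key 1]
SHA1 Fingerprint: aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd
Certificate:
    Data:
        Version: 3 (0x2)'

# Usage: sudo ./check-mok.sh MOK.pem /boot/vmlinuz-5.8.0-050800-generic.signed
if [ "$#" -eq 2 ]; then
  check_signing_setup "$1" "$2"
fi
```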

You now have the newest kernel with all the new features, signed and working with Secure Boot still enabled.
