Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secure Boot #52

Closed
maxried opened this issue Aug 5, 2020 · 4 comments
Closed

Secure Boot #52

maxried opened this issue Aug 5, 2020 · 4 comments
Labels
invalid This doesn't seem right

Comments

@maxried
Copy link

maxried commented Aug 5, 2020
edited

While this is not really an issue, you might want to mention that mainline kernels are unsigned, and break your system if you use Secure Boot. To prevent this from happening, I wrote a small shell script as a kernel-install hook. Should not hurt, though YMMV. https://gist.github.com/maxried/796d1f3101b3a03ca153fa09d3af8a11
@bkw777
Copy link
Owner

bkw777 commented Aug 16, 2020

Probably not a bad idea.

I have also recently discovered that docker doesn't work on the mainline kernels.

In fact there are all kinds of things that can break under a mainline kernel, like dkms modules failing to build like for virtualbox or displaylink usb monitors, binary modules for video/wifi/etc failing to load or work, etc.

None of these problems are caused by the app, they are problems with the kernel packages, which someone else produces. The place for that kind of info is really on the mainline kernel ppa wiki, and/or kernel.ubuntu.com web site, and/or right in the description in the metadata in the .deb files so it shows up in any package manager.

This is also one of the very reasons I removed all the grub stuff and we don't touch the bootloader files. We install the package, but let the package author, or dpkg, or something else be responsible for breaking someones system from booting.

But, it's probably not a completely unreasonable idea to include maybe a notes/warnings section in the main readme, at least for a short list of major things.

@bkw777 bkw777 added the invalid This doesn't seem right label Aug 15, 2021
@bkw777
Copy link
Owner

bkw777 commented Aug 15, 2021

In the end I'm categorizing this the same way as mainline kernels failing to boot on zfs. #55 #64. It doesn't break anyone's system, the new kernel simply doesn't boot, just like any other new mainline kernel might not boot for countless reasons. The previous kernel is still there, because one thing we do do is decline to uninstall the kernel that's currently running, which means no matter what a new kernel does, you still always have at least the one other runnable kernel installed and bootable. IE: installing a kernel that doesn't boot is not harmful.

@bkw777 bkw777 closed this as completed Aug 15, 2021
@bkw777 bkw777 mentioned this issue Aug 21, 2022
Closed
@bkw777
Copy link
Owner

bkw777 commented Aug 21, 2022

Perhaps this is useful. I have not tried it.
https://github.com/M-P-P-C/Signing-a-Linux-Kernel-for-Secure-Boot

@msangel
Copy link

msangel commented Sep 14, 2022

All the instructions are fine untill the drive is not encrypted with luks... Signing kernel with instructions above - ok, Loading cryptsetup - fail.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
invalid This doesn't seem right
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@msangel @maxried @bkw777