does cubic sign the image when installing a new kernel?

Asked by Mike Vanderlaan on 2019-08-13

I took a standard ubuntu-16.04.3-desktop-amd64.iso and booted it from a system with secure boot and it booted fine.

I put the image in cubic, and in chroot installed a different kernel with:

apt-get install linux-headers-4.15.0-55-generic
apt-get install linux-image-4.15.0-55-generic

I clicked on next and on the ISO Boot Kernel tab, I selected the new kernel:

  4.15.0-55

then I generated a new iso and when I boot to it I get:

error: /casper/vmlinuz has invalid signature.

When I turn off secure boot, it works fine. I was reading that the secure boot signing is done on install. The same kernel listed above can be installed to a running system's hard drive and works fine in secure boot. Is there another step that cubic needs to do to support secure boot?

Question information

Language: English
Status: Answered
For: Cubic
Assignee: No assignee
Last query: 2019-08-13
Last reply: 2019-08-14

Cubic PPA (cubic-wizard) said : #1

Cubic doesn't sign the kernel, so you would not be able to use secure boot.

I suspect the image needs to be signed by Canonical's private key, which would not be possible for a custom ISO.

However if you have more information, and can describe the steps, I can implement the feature in Cubic.

Mike Vanderlaan (seizepuppet) said : #2

Hi,

Thanks for the quick response. I don't understand the process yet, but I'm going to keep digging. If I can manually sign it and get it to work, I'll send you the steps. The part I don't understand is from https://wiki.ubuntu.com/UEFI/SecureBoot it mentions:

"On Ubuntu, all pre-built binaries intended to be loaded as part of the boot process, with the exception of the initrd image, are signed by Canonical's UEFI certificate, which itself is implicitly trusted by being embedded in the shim loader, itself signed by Microsoft."

Except I git pulled a version of ubuntu 16, recompiled the kernel into deb files and installed on a system with secure boot enabled, and it booted into linux without adding any keys to the bios. So there is some way to sign locally compiled kernels and still be considered in secure boot. I'll keep investigating. Would you prefer I mark this problem solved since you are waiting on me?

mike

Cubic PPA (cubic-wizard) said : #3

It's interesting that it worked for you ~with~ Secure Boot.
(Note that Cubic explicitly excludes vmlinuz images ending with the extension "*.efi" when listing kernels on the Boot Kernels tab).

According to this, there are only two ways to sign an image:

https://wiki.ubuntu.com/UEFI/SecureBoot/KeyManagement/ImageSigning

However, the link you supplied states:

"In the case of unofficial kernels, or kernels built by users, additional steps need to be taken if users wish to load such kernels while retaining the full capabilities of UEFI Secure Boot. All kernels must be signed to be allowed to load by GRUB when UEFI Secure Boot is enabled, so the user will require to proceed with their own signing. Alternatively, users may wish to disable validation in shim while booted with Secure Boot enabled on an official kernel by using 'sudo mokutil --disable-validation', providing a password when prompted, and rebooting; or to disable Secure Boot in firmware altogether."
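
A check a reader of this thread could run on the ISO's own /casper/vmlinuz, added here as an example and not code from Cubic or either poster: a walk of the PE/COFF headers that reports whether the kernel carries an Authenticode certificate table at all. It assumes an x86 bzImage with an EFI stub (what Ubuntu ships); an image with no table cannot pass shim/GRUB validation, and one with a table still has to chain to Canonical's certificate or an enrolled MOK, which this check does not verify.

```python
import struct

# Index of the Certificate Table (Authenticode signature) in the PE data directories.
CERT_TABLE_INDEX = 4


def pe_signature_size(data: bytes) -> int:
    """Size in bytes of the embedded Authenticode certificate table of a PE image.

    0 means the image carries no signature at all. Ubuntu's vmlinuz is a bzImage
    with an EFI stub, i.e. a PE/COFF file, so this walk applies to /casper/vmlinuz.
    Raises ValueError for anything that is not a PE image.
    """
    try:
        if data[:2] != b"MZ":
            raise ValueError("not an MZ/PE image")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("PE signature missing")
        opt_off = pe_off + 4 + 20                    # skip "PE\0\0" and the COFF header
        (magic,) = struct.unpack_from("<H", data, opt_off)
        if magic == 0x10B:                           # PE32: data directories at +96
            dd_off = opt_off + 96
        elif magic == 0x20B:                         # PE32+: data directories at +112
            dd_off = opt_off + 112
        else:
            raise ValueError("unknown optional header magic 0x%x" % magic)
        # Each directory entry is (offset, size); for the certificate table the
        # first field is a raw file offset rather than an RVA.
        _off, size = struct.unpack_from("<II", data, dd_off + CERT_TABLE_INDEX * 8)
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc
    return size


def kernel_is_signed(path: str) -> bool:
    """True if the kernel image at `path` embeds a signature. Presence is not
    validity: shim/GRUB still need it to chain to Canonical's key or an enrolled MOK."""
    with open(path, "rb") as f:
        return pe_signature_size(f.read()) > 0


def build_test_pe(cert_size: int) -> bytes:
    """Constructed minimal PE32+ header (not a real kernel) used for self-testing."""
    pe_off = 0x40
    mz = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)          # 0x40-byte DOS stub
    opt = struct.pack("<H", 0x20B).ljust(112, b"\0")               # optional header
    dirs = bytearray(16 * 8)                                       # 16 data directories
    struct.pack_into("<II", dirs, CERT_TABLE_INDEX * 8, 0, cert_size)
    return mz + b"PE\0\0" + b"\0" * 20 + opt + bytes(dirs)
```

Point kernel_is_signed() at the vmlinuz copied out of the ISO's casper directory; a False result matches the "invalid signature" error above, since GRUB has nothing to validate.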
