21.04 - MOK signed custom kernel not booting "invalid signature"

So before anyone else asks, is there a reason you don't disable SecureBoot and make things easier?

If its a single boot Ubuntu, why use secure boot and complicate things?

Disable secure boot would be one option. But it's indeed dual boot to windows too.

And the other question is: It worked before upgrading to 21.04 - what happened so it stopped working?

Why wasn't that in the original question? Giving as much information about the system is key to effective support

@andrew No offense.

Returning to my initial question:
Why does Ubuntu 21.04 not boot MOK signed kernel even if they worked with 20.10 before or even if I compile a new kernel and MOK sign it on Ubuntu 21.04. Whether or not it is dual boot to windows.

Possibly a bug.....

It seems like you answered your own question. You can try the workaround suggested in comment 14:
https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1925010

Or maybe you could temporarily disable SecureBoot and update the affected package. Then, re-enable. Don't boot into Windows in between if you're really afraid of malware.

Thanks Daniel, I tried and followed steps in comment #14 but this broke boot to grub entirely on my system.

The system could not boot into grub, therefore Windows recovery mode started immediately, which ironically did not know what to do! :D

So I restored the bootx64.efi with the shipped shimx64.efi and system boot to grub recovered.
Booting the signed kernel in non secure boot works. It's just the signature verification which seems to fail after upgrading to 21.04. BUT, only for MOK-signed kernels. As described earlier booting the stock ubuntu kernel works with secure boot.

Do I have to reinitialize MOK? - If yes, how should I proceed best?

I just wanted to chime in here with the problem I am also experiencing.

I tend to run mainline kernels from Ubuntu which are unsigned. I am wanting to sign kernels for use in Secure Boot.

https://ubuntu.com/blog/how-to-sign-things-for-secure-boot

I have previously used the [sbsign] method to sign the mainline kernels on 20.10, but something about my MOK keys must not be correct for signing kernels. The enrolled MOK key does sign DKMS kernel modules, like the nvidia driver just fine.

Running "sudo openssl x509 -in /var/lib/shim-signed/mok/MOK.pem -text" shows the Extended Key Usage:

            X509v3 Extended Key Usage:
                Code Signing, 1.3.6.1.4.1.2312.16.1.2

"mokutil --list"-enrolled shows the key I used to signed the kernel is in fact correctly enrolled.

My understanding is that this Code Signing value is very important to describe what a MOK private key is allowed to sign. I believe that shim checks the Linux image that is signed with the correct Code Signing codes and if it doesn't match what it expects it returns the "invalid signature" error. Anyway, for whatever reason, Ubuntu 21.04 does not allow me to boot these signed kernels like 20.10 did. I do seem to be loading the Grub2 Shim EFI boot loader which should validate the signed image, but it does not.

:~$ efibootmgr -v
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0001,0002,0003
Boot0000* ubuntu HD(1,GPT,a015757e-7c1a-46b4-aacb-6c6bd179f381,0x800,0x76800)/File(\EFI\UBUNTU\SHIMX64.EFI)
Boot0001* UEFI:CD/DVD Drive BBS(129,,0x0)
Boot0002* UEFI:Removable Device BBS(130,,0x0)
Boot0003* UEFI:Network Device BBS(131,,0x0)

Thanks Bruno Demartino, that solved my question.

I didn't expect that I had to create a new key with a different Code Signing Value when the Ubuntu delivered MOK key worked before.

So I followed the steps to create my own MOK key enrolled the key and used it to sign the kernel and Secure Boot works as expected.

Thanks Bruno for detailed explanation!

If you're like me and you tried #14 before reading further down in the thread and now you can't boot at all (or only in windows)? Running boot-repair from a ubuntu image running on USB fixed that for me. Furthermore, signing with "1.3.6.1.4.1.2312.16.1.1" per post #10 fixed the unsigned kernel messages I was getting.

Brilliant, thank Bruno. I've created a guide with scripts for this in my following GitHub repo: https://github.com/berglh/ubuntu-sb-kernel-signing. It includes scripts for automatically signing installed kernels.

Here are some steps you can take to troubleshoot and resolve the problem:

Verify Secure Boot Configuration:

Ensure that Secure Boot is still enabled in your system firmware/BIOS settings.
Check if any Secure Boot-related settings have changed during the upgrade.
Check Key Expiry:

Verify that the MOK key used for signing the kernel has not expired. If the key has expired, you may need to generate a new key and sign the kernel again.
Review Kernel Configuration:

Confirm that the kernel configuration and build process are correct. Ensure that you're using the appropriate settings and patches for your Surface Pro model.
Check if there are any specific requirements or changes in the kernel configuration for Ubuntu 21.04.
Apply Updates:

Make sure your system is up-to-date with the latest software updates and security patches. Run sudo apt update followed by sudo apt upgrade to ensure all packages are current.
Review Boot Logs:

Examine the boot logs for any error messages related to Secure Boot, signature verification, or kernel loading issues. Check the output of dmesg and /var/log/boot.log.
Shim and Kernel Bug Reports:

Keep an eye on bug reports related to shim and the Ubuntu kernel in Launchpad. The bug reports you've mentioned may be relevant, and it's possible that a fix or workaround has been provided.
Community Support:

Seek assistance from the Ubuntu community forums or mailing lists. Other users who have faced similar issues may provide insights or solutions.
Consider Downgrading:

If the issue persists and it's critical for your system, consider downgrading to Ubuntu 20.10 until a resolution is found. Make sure to back up your data before attempting any major changes.