Ubuntu
linux-signed package

how can I build ubuntu linux kernel package ?

Asked by miufullzero

hi,

  how can I build ubuntu kernel with signed?

run fakeroot debian/rules binary

I hope get linux-image-signed-5.x.x.$(myarch).deb

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu linux-signed Edit question
Assignee:
No assignee Edit question
Solved by:
miufullzero
Solved:
Last query:
Last reply:
Revision history for this message
Manfred Hampl (m-hampl) said : 		#1

Why do you ask another question with the same contents?
You already have accepted the answer on https://answers.launchpad.net/ubuntu/+source/linux-signed/+question/697536
Do you expect different answers when you ask the same question again and again?

Revision history for this message
miufullzero (mfz0721) said : 		#2

I didn't get usefull answers

Revision history for this message
Manfred Hampl (m-hampl) said : 		#3

Still the same answer:

You can't build the signed kernel package, because you do not have access to the signing key.
It would contradict the intentions of kernel signing if everybody could sign arbitrary software with the officially certified signature.

Revision history for this message
miufullzero (mfz0721) said : 		#4

how can I access to the signing key?

Revision history for this message
actionparsnip (andrew-woodhead666) said : 		#5

Can you please just use ONE question rather than making a million questions. This isn't how forums work

Revision history for this message
miufullzero (mfz0721) said : 		#6

how can I accessing to the singing key?

Revision history for this message
Manfred Hampl (m-hampl) said : 		#7

You can't.

Revision history for this message
miufullzero (mfz0721) said (last edit ): 		#8

why?

I need signed my ubuntu linux kernel

Revision history for this message
Manfred Hampl (m-hampl) said : 		#9

You have to distinguish two different kinds of kernel signing.

The official package linux-image-5.4.0-76-generic is signed with the signature key that is accepted by UEFI world-wide . There is no way that you can access that signing key, because it would contradict the intentions of kernel signing, if everybody could sign arbitrary software with the officially certified signature.

If you just want to create a private signature on kernel modules for loading them with secure boot, then you just have to create your own key, register it in the UEFI MOK database and sign the kernel modules with it. see https://wiki.ubuntu.com/UEFI/SecureBoot

Revision history for this message
miufullzero (mfz0721) said (last edit ): 		#10

how can I get the signature key ?

Revision history for this message
Manfred Hampl (m-hampl) said : 		#11

Which signature key do you want to get?

Revision history for this message
miufullzero (mfz0721) said (last edit ): 		#12

I want to get the signature key to signed ubuntu focal linux kernel any one.
I tried to checked out https://kernel.ubuntu.com/git/ubuntu/ubuntu-focal-signed.git
and following
fakeroot debian/rules binary

I didn't get signed debs
Thanks!

Revision history for this message
Manfred Hampl (m-hampl) said : 		#13

This is a kind of "master key" valid worldwide.
You cannot get access to that key.

Revision history for this message
miufullzero (mfz0721) said (last edit ): 		#14

When I following fakeroot debian/rules binary
those package can be created
block-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb linux-tools-common_5.4.0-75.84_all.deb
crypto-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb linux-tools-host_5.4.0-75.84_all.deb
debian.signed.all linux-udebs-generic_5.4.0-75.84_arm64.udeb
fat-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb md-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb
files message-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb
fs-core-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb mouse-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb
fs-secondary-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb multipath-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb
ft_patch.tar.gz nfs-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb
input-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb nic-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb
ipmi-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb nic-shared-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb
kernel-image-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb nic-usb-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb
linux_5.4.0-75.84_arm64.tar.gz parport-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb
linux-buildinfo-5.4.0-75-generic_5.4.0-75.84_arm64.deb plip-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb
linux-cloud-tools-common_5.4.0-75.84_all.deb ppp-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb
linux-doc_5.4.0-75.84_all.deb sata-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb
linux-headers-5.4.0-75_5.4.0-75.84_all.deb scsi-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb
linux-headers-5.4.0-75-generic_5.4.0-75.84_arm64.deb
linux-image-unsigned-5.4.0-75-generic_5.4.0-75.84_arm64.deb storage-core-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb
linux-libc-dev_5.4.0-75.84_arm64.deb ubuntu-20.04-live-server-arm64.iso
linux-modules-5.4.0-75-generic_5.4.0-75.84_arm64.deb ubuntu-focal-signed
linux-modules-extra-5.4.0-75-generic_5.4.0-75.84_arm64.deb ubuntu-stable-focal
linux-source-5.4.0_5.4.0-75.84_all.deb usb-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb
linux-tools-5.4.0-75_5.4.0-75.84_arm64.deb virtio-modules-5.4.0-75-generic-di_5.4.0-75.84_arm64.udeb
linux-tools-5.4.0-75-generic_5.4.0-75.84_arm64.deb

there is no linux-image-signed-5.4.0-75-generic_5.4.0-75.84_arm64.deb here

I have rewrite some codes,I want to use linux-image-signed-5.4.0-75-generic_5.4.0-75.84_arm64.deb to build custum ISO

Revision history for this message
Bernard Stafford (bernard010) said : 		#15

Kernel module signing facility
https://www.kernel.org/doc/html/v4.10/admin-guide/module-signing.html

The Linux Kernel’s documentation
https://www.kernel.org/doc/html/v4.10/index.html
General Index : https://www.kernel.org/doc/html/v4.10/genindex.html

Revision history for this message
miufullzero (mfz0721) said : 		#16

how does ubuntu signed the linux kernel?

Revision history for this message
Manfred Hampl (m-hampl) said : 		#17

A very limited group of canonical people has access to the signing key, but nobody else.

Revision history for this message
miufullzero (mfz0721) said : 		#18

No way to signed the ubuntu kernel?

Revision history for this message
Manfred Hampl (m-hampl) said : 		#19

See my comment #9

Why don't you just take the current version of the signed kernel packages from Ubuntu?
Why do you need to modify the kernel?
Why do you need to sign that modified kernel?
Can't you use your private MOK signature if you need it signed?

Revision history for this message
miufullzero (mfz0721) said (last edit ): 		#20

5.4.0-75.84 is a example
The kernel doesn't supports u-boot booting,My fireware boot the kernel must signed

how can I reuse https://kernel.ubuntu.com/git/ubuntu/ubuntu-focal-signed.git/commit/?id=36e6973e2116e08aa2c6a4ff47f220de625b8ff1

Revision history for this message
miufullzero (mfz0721) said : 		#21

.