berglh / ubuntu-sb-kernel-signing Goto Github PK

Hello thanks for this project! I have a question regarding one of the package dependencies in the mok-setup.sh script. The script checks whether fwts is installed, I was wondering if this dependency is required and if so, what is it used for?

Installing fwts in Ubuntu 22.04 requires gcc-12 (default gcc-11) and updating /usr/bin/gcc to use 12, e.g.

sudo apt install gcc-12
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-12 12

If the package isn't needed, this extra system change is not required.

I've followed your instructions:

cd ubuntu-sb-kernel-signing/
sudo cp sbin/00-signing /etc/kernel/postinst.d
sudo chown root:root /etc/kernel/postinst.d/00-signing
sudo chmod u+rx /etc/kernel/postinst.d/00-signing
sudo reboot

enrolled the key:
mokutil --list-enrolled

cd ubuntu-sb-kernel-signing/
cd sbin/
sudo bash mok-setup.sh

and then installed Liquorix:

sudo apt install --force-reinstall true linux-image-liquorix-amd64 linux-headers-liquorix-amd64
sudo update-initramfs -u -k all
sudo update-grub
sudo reboot

But it doesn't boot with this kernel.
What am I missing?

From u/FloatyFish,

Ref: Reddit Comment

Below is what I get when I try to sign it:

/etc/kernel/postinst.d/00-mainline-signing: line 55: cd: too many arguments
run-parts: /etc/kernel/postinst.d/00-mainline-signing exited with return code 1

So I ran echo $HOME, and there weren't any spaces in the username folder. As for the kernel I'm trying to install, I was attempting to install 5.15.6 on Ubuntu 21.10.

What's even stranger is that I looked at upgrading my kernel (5.13.something) to the latest 5.14 release (5.14.21) to see if maybe it was a version issue, and to my surprise the build went through perfectly. I then attempted to build 5.15.6 and 5.15.0 to see if something had changed, and I still got the error that I posted in my previous post.

#3 Adds a potential fault https://github.com/berglh/ubuntu-sb-kernel-signing/blob/main/sbin/zz-mainline-signing#L41.

I now remember why we actually want to ensure that we always only return one kernel image path such as with grep -m1. It's possible if you've downloaded different kernels matching the pattern to different folders that this will then throw an error later in the script. Thus, we should only return one result.

If we do get an error with multiple matches, it might be good to error out here with a message to that effect i.e. (multiple matches were found, remove one and try again).

It might be desirable to only sign Liqourix kernels with a dedicated script. If someone is interested in this, please add your comment to register your interest.

I have installed Ubuntu 22.04 with kernels 5.15.0-33 and 5.15.0-30, which are signed by Canonical. However with Secure Boot Enabled, these kernels are not recognized. I get the message vmlinuz is not signed, must load kernel first. I have created a MOK.der but am not sure that signing these kernels will solve the problem since they are already signed. My system is ASROCK AB350 Pro 4 with Debian 11 (KickSecure) and Ubuntu 22.04. KickSecure Debian 11 boots OK with Secure Boot Enabled and Ubuntu used to boot before I added KickSecure Debian.

Hi, I'm Rishi K. Bose and I use your program for my laptop with UEFI. However, the program has a date when it will expire.

Hello ! I would like to know what are the two arguments that need to be passed to the scripts in order to make them work, can you help me?

I find myself going back to this repo every time I update my kernel.
Even though I always update with mainline, the manual approach always works and it's a 3 step procedure.

Thank you!