I am trying to install kernel-ml on my Rocky 9 system (5.14.0-70.26.1.el9_0.x86_64), but the out-of-the-box installation (dnf install kernel-ml kernel-ml-devel) leads to the following problems:
It appears that it is not signed, because when booting from it, immediately after GRUB, I get the following:
error: ../../grub-core/kern/efi/sb.c:183:bad shim signature.
error: ../../grub-core/loader/i386/efi/linux.c:233:you need to load the kernel first.
Press any key to continue...
I believe I was able to overcome this by following the steps from this guide, although a few commands have to be changed to match Rocky.
So now when it starts to boot, a few seconds later (~4 sec) it stops as soon as the USB keyboard is detected.
I guess this has to do with the operating system disk being encrypted, since with the “stock” kernel, at that point it asks for the LUKS password of the encrypted disk.
With kernel-ml it just stays there, I cannot type anything, and the laptop is unresponsive.
The thing is that I don’t know/have the ELRepo private key to sign the kernel with (signing needs the private key besides the certificate), which makes sense, as it is a private key.
So I went ahead and inserted the certificate that they provide for their kmod packages, but it didn’t make any difference. kernel-ml couldn’t be booted, with this error:
error: ../../grub-core/kern/efi/sb.c:183:bad shim signature.
error: ../../grub-core/loader/i386/efi/linux.c:233:you need to load the kernel first.
Press any key to continue...
I tried to sign the kernel with my personal key, which is already inserted, as was done before, but again the boot process starts and then gets stuck at the same step.
I am not 100% confident that the way I am signing the kernel is sufficient and/or correct.
For a moment my IT department disabled Secure Boot in the BIOS and the laptop booted into the installed kernel-ml without a problem. Actually, both the signed and the unsigned new kernel-ml could be booted successfully.
Hence I believe I am missing something.
Unfortunately I cannot keep it like this, since IT policy requires Secure Boot to be enabled, and with that in place kernel-ml does not work.
The elrepo kernels are already signed during their build process, much like how we (release engineering) sign the stock kernels provided by the distribution. There should be no reason to try to sign the binary files with your own keys.
Sorry, but kernel-ml is not signed for SecureBoot, as indicated in kernel-ml (2nd paragraph in the Notes section):
These packages are provided ‘As-Is’ with no implied warranty or support. Using the kernel-ml may expose your system to security, performance and/or data corruption issues. Since timely updates may not be available from the ELRepo Project, the end user has the ultimate responsibility for deciding whether to continue using the kernel-ml packages in regular service. These packages are not signed for SecureBoot.
ELRepo’s kmod packages are all signed with their own SB key.
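As an added illustration of what the replies above say (this is not code from the thread, nor ELRepo's or Rocky's tooling): under Secure Boot, shim and GRUB look in the PE image's Security data directory for an Authenticode (PKCS#7) signature table, and a kernel whose table is empty fails exactly like the "bad shim signature" error the question quotes. The script below locates that directory in a vmlinuz file and reports whether a signature table is present. It does not verify the signature against db or MOK, so a reported signature still has to chain to a key that is actually enrolled. The minimal PE32+ images it builds for offline testing are constructed and are not real kernels, and all function names are my own.

```python
"""Report whether a UEFI PE/COFF image (e.g. /boot/vmlinuz-*) carries an
Authenticode signature table. Parsing follows the PE format: the Security
data-directory entry (index 4) holds a raw file offset to a WIN_CERTIFICATE
table; an entry of (0, 0) means the image is unsigned."""
import struct
import sys

SECURITY_DIR = 4                      # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def security_directory(image):
    """Return (file_offset, size) of the Security entry, or None if not PE32/PE32+."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0" or pe + 24 > len(image):
        return None
    opt = pe + 24                                           # signature + 20-byte COFF header
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]  # SizeOfOptionalHeader
    if opt_size < 2 or opt + opt_size > len(image):
        return None
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                                      # PE32
        dirs = opt + 96
    elif magic == 0x20B:                                    # PE32+ (x86_64 vmlinuz)
        dirs = opt + 112
    else:
        return None
    entry = dirs + SECURITY_DIR * 8
    if entry + 8 > opt + opt_size:
        return (0, 0)                                       # header too short to hold it
    count = struct.unpack_from("<I", image, dirs - 4)[0]    # NumberOfRvaAndSizes
    if count <= SECURITY_DIR:
        return (0, 0)
    return struct.unpack_from("<II", image, entry)


def parse_certificates(image, offset, size):
    """Walk the WIN_CERTIFICATE table at a file offset; entries are 8-byte aligned."""
    certs = []
    end = min(offset + size, len(image))
    while offset + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", image, offset)
        if length < 8 or offset + length > end:
            break                                           # truncated table: do not trust it
        certs.append({"length": length, "revision": revision, "type": ctype,
                      "pkcs7": image[offset + 8:offset + length]})
        offset += (length + 7) & ~7
    return certs


def signature_status(image):
    """Summarise the image: is it PE, and does it carry a PKCS#7 signature blob?"""
    entry = security_directory(image)
    if entry is None:
        return {"pe": False, "signed": False, "certs": []}
    off, size = entry
    certs = parse_certificates(image, off, size) if off and size else []
    signed = any(c["type"] == WIN_CERT_TYPE_PKCS_SIGNED_DATA and c["pkcs7"] for c in certs)
    return {"pe": True, "signed": signed, "certs": certs}


def build_sample_image(signed):
    """Constructed minimal PE32+ image for offline testing; NOT a real kernel."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    opt_size = 112 + 16 * 8                                 # PE32+ header with 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    body_len = len(dos) + 4 + len(coff) + opt_size
    cert, sec_off, sec_size = b"", 0, 0
    if signed:
        blob = b"\x30\x82\x01\x00" + b"\xaa" * 16           # placeholder DER, not a real PKCS#7
        cert = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        cert += b"\0" * (-len(cert) % 8)                    # pad to 8-byte alignment
        sec_off, sec_size = body_len, len(cert)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                   # Magic: PE32+
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + SECURITY_DIR * 8, sec_off, sec_size)
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_image(signed=True)              # constructed sample
    status = signature_status(data)
    print("PE image:", status["pe"], "signed:", status["signed"])
    for c in status["certs"]:
        print(f"  WIN_CERTIFICATE revision=0x{c['revision']:04x} type=0x{c['type']:04x} "
              f"length={c['length']} (PKCS#7 blob {len(c['pkcs7'])} bytes)")
```

Run it as `python3 pe_sig_check.py /boot/vmlinuz-<version>` (the file name is my own placeholder); with no argument it checks its own constructed sample. From a shell, `pesign -S -i /boot/vmlinuz-<version>` or `sbverify --list` on the same file give the same answer plus the signer certificate, which is what you need to confirm that a kernel is signed with a key you have actually enrolled in db or MOK rather than merely signed by someone.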