Kernel-ml with UEFI secure boot and LUKS support

Hello experts!

I am trying to install kernel-ml on my Rocky 9 system (5.14.0-70.26.1.el9_0.x86_64), but the out-of-the-box installation (dnf install kernel-ml kernel-ml-devel) leads to the following problems:

  1. It appears that it is not signed, because when booting from it, immediately after GRUB, I get the following:
error: ../../grub-core/kern/efi/sb.c:183:bad shim signature.
error: ../../grub-core/loader/i386/efi/linux.c:233:you need to load the kernel first.

Press any key to continue...

I believe I was able to overcome this by following the steps from this guide, although a few commands have to be changed to match Rocky.

  2. So now, when it starts to boot, after a few seconds (~4 s) it stops as soon as the USB keyboard is detected.

I guess this has to do with the operating system disk being encrypted, since with the “stock” kernel at that point it asks for the LUKS password of the encrypted disk.

With kernel-ml it just stays there; I cannot type anything and the laptop is unresponsive.

Are there any hints?

The kernels should be signed with ELRepo’s keys. See this page.

That’s a good pointer @nazunalika !

Thanks for bringing this up.

The thing is that I don’t know/have ELRepo’s private key to sign the kernel with (signing needs the private key, not just the certificate), which makes sense, as it is a private key.

So I went ahead and inserted the certificate that they provide for their kmod packages, but it didn’t make any difference.
kernel-ml couldn’t be booted with this error:

error: ../../grub-core/kern/efi/sb.c:183:bad shim signature.
error: ../../grub-core/loader/i386/efi/linux.c:233:you need to load the kernel first.

Press any key to continue...

I tried to sign the kernel with my personal key, which is already inserted as it was done before, but again the boot process starts and then gets stuck at the same step.

Any other pointers/recommendations?

I am not 100% confident that the signing I am doing on the kernel is enough and/or correct.

For a moment my IT department disabled Secure Boot in the BIOS, and the laptop booted into the installed kernel-ml without a problem. Actually, both the signed and the unsigned newly installed kernel-ml could be booted successfully.

Hence I believe I am missing something.

Unfortunately I cannot keep it that way, since the IT policy requires Secure Boot to be enabled, and with that in place kernel-ml does not work.

So, I am still looking for a solution here…

The elrepo kernels are already signed during their build process, much like how we (release engineering) sign the stock kernels provided by the distribution. There should be no reason to try to sign the binary files with your own keys.

%pesign -s -i $SignImage -o vmlinuz.signed -a %{secureboot_ca_0} -c %{secureboot_key_0} -n %{pesign_name_0}

You should reinstall the kernel and start fresh, and ensure the secure boot keys from elrepo are set up correctly in the system firmware.

Sorry, but kernel-ml is not signed for SecureBoot, as indicated in kernel-ml, 2nd paragraph of the Notes section:

These packages are provided ‘As-Is’ with no implied warranty or support. Using the kernel-ml may expose your system to security, performance and/or data corruption issues. Since timely updates may not be available from the ELRepo Project, the end user has the ultimate responsibility for deciding whether to continue using the kernel-ml packages in regular service. These packages are not signed for SecureBoot.

ELRepo’s kmod packages are all signed with their own SB key.

@nazunalika , the keys from elrepo are set in the system firmware.
But, as @toracat said, kernel-ml is not signed, only the kmod packages.

So I somehow have to sign it properly in order to use it.

Any pointers anyone?
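An added example, not posted by anyone in this thread and not ELRepo's or Rocky's own tooling: the sign-it-yourself route the thread converges on (an unsigned kernel-ml vmlinuz, a Machine Owner Key enrolled through shim's MokManager, the kernel signed with that key), written out so each step can be checked before rebooting. It assumes the sbsigntools package (sbsign/sbverify), mokutil and openssl are installed, and keeps the key material under a directory of my choosing (/root/mok, an assumption, overridable with MOK_DIR). The offline sbverify call at the end mirrors what shim's shim_lock verifier does when GRUB loads the image, so if it reports the signature OK with the enrolled cert, the "bad shim signature" error from the first post should not come back for that image. The later hang after the USB keyboard is detected is a separate problem that this script does not address.

```shell
#!/bin/sh
# Added example (not from the thread): sign an unsigned kernel-ml vmlinuz with
# a self-generated Machine Owner Key (MOK) so shim accepts it under Secure Boot.
# Assumes sbsigntools (sbsign/sbverify), mokutil and openssl are installed.
# MOK_DIR and the certificate CN below are my own choices (assumptions).
set -eu

MOK_DIR="${MOK_DIR:-/root/mok}"
MOK_CN="${MOK_CN:-Local kernel-ml signing key}"

# Fail early if a required tool is absent; prints the missing name, returns 1.
require_tools() {
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
    done
}

# Create an RSA-2048 key pair and a self-signed X.509 cert in $1 (idempotent).
# Writes MOK.key (private, mode 0600), MOK.crt (PEM, for sbsign/sbverify) and
# MOK.der (DER, the form mokutil --import expects).
make_mok_key() {
    dir="$1"
    mkdir -p "$dir"
    if [ ! -f "$dir/MOK.key" ]; then
        ( umask 077; openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
              -subj "/CN=$MOK_CN" -keyout "$dir/MOK.key" -out "$dir/MOK.crt" )
    fi
    openssl x509 -in "$dir/MOK.crt" -outform DER -out "$dir/MOK.der"
}

# Queue the cert for enrollment. mokutil asks for a one-time password; on the
# next reboot shim's MokManager asks for it again and adds the cert to MokList.
# This is the "inserted" key the thread refers to.
enroll_mok() {
    mokutil --import "$1/MOK.der"
}

# Is the cert already in MokList? Relies on the "already enrolled" wording that
# mokutil --test-key prints (assumption: adjust the pattern if your version differs).
mok_enrolled() {
    mokutil --test-key "$1/MOK.der" 2>/dev/null | grep -q 'already enrolled'
}

# Keep the unsigned image, write the signed one over the original path, then
# verify it offline against the same cert shim will find in MokList.
sign_kernel() {
    kernel="$1"; dir="$2"
    [ -f "$kernel" ] || { echo "no such kernel image: $kernel" >&2; return 1; }
    cp -a "$kernel" "$kernel.unsigned"
    sbsign --key "$dir/MOK.key" --cert "$dir/MOK.crt" \
           --output "$kernel" "$kernel.unsigned"
    sbverify --cert "$dir/MOK.crt" "$kernel"
}

main() {
    kernel="$1"
    require_tools openssl mokutil sbsign sbverify
    echo "firmware: $(mokutil --sb-state)"
    make_mok_key "$MOK_DIR"
    if mok_enrolled "$MOK_DIR"; then
        echo "MOK already enrolled"
    else
        echo "MOK not enrolled yet: queuing it; reboot and confirm in MokManager"
        enroll_mok "$MOK_DIR"
    fi
    sign_kernel "$kernel" "$MOK_DIR"
    echo "signed $kernel (repeat after every kernel-ml update)"
}

# Usage: sh sign-kernel-ml.sh /boot/vmlinuz-<kernel-ml version>
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Two practical notes. The signature covers only that one vmlinuz, so every kernel-ml update installs a fresh unsigned image that has to be signed again; and once MOK.key can sign kernels the firmware will boot, it is as sensitive as the ELRepo key the second post mentions, so keep it out of /boot and off the machine if possible. pesign, as in the spec line quoted above, can do the same signing but wants the key in an NSS database, which is why sbsign with plain PEM files is used here.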