I am experiencing the same issue when using the Ubuntu generated MOK
cert to sign Ubuntu mainline kernels on Hirsute. I receive the exact
same error as the OP: "invalid signature" when grub tries to start the
manually signed kernel. The regular linux images from the Ubuntu PPAs
work just fine as they're signed by Canonical certs.

I have correctly enrolled the certificate as it's needed for the nvidia
driver kernel modules (DKMS) and these are loading correctly.

MOK_DIRECTORY="/var/lib/shim-signed/mok"
# KERNEL_IMAGE holds the path of the kernel image being signed in place
sbsign --key "$MOK_DIRECTORY/MOK.priv" --cert "$MOK_DIRECTORY/MOK.pem" \
    --output "$KERNEL_IMAGE" "$KERNEL_IMAGE"

Running "sudo openssl x509 -in /var/lib/shim-signed/mok/MOK.pem -text"
shows the Extended Key Usage:

            X509v3 Extended Key Usage:
                Code Signing, 1.3.6.1.4.1.2312.16.1.2

My understanding is that this Code Signing value is very important to
describe what a MOK private key is allowed to sign. I believe that shim
checks the Linux image that is signed with the correct Code Signing
codes and if it doesn't match what it expects it returns the "invalid
signature" error. Anyway, for whatever reason, Ubuntu 21.04 does not
allow me to boot these signed kernels like 20.10 did. I do seem to be
loading the Grub2 Shim EFI boot loader which should validate the signed
image, but it does not.

I have now validated the same error on two different machines: Dell
Precision laptop and an AMD 5900X workstation on 21.04. So, I'm pretty
confident it's not limited to just my specific upgraded instance.
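As an added pre-flight check (my own example, not the reporter's or Ubuntu's code): it parses the Extended Key Usage section of `openssl x509 -text` output and flags a MOK whose EKU carries 1.3.6.1.4.1.2312.16.1.2, which I assume shim's verifier treats as a module-signing-only restriction that blocks booting a kernel signed with that key. The sample output is constructed to mirror the one quoted above, and the only name-to-OID mapping assumed is OpenSSL's "Code Signing" to 1.3.6.1.5.5.7.3.3.

```python
#!/usr/bin/env python3
"""Check a MOK certificate's EKU before using it to sign a kernel.

Assumption (not stated in the bug report): shim treats the OID
1.3.6.1.4.1.2312.16.1.2 as "module signing only" and refuses to boot
an image signed by a certificate that carries it.
"""
import re
import subprocess

MODSIGN_ONLY_OID = "1.3.6.1.4.1.2312.16.1.2"  # assumed module-signing-only EKU
CODE_SIGNING_OID = "1.3.6.1.5.5.7.3.3"        # id-kp-codeSigning
# openssl prints well-known EKUs by name; map the one we care about back to its OID
EKU_NAMES = {"Code Signing": CODE_SIGNING_OID}


def parse_eku(x509_text):
    """Return the EKU OIDs listed in `openssl x509 -text` output (empty if none)."""
    m = re.search(r"X509v3 Extended Key Usage:[^\n]*\n\s*([^\n]+)", x509_text)
    if not m:
        return []
    return [EKU_NAMES.get(item.strip(), item.strip())
            for item in m.group(1).split(",")]


def classify_mok(oids):
    """Report what the key is usable for under the assumed shim rule."""
    has_code_signing = CODE_SIGNING_OID in oids
    module_only = MODSIGN_ONLY_OID in oids
    return {
        "has_code_signing": has_code_signing,
        "module_signing_only": module_only,
        # shim boots the image only if the cert may sign code and is not module-only
        "boot_image_ok": has_code_signing and not module_only,
    }


def check_cert_file(path):
    """Run openssl on a real certificate file and classify its EKU."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-text"],
                         check=True, capture_output=True, text=True).stdout
    return classify_mok(parse_eku(out))


# Constructed sample mirroring the EKU block in the report above.
SAMPLE_X509_TEXT = """        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                Code Signing, 1.3.6.1.4.1.2312.16.1.2
"""

if __name__ == "__main__":
    print(classify_mok(parse_eku(SAMPLE_X509_TEXT)))
```

Point `check_cert_file` at /var/lib/shim-signed/mok/MOK.pem to test the enrolled cert; a result with `boot_image_ok` False explains the "invalid signature" without touching the bootloader.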

https://bugs.launchpad.net/bugs/1928917

Title:
  21.04 - MOK signed custom kernel not booting "invalid signature"
