M-P-P-C/Signing-an-Ubuntu-Kernel-for-Secure-Boot

Signing a Linux Kernel for Secure Boot

A step-by-step guide on how to install and sign a Linux kernel to boot with Secure Boot, because it shouldn't be so hard to have the latest drivers for your machine.

I do not guarantee this will work with your machine, so do it at your own risk. If the new kernel does not boot, it should still be possible to roll back to the working one by selecting it from the GRUB menu, since installing a new kernel does not remove the old one.

(This is currently a work in progress, so not all information is final and more will be added in the future)

Why

Hardware vendors, such as Intel, have started to disable features if Secure Boot is not enabled, which could leave a Linux distro completely unable to use integrated graphics. On top of that, some drivers are only available in newer kernel releases, so there is no easy way to install the drivers you may need. These problems are most relevant for Linux installations on laptops.

I spent a long time trying to battle against Secure Boot not letting me install new kernels, because you need to sign the images yourself, and the guides I've found on how to do so tend to be aimed towards system administrators who know more than a general Linux user. So I decided to put together a clear step-by-step guide, because I think everyone deserves the latest Linux kernels.

How

To cover the process beginning to end we'll separate it into two steps: installing a kernel, and signing it for Secure Boot.

Installing a Kernel

First, check which kernel version you are currently running with:

uname -r

In your directory of choice, create a folder where you can place the files we'll handle during this process.

We can get the kernel files from Ubuntu's mainline kernel repository. Note that versions ending in "-rcX" are "Release Candidate" builds and may be less stable. For a 64-bit (amd64) machine, download the following four files, where <version-num> is the kernel version you picked:

  • linux-headers-<version-num>_all.deb
  • linux-headers-<version-num>_amd64.deb
  • linux-image-<version-num>_amd64.deb
  • linux-modules-<version-num>_amd64.deb

Ubuntu mainline kernel repository for 5.14

Put all the downloaded packages into a folder, then, from within that folder, install them with:

sudo dpkg -i *.deb

Signing a Kernel for Secure Boot

Once the kernel has been installed we can proceed to signing it for Secure Boot.

Create a Key

In the same folder we used for installing the kernel, create a file named "mokconfig.cnf" with the following contents, replacing the values inside "<>" with your own (you may also download the template file from here):

# This definition stops the following lines failing if HOME isn't defined.
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd
[ req ]
distinguished_name      = req_distinguished_name
x509_extensions         = v3
string_mask             = utf8only
prompt                  = no

[ req_distinguished_name ]
countryName             = <YOURcountrycode>
stateOrProvinceName     = <YOURstate>
localityName            = <YOURcity>
0.organizationName      = <YOURorganization>
commonName              = Secure Boot Signing Key
emailAddress            = <YOURemail>

[ v3 ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
# A leaf certificate that is not itself a CA
basicConstraints        = critical,CA:FALSE
# codeSigning plus the Microsoft "Windows System Component Verification" OID,
# the extended key usages expected of a UEFI signing certificate
extendedKeyUsage        = codeSigning,1.3.6.1.4.1.311.10.3.6
nsComment               = "OpenSSL Generated Certificate"

Within the same directory, run the following command to create our MOK key pair (MOK.priv is the private key, MOK.der the self-signed certificate, valid for 100 years):

openssl req -config ./mokconfig.cnf \
        -new -x509 -newkey rsa:2048 \
        -nodes -days 36500 -outform DER \
        -keyout "MOK.priv" \
        -out "MOK.der"

To sign the kernel we need the certificate in PEM format, which is what "sbsign" expects. Keep MOK.priv private: "-nodes" writes it unencrypted, and anyone who obtains it can sign kernels that your firmware will trust once the certificate is enrolled.

openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem

Now enroll the new MOK certificate into shim's MOK list:

sudo mokutil --import MOK.der

You'll be asked to set a password. The import only queues the request: on the next reboot shim starts MokManager, where you choose "Enroll MOK", confirm, and enter that same password. Until that is done the kernel you sign below will still be rejected.

Signing the Kernel

Now that we have a key, we can sign the kernel image we installed earlier. Replace [KERNEL-VERSION] with the version string of the installed kernel, as it appears in the /boot/vmlinuz-* file name. sbsign leaves the original image untouched and writes the signed copy next to it:

sudo sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-[KERNEL-VERSION]-generic --output /boot/vmlinuz-[KERNEL-VERSION]-generic.signed
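The three steps above (create the key, enroll it, sign the image) as one script, with the checks the guide leaves out: the private key is created under a restrictive umask and chmod'ed, the enrolment is skipped if a MOK with our commonName is already listed, and the signed image is verified with sbverify against our own certificate before we trust it. This is an added example, not a script from this repository; it assumes sbsigntool (sbsign and sbverify), mokutil and openssl are installed, that the guide's mokconfig.cnf sits in the directory named by KEYDIR (a name chosen here), and that the kernel was installed as /boot/vmlinuz-<version>-generic. The path helpers and the "run" guard exist only so the file can be sourced and checked without touching /boot.

```shell
#!/bin/sh
# Added example, not a script from this repository: the key creation, enrolment
# and signing steps of the guide in one place, plus the checks the guide omits.
# Assumptions (not stated by the guide): sbsigntool (sbsign, sbverify), mokutil
# and openssl are installed, mokconfig.cnf from the guide lives in $KEYDIR, and
# the mainline kernel was installed as /boot/vmlinuz-<version>-generic.
set -eu

KEYDIR=${KEYDIR:-${HOME:-.}/secureboot-keys}   # assumed key location, change to taste
MOK_CN='Secure Boot Signing Key'               # commonName from mokconfig.cnf

# Path helpers, kept pure so they can be checked without touching /boot.
unsigned_image_path() { printf '/boot/vmlinuz-%s\n' "$1"; }
signed_image_path()   { printf '/boot/vmlinuz-%s.signed\n' "$1"; }

require_tool() {
    command -v "$1" >/dev/null 2>&1 || { echo "missing tool: $1 (package $2)" >&2; exit 1; }
}

# 1. Create the MOK key pair once. -nodes leaves MOK.priv unencrypted, so the
#    umask and chmod are its only protection; whoever holds it can sign kernels
#    this machine's firmware will trust.
create_mok_key() {
    if [ -f "$KEYDIR/MOK.priv" ]; then
        echo "using existing $KEYDIR/MOK.priv"
        return 0
    fi
    mkdir -p "$KEYDIR"
    ( umask 077 && openssl req -config "$KEYDIR/mokconfig.cnf" \
          -new -x509 -newkey rsa:2048 -nodes -days 36500 -outform DER \
          -keyout "$KEYDIR/MOK.priv" -out "$KEYDIR/MOK.der" )
    chmod 600 "$KEYDIR/MOK.priv"
    # sbsign wants the certificate as PEM; the DER copy is what mokutil enrolls.
    openssl x509 -in "$KEYDIR/MOK.der" -inform DER -outform PEM -out "$KEYDIR/MOK.pem"
}

# 2. Queue the certificate for enrolment. MokManager asks for the password chosen
#    here on the next boot; skip if a certificate with our CN is already enrolled.
enroll_mok() {
    if mokutil --list-enrolled 2>/dev/null | grep -q "$MOK_CN"; then
        echo "a MOK with CN '$MOK_CN' is already enrolled"
        return 0
    fi
    sudo mokutil --import "$KEYDIR/MOK.der"
    echo "reboot, pick 'Enroll MOK' in MokManager and enter the password you just set"
}

# 3. Sign one installed kernel image and verify the result against our certificate.
sign_kernel() {
    ver=$1
    img=$(unsigned_image_path "$ver")
    out=$(signed_image_path "$ver")
    [ -f "$img" ] || { echo "no such kernel image: $img" >&2; exit 1; }
    sudo sbsign --key "$KEYDIR/MOK.priv" --cert "$KEYDIR/MOK.pem" "$img" --output "$out"
    # sbverify exits non-zero unless the image carries a signature made with MOK.pem
    sudo sbverify --cert "$KEYDIR/MOK.pem" "$out"
}

main() {
    require_tool sbsign sbsigntool
    require_tool mokutil mokutil
    require_tool openssl openssl
    echo "Firmware reports: $(mokutil --sb-state)"
    create_mok_key
    enroll_mok
    sign_kernel "${1:-$(uname -r)}"
}

# Only act when invoked as "sh sign-kernel.sh run [version]"; sourcing the file
# just defines the functions.
if [ "${1-}" = run ]; then
    shift
    main "$@"
fi
```

Run it as `sh sign-kernel.sh run 5.14.0-051400-generic` (the version string is an example); leaving the version out signs the running kernel, which is only useful after you have already booted the new one. The sbverify step is the important addition: a kernel that sbsign wrote but that does not verify against MOK.pem will still be refused by shim, so failing here is cheaper than failing at boot.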

Resources

There are tools that simplify installing and managing Linux kernels on your machine, e.g. Ukuu, its deprecated free version (Ukuu on GitHub), or its maintained open-source fork, Mainline.

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
