How to Create a Secure Bootable Linux Kernel Image Package

Asked 2 months ago, Updated 2 months ago, 4 views

Ubuntu 16.04.4 LTS is being used with Microsoft Surface pro3.
Cannot add wireless LAN interface to bridge interfaceYes.
You are trying to create a .deb package by modifying the kernel for a purpose in .

First, build and install the package without fixing it

$apt source linux-image-4.13.0-38-generic
$ dpkg-buildpackage-B

The kernel image package has now been created.
Then install the package.

$sudodpkg-irinux-image-4.13.0-38-generic_4.13.0-38.43 to 16.04.1_amd64.deb

The installation was successful and I booted it, but it was blocked by a secure boot and failed to boot.
If you disable secure boot, it will boot, but if Surface disables secure boot, it will boot. I'd like to boot with secure boot enabled because I mess with the red power-on logo.

To boot a built kernel to secure boot I can imagine that you might need to sign your name as a procedure.
 1. Generate your own certificate and private key
 2. Sign (probably *.ko too)
 3. Install the certificate into UEFI
I think you need to do this.

However, I don't know exactly what to do.
If I put my certificate and private key somewhere in the downloaded source, will they do whatever they want?
Do I have to do the steps I imagine myself?

By the way, install ubuntu on the surface and launch Guest OS: Windows 10 on VirtualBox
It is used in a sarcastic way.
Secure boot blocked when modprobeing the VirtualBox driver
I have the experience of successfully modprobe even with secure boot by referring to the .

How do I enable a built kernel to boot to secure boot?

linux ubuntu

2022-09-30 14:24

1 Answers

↑ This is a wiki for archlinux, but I think it will be helpful.

You can download signed PreLoader.efi and HashTool.efi from the "Manual Download" link.

  • The PreLoader has been signed, so it can boot to secure boot.
  • PreLoader loads and boots bootloader (systemd-boot, grub, etc.).
  • boot loader loads and boots kernel image

If a security error occurs along the way, the signed HashTool starts immediately and the user can enter the file name on the spot.Enroll to start the binary.Also, loading *.ko is already independent of secure boot, so it reads without any action.

I use this method, but
In this flow, instead of signing the kernel image when it was created, it was enrolled at boot time, so it is powerless to tamper with it until it is enrolled after creating the kernel image.

The reason why I want to support secure boot is

Surface fiddles with the red power-on logo when secure boot is disabled.

Therefore, I think the above method is not a problem, but if it is not, and you still want to sign it yourself,
On the page above, there is an item
Use the key you signed yourself. I think this method will allow you to sign the kernel image you created right away.
I've never done it before, so I don't know the details.

2022-09-30 14:24

If you have any answers or tips

© 2022 OneMinuteCode. All rights reserved.