Date: Thu, 13 Oct 2022 01:52:06 +0530
From: Deepak R Varma
To: Julia Lawall
Cc: outreachy@lists.linux.dev
Subject: Re: trouble booting into staging kernel

On Mon, Oct 10, 2022 at 01:25:56AM +0530, Deepak R Varma wrote:
> On Sun, Oct 09, 2022 at 09:12:37PM +0200, Julia Lawall wrote:
> >
> >
> > On Mon, 10 Oct 2022, Deepak R Varma wrote:
> >
> > > On Sun, Oct 09, 2022 at 07:56:51PM +0200, Julia Lawall wrote:
> > > >
> > > >
> > > > On Sun, 9 Oct 2022, Deepak R Varma wrote:
> > > >
> > > > > Hello,
> > > > > I am natively running 5.15.0-48-generic on my HP Laptop with Secure boot on. I
> > > > > tried to follow the Kernel First patch tutorial steps and managed to build
> > > > > Kernel release 6.0.0rc4. There were issues during the module building associated
> > > > > with the certificates / signing of the modules. I got those suppressed by
> > > > > emptying the following two config parameters as copied over from the native
> > > > > config file:
> > > > >
> > > > > CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
> > > > > CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"
> > > > >
> > > > > set to new value
> > > > >
> > > > > CONFIG_SYSTEM_TRUSTED_KEYS=""
> > > > > CONFIG_SYSTEM_REVOCATION_KEYS=""
> > > > >
> > > > > The build was successful, however, I am unable to boot into my new kernel and
> > > > > have received following errors:
> > > > >
> > > > > error: bad shim signature
> > > > > Loading initial ramdisk
> > > > > error: you need to load the kernel first
> > > > >
> > > > > I tried to seek from net, but did not find any workable resolution. Can you
> > > > > please suggest how I can correct this error or if I missed any steps?
> > > >
> > > > Maybe you have to remove secure boot? I have the impression that I did
> > > > that on one of my machines, but I don't have that machine in front of me.
> > >
> > > Thank you for the quick response. I did try disabling the secure boot option and
> > > also cleared the certificate DB. Tried a few combinations of these options.
> > > Unfortunately, nothing helped so far.
> >
> > Did you try what is described here?
> >
> > https://unix.stackexchange.com/questions/701612/cant-load-self-signed-kernel-with-secure-boot-on-bad-shim-signature
>
> I am planning to do the following from this link next. I will let you know how
> it goes.

Hi Julia,
I realized that working with the certificates is very complex. I also
encountered additional issues during the module building step. It's looking good
now. I was able to get past the module signing issues during the installation
steps using this [1] link. However, I am now unable to load the kernel image
since it is not signed. I am going to attempt to sign the image and also add the
certificate to the db. Hopefully that will be the last step before I can proceed
to sharing my first patch.

[1]: https://github.com/andikleen/simple-pt/issues/8

Thank you,
./drv

>
> Create your own secureboot signing certificate without such an EKU, enroll it into either mok or db, and use it for signing.
>
> Thank you,
> ./drv
>
> >
> > julia
> >
> > >
> > > Let me know if I should share any of the files / logs from my system for your
> > > review.
> > >
> > > >
> > > > Welcome, by the way :)
> > >
> > > Thank you Julia. Pleased to be part of this internship challenge.
> > >
> > > ./drv
> > >
> > > >
> > > > julia
> > > >
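
The step quoted in the thread (create a Secure Boot signing certificate, enroll it in MOK or db, sign the kernel with it), as an added shell example that is not part of the original messages. The file names, the certificate subject and the kernel path argument are assumptions, and limiting the EKU to codeSigning is one reading of the quoted advice; `enroll_and_sign` needs root, `mokutil` and `sbsigntool`, and the enrollment is only completed at the MokManager prompt on the next boot.

```shell
#!/bin/sh
# Added example: file names and the subject CN are assumptions, not from the thread.

# Generate an RSA key and a self-signed certificate whose only EKU is codeSigning,
# plus a DER copy, which is the format mokutil imports.
make_sb_cert() {
    dir=$1
    cat > "$dir/sb.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3
prompt             = no
[ dn ]
CN = Local Secure Boot signing key
[ v3 ]
basicConstraints     = critical,CA:FALSE
keyUsage             = digitalSignature
extendedKeyUsage     = codeSigning
subjectKeyIdentifier = hash
EOF
    ( umask 077   # the private key is unencrypted (-nodes): keep it owner-only
      openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
          -config "$dir/sb.cnf" -keyout "$dir/MOK.key" -out "$dir/MOK.crt" ) 2>/dev/null &&
    openssl x509 -in "$dir/MOK.crt" -outform DER -out "$dir/MOK.der"
}

# Print the certificate's EKU list so it can be checked before enrolling.
cert_eku() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//; s/ *$//'
}

# Queue the certificate for MOK enrollment, then sign the kernel image and
# verify the signature against the same certificate.
enroll_and_sign() {
    dir=$1 kernel=$2
    mokutil --import "$dir/MOK.der" &&   # confirmed in MokManager on next boot
    sbsign --key "$dir/MOK.key" --cert "$dir/MOK.crt" \
           --output "$kernel.signed" "$kernel" &&
    sbverify --cert "$dir/MOK.crt" "$kernel.signed"
}
```

Run `make_sb_cert` on a directory only root can read, check the output of `cert_eku`, then call `enroll_and_sign` with that directory and the path of the built kernel image.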