Signing kernel

Dmitry Kasatkin dmitry.kasatkin at
Wed Sep 25 14:11:57 UTC 2013

On Wed, Sep 25, 2013 at 4:47 PM, Andy Whitcroft <apw at> wrote:
> On Wed, Sep 25, 2013 at 01:50:58PM +0300, Dmitry Kasatkin wrote:
>> Hello,
>> How Ubuntu kernel signing is done?
>> I am able to use "sbsing" to sign the kernel and boot it from UEFI
>> boot manager or from other one like gummitboot.
>> But my Ubuntu grub does not want to boot it..
>> Just hangs..
>> Any advises?
> As far as I know that is the same proceedure as used to sign the
> kernels.  They are signed using sbsign thought obviously using a secret
> key that is specific to Ubuntu.  How does gummitboot allow you to add
> your personal secret key for your kernels?
> -apw

I took ownership of the platform by enrolling my own keys: PK, KEK and db.

And I do signing using sbsign.
UEFI is able to boot my kernel directly or using UEFI bootloaders such
as gummiboot.

But Ubuntu grub does not want to boot it.
I thought it should use "db" keys to verify.

Or does it use only Canonical key?


More information about the kernel-team mailing list