a problem of ubuntu build system

Seth Forshee seth.forshee at canonical.com
Fri Jun 18 12:44:27 UTC 2021


Please send emails to this mailing list as plain text, not
html-formatted.

On Fri, Jun 18, 2021 at 11:38:34AM +0800, hanguangyu1268 wrote:
> Hi,
> 
> How can I build a signed Ubuntu kernel?
> 
> run fakeroot debian/rules binary
> 
> I hope to get linux-image-signed-5.x.x.$(myarch).deb

You cannot get a signed kernel as an output from our linux package
build. It doesn't produce a signed kernel, as the actual signing of
kernels for Ubuntu is done by launchpad.

What you can do is create your own signing key and use sbsign to sign
kernels you build with that key. In order to boot those kernels under
UEFI secure boot you will need to enrol the key with shim as a MOK. Here
is some information about doing this:

https://ubuntu.com/blog/how-to-sign-things-for-secure-boot

Be sure to read that carefully, as it notes changes which are required
to the openssl.cnf as given in order to sign kernels. There's an OID
which must be removed from extendedKeyUsage, or else the key will only
be valid for signing modules.

Seth
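
Added example (not part of the original message, and not Ubuntu's own tooling): a pre-flight check for the extendedKeyUsage caveat described above, run before creating a MOK and signing a kernel with sbsign. The OID value, the file names (MOK.priv, MOK.der, MOK.pem) and all function names are assumptions that do not appear in the message; verify the OID against the linked post.

```shell
#!/bin/sh
# Added example. ASSUMPTION: this is the OID the linked blog post refers to;
# confirm against the post before relying on it.
MODULE_ONLY_OID='1.3.6.1.4.1.2312.16.1.2'
OID_RE=$(printf '%s' "$MODULE_ONLY_OID" | sed 's/\./\\./g')   # escape dots for sed

# Constructed sample: a [ v3 ] section that still carries the module-only OID.
sample_conf() {
cat <<'EOF'
[ v3 ]
subjectKeyIdentifier = hash
basicConstraints     = critical,CA:FALSE
extendedKeyUsage     = codeSigning,1.3.6.1.4.1.2312.16.1.2
nsComment            = "OpenSSL Generated Certificate"
EOF
}

# Exit 0 only if no active (uncommented) extendedKeyUsage line lists the OID.
conf_ok_for_kernel() {
    ! grep -E '^[[:space:]]*extendedKeyUsage[[:space:]]*=' "$1" |
        grep -qF "$MODULE_ONLY_OID"
}

# Print the config with the OID dropped from a comma-separated extendedKeyUsage.
strip_module_only_oid() {
    sed -E "/^[[:space:]]*extendedKeyUsage[[:space:]]*=/ {
        s/,[[:space:]]*${OID_RE}//
        s/${OID_RE}[[:space:]]*,[[:space:]]*//
    }" "$1"
}

# Usage: sign_kernel complete-openssl.cnf path/to/vmlinuz  (both caller-supplied)
# Runs in a subshell so the restrictive umask does not leak to the caller.
sign_kernel() (
    conf=$1 kernel=$2
    umask 077   # MOK.priv is written unencrypted (-nodes); keep it owner-only
    conf_ok_for_kernel "$conf" ||
        { echo "refusing: $conf would yield a module-only key" >&2; exit 1; }
    openssl req -config "$conf" -new -x509 -newkey rsa:2048 -nodes -days 36500 \
        -outform DER -keyout MOK.priv -out MOK.der || exit 1
    openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem || exit 1
    sbsign --key MOK.priv --cert MOK.pem --output "$kernel.signed" "$kernel" || exit 1
    sbverify --cert MOK.pem "$kernel.signed"
    # Enrol with shim afterwards (interactive, finishes in MokManager on reboot):
    #   sudo mokutil --import MOK.der
)
```

The sample config holds only the extensions section; sign_kernel expects a complete openssl.cnf with its own request and distinguished-name sections.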


