trouble booting into staging kernel

trouble booting into staging kernel

[Deepak R Varma]

Hello,
I am natively running 5.15.0-48-generic on my HP Laptop with Secure boot on. I
tried to follow the Kernel First patch tutorial steps and managed to build
Kernel release 6.0.0rc4. There were issues during the module building associated
with the certificates / signing of the modules. I got those supressed by
emptying the following two config parameters as copied over from the native
config file:

CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"

set to new value

CONFIG_SYSTEM_TRUSTED_KEYS=""
CONFIG_SYSTEM_REVOCATION_KEYS=""

The build was successful, however, I am unable to boot into my new kernel and
have received following errors:

error: bad shim signature
Loading initial ramdisk
error: you need to load the kernel first

I tried to seek from net, but did not find any workable resolution. Can you
please suggested how can I correct this error or if I missed any steps?

Thank you,
Deepak.

Re: trouble booting into staging kernel

[Julia Lawall]

On Sun, 9 Oct 2022, Deepak R Varma wrote:

> Hello,
> I am natively running 5.15.0-48-generic on my HP Laptop with Secure boot on. I
> tried to follow the Kernel First patch tutorial steps and managed to build
> Kernel release 6.0.0rc4. There were issues during the module building associated
> with the certificates / signing of the modules. I got those supressed by
> emptying the following two config parameters as copied over from the native
> config file:
>
> CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
> CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"
>
> set to new value
>
> CONFIG_SYSTEM_TRUSTED_KEYS=""
> CONFIG_SYSTEM_REVOCATION_KEYS=""
>
> The build was successful, however, I am unable to boot into my new kernel and
> have received following errors:
>
> error: bad shim signature
> Loading initial ramdisk
> error: you need to load the kernel first
>
> I tried to seek from net, but did not find any workable resolution. Can you
> please suggested how can I correct this error or if I missed any steps?

Maybe you have to remove secure boot?  I have the impression that I did
that on one of my machines, but I don't have that machine in front of me.

Welcome, by the way :)

julia

Re: trouble booting into staging kernel

[Deepak R Varma]

On Sun, Oct 09, 2022 at 07:56:51PM +0200, Julia Lawall wrote:
>
>
> On Sun, 9 Oct 2022, Deepak R Varma wrote:
>
> > Hello,
> > I am natively running 5.15.0-48-generic on my HP Laptop with Secure boot on. I
> > tried to follow the Kernel First patch tutorial steps and managed to build
> > Kernel release 6.0.0rc4. There were issues during the module building associated
> > with the certificates / signing of the modules. I got those supressed by
> > emptying the following two config parameters as copied over from the native
> > config file:
> >
> > CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
> > CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"
> >
> > set to new value
> >
> > CONFIG_SYSTEM_TRUSTED_KEYS=""
> > CONFIG_SYSTEM_REVOCATION_KEYS=""
> >
> > The build was successful, however, I am unable to boot into my new kernel and
> > have received following errors:
> >
> > error: bad shim signature
> > Loading initial ramdisk
> > error: you need to load the kernel first
> >
> > I tried to seek from net, but did not find any workable resolution. Can you
> > please suggested how can I correct this error or if I missed any steps?
>
> Maybe you have to remove secure boot?  I have the impression that I did
> that on one of my machines, but I don't have that machine in front of me.

Thank you for the quick response. I did try disabling the secure boot option and
also cleared the certificate DB. Tried a few combinations of these options.
Unfortunately, nothing helped so far.

Let me know if I should share any of the files / logs from my system for your
review.

>
> Welcome, by the way :)

Thank you Julia. Pleased to be part of this internship challenge.

./drv

>
> julia

Re: trouble booting into staging kernel

[Julia Lawall]

On Mon, 10 Oct 2022, Deepak R Varma wrote:

> On Sun, Oct 09, 2022 at 07:56:51PM +0200, Julia Lawall wrote:
> >
> >
> > On Sun, 9 Oct 2022, Deepak R Varma wrote:
> >
> > > Hello,
> > > I am natively running 5.15.0-48-generic on my HP Laptop with Secure boot on. I
> > > tried to follow the Kernel First patch tutorial steps and managed to build
> > > Kernel release 6.0.0rc4. There were issues during the module building associated
> > > with the certificates / signing of the modules. I got those supressed by
> > > emptying the following two config parameters as copied over from the native
> > > config file:
> > >
> > > CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
> > > CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"
> > >
> > > set to new value
> > >
> > > CONFIG_SYSTEM_TRUSTED_KEYS=""
> > > CONFIG_SYSTEM_REVOCATION_KEYS=""
> > >
> > > The build was successful, however, I am unable to boot into my new kernel and
> > > have received following errors:
> > >
> > > error: bad shim signature
> > > Loading initial ramdisk
> > > error: you need to load the kernel first
> > >
> > > I tried to seek from net, but did not find any workable resolution. Can you
> > > please suggested how can I correct this error or if I missed any steps?
> >
> > Maybe you have to remove secure boot?  I have the impression that I did
> > that on one of my machines, but I don't have that machine in front of me.
>
> Thank you for the quick response. I did try disabling the secure boot option and
> also cleared the certificate DB. Tried a few combinations of these options.
> Unfortunately, nothing helped so far.

Did you try what is described here?

https://unix.stackexchange.com/questions/701612/cant-load-self-signed-kernel-with-secure-boot-on-bad-shim-signature

julia

>
> Let me know if I should share any of the files / logs from my system for your
> review.
>
> >
> > Welcome, by the way :)
>
> Thank you Julia. Pleased to be part of this internship challenge.
>
> ./drv
>
> >
> > julia
>
>
>

Re: trouble booting into staging kernel

[Deepak R Varma]

On Sun, Oct 09, 2022 at 09:12:37PM +0200, Julia Lawall wrote:
>
>
> On Mon, 10 Oct 2022, Deepak R Varma wrote:
>
> > On Sun, Oct 09, 2022 at 07:56:51PM +0200, Julia Lawall wrote:
> > >
> > >
> > > On Sun, 9 Oct 2022, Deepak R Varma wrote:
> > >
> > > > Hello,
> > > > I am natively running 5.15.0-48-generic on my HP Laptop with Secure boot on. I
> > > > tried to follow the Kernel First patch tutorial steps and managed to build
> > > > Kernel release 6.0.0rc4. There were issues during the module building associated
> > > > with the certificates / signing of the modules. I got those supressed by
> > > > emptying the following two config parameters as copied over from the native
> > > > config file:
> > > >
> > > > CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
> > > > CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"
> > > >
> > > > set to new value
> > > >
> > > > CONFIG_SYSTEM_TRUSTED_KEYS=""
> > > > CONFIG_SYSTEM_REVOCATION_KEYS=""
> > > >
> > > > The build was successful, however, I am unable to boot into my new kernel and
> > > > have received following errors:
> > > >
> > > > error: bad shim signature
> > > > Loading initial ramdisk
> > > > error: you need to load the kernel first
> > > >
> > > > I tried to seek from net, but did not find any workable resolution. Can you
> > > > please suggested how can I correct this error or if I missed any steps?
> > >
> > > Maybe you have to remove secure boot?  I have the impression that I did
> > > that on one of my machines, but I don't have that machine in front of me.
> >
> > Thank you for the quick response. I did try disabling the secure boot option and
> > also cleared the certificate DB. Tried a few combinations of these options.
> > Unfortunately, nothing helped so far.
>
> Did you try what is described here?
>
> https://unix.stackexchange.com/questions/701612/cant-load-self-signed-kernel-with-secure-boot-on-bad-shim-signature

I am planning to do the following from this link next. I will let you know how
it goes.

Create your own secureboot signing certificate without such an EKU, enroll it into either mok or db, and use it for signing.

Thank you,
./drv

>
> julia
>
> >
> > Let me know if I should share any of the files / logs from my system for your
> > review.
> >
> > >
> > > Welcome, by the way :)
> >
> > Thank you Julia. Pleased to be part of this internship challenge.
> >
> > ./drv
> >
> > >
> > > julia
> >
> >
> >
>

Re: trouble booting into staging kernel

[Stefano Brivio]

Hi Deepak,

On Sun, 9 Oct 2022 23:21:25 +0530
Deepak R Varma <drv@mailo.com> wrote:

> Hello,
> I am natively running 5.15.0-48-generic on my HP Laptop with Secure boot on. I
> tried to follow the Kernel First patch tutorial steps and managed to build
> Kernel release 6.0.0rc4.

Somewhat unrelated: in a past Outreachy round, we did a bit of work on
a tool with the idea of making these steps easier. It's not mentioned
in the tutorial, as we didn't have time to polish it up completely, but
maybe you want to give it a try. Basic usage demo and source at:

  https://mbuto.sh

I'm not mentoring for this round, so I'm just throwing this around
without claiming any responsibility. :)

About the specific issue you're hitting, I don't have any pointer other
than what Julia already shared.

> There were issues during the module building associated
> with the certificates / signing of the modules. I got those supressed by
> emptying the following two config parameters as copied over from the native
> config file:
> 
> CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
> CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"
> 
> set to new value
> 
> CONFIG_SYSTEM_TRUSTED_KEYS=""
> CONFIG_SYSTEM_REVOCATION_KEYS=""
> 
> The build was successful, however, I am unable to boot into my new kernel and
> have received following errors:
> 
> error: bad shim signature
> Loading initial ramdisk
> error: you need to load the kernel first
> 
> I tried to seek from net, but did not find any workable resolution. Can you
> please suggested how can I correct this error or if I missed any steps?
> 
> Thank you,
> Deepak.

-- 
Stefano

Re: trouble booting into staging kernel

[Deepak R Varma]

On Mon, Oct 10, 2022 at 12:54:27PM +0200, Stefano Brivio wrote:
> Hi Deepak,
>
> On Sun, 9 Oct 2022 23:21:25 +0530
> Deepak R Varma <drv@mailo.com> wrote:
>
> > Hello,
> > I am natively running 5.15.0-48-generic on my HP Laptop with Secure boot on. I
> > tried to follow the Kernel First patch tutorial steps and managed to build
> > Kernel release 6.0.0rc4.
>
> Somewhat unrelated: in a past Outreachy round, we did a bit of work on
> a tool with the idea of making these steps easier. It's not mentioned
> in the tutorial, as we didn't have time to polish it up completely, but
> maybe you want to give it a try. Basic usage demo and source at:
>
>   https://mbuto.sh

Hello Stefano,
I will definitely explore this tool and attempt to utilize it if I can. Thank
you very much for sharing the details.

>
> I'm not mentoring for this round, so I'm just throwing this around
> without claiming any responsibility. :)

No problem. I am sure the tool will be a new learning.

>
> About the specific issue you're hitting, I don't have any pointer other
> than what Julia already shared.
Okay. I am working on the link shared by Julia and would share the outcome soon.

Thank you all.

./drv

>
> > There were issues during the module building associated
> > with the certificates / signing of the modules. I got those supressed by
> > emptying the following two config parameters as copied over from the native
> > config file:
> >
> > CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
> > CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"
> >
> > set to new value
> >
> > CONFIG_SYSTEM_TRUSTED_KEYS=""
> > CONFIG_SYSTEM_REVOCATION_KEYS=""
> >
> > The build was successful, however, I am unable to boot into my new kernel and
> > have received following errors:
> >
> > error: bad shim signature
> > Loading initial ramdisk
> > error: you need to load the kernel first
> >
> > I tried to seek from net, but did not find any workable resolution. Can you
> > please suggested how can I correct this error or if I missed any steps?
> >
> > Thank you,
> > Deepak.
>
> --
> Stefano
>
>

Re: trouble booting into staging kernel

[Deepak R Varma]

On Mon, Oct 10, 2022 at 01:25:56AM +0530, Deepak R Varma wrote:
> On Sun, Oct 09, 2022 at 09:12:37PM +0200, Julia Lawall wrote:
> >
> >
> > On Mon, 10 Oct 2022, Deepak R Varma wrote:
> >
> > > On Sun, Oct 09, 2022 at 07:56:51PM +0200, Julia Lawall wrote:
> > > >
> > > >
> > > > On Sun, 9 Oct 2022, Deepak R Varma wrote:
> > > >
> > > > > Hello,
> > > > > I am natively running 5.15.0-48-generic on my HP Laptop with Secure boot on. I
> > > > > tried to follow the Kernel First patch tutorial steps and managed to build
> > > > > Kernel release 6.0.0rc4. There were issues during the module building associated
> > > > > with the certificates / signing of the modules. I got those supressed by
> > > > > emptying the following two config parameters as copied over from the native
> > > > > config file:
> > > > >
> > > > > CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
> > > > > CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"
> > > > >
> > > > > set to new value
> > > > >
> > > > > CONFIG_SYSTEM_TRUSTED_KEYS=""
> > > > > CONFIG_SYSTEM_REVOCATION_KEYS=""
> > > > >
> > > > > The build was successful, however, I am unable to boot into my new kernel and
> > > > > have received following errors:
> > > > >
> > > > > error: bad shim signature
> > > > > Loading initial ramdisk
> > > > > error: you need to load the kernel first
> > > > >
> > > > > I tried to seek from net, but did not find any workable resolution. Can you
> > > > > please suggested how can I correct this error or if I missed any steps?
> > > >
> > > > Maybe you have to remove secure boot?  I have the impression that I did
> > > > that on one of my machines, but I don't have that machine in front of me.
> > >
> > > Thank you for the quick response. I did try disabling the secure boot option and
> > > also cleared the certificate DB. Tried a few combinations of these options.
> > > Unfortunately, nothing helped so far.
> >
> > Did you try what is described here?
> >
> > https://unix.stackexchange.com/questions/701612/cant-load-self-signed-kernel-with-secure-boot-on-bad-shim-signature
>
> I am planning to do the following from this link next. I will let you know how
> it goes.

Hi Julia,
I realized that working with the certificates is very complex. I also encountered
additional issues during module building step. It's looking good now. I was able
to get past the module singing issues during the installation steps using this [1]
link. However, I am now unable to load the kernel image since it is not signed.
I am going to attempt to sign the image and also add the certificate to the db.
Hopefully that will be the last step before I can proceed to sharing my first
patch.

[1]: https://github.com/andikleen/simple-pt/issues/8

Thank you,
./drv

>
> Create your own secureboot signing certificate without such an EKU, enroll it into either mok or db, and use it for signing.
>
> Thank you,
> ./drv
>
> >
> > julia
> >
> > >
> > > Let me know if I should share any of the files / logs from my system for your
> > > review.
> > >
> > > >
> > > > Welcome, by the way :)
> > >
> > > Thank you Julia. Pleased to be part of this internship challenge.
> > >
> > > ./drv
> > >
> > > >
> > > > julia
> > >
> > >
> > >
> >
>
>
>

Re: trouble booting into staging kernel

[Julia Lawall]

On Thu, 13 Oct 2022, Deepak R Varma wrote:

> On Mon, Oct 10, 2022 at 01:25:56AM +0530, Deepak R Varma wrote:
> > On Sun, Oct 09, 2022 at 09:12:37PM +0200, Julia Lawall wrote:
> > >
> > >
> > > On Mon, 10 Oct 2022, Deepak R Varma wrote:
> > >
> > > > On Sun, Oct 09, 2022 at 07:56:51PM +0200, Julia Lawall wrote:
> > > > >
> > > > >
> > > > > On Sun, 9 Oct 2022, Deepak R Varma wrote:
> > > > >
> > > > > > Hello,
> > > > > > I am natively running 5.15.0-48-generic on my HP Laptop with Secure boot on. I
> > > > > > tried to follow the Kernel First patch tutorial steps and managed to build
> > > > > > Kernel release 6.0.0rc4. There were issues during the module building associated
> > > > > > with the certificates / signing of the modules. I got those supressed by
> > > > > > emptying the following two config parameters as copied over from the native
> > > > > > config file:
> > > > > >
> > > > > > CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
> > > > > > CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"
> > > > > >
> > > > > > set to new value
> > > > > >
> > > > > > CONFIG_SYSTEM_TRUSTED_KEYS=""
> > > > > > CONFIG_SYSTEM_REVOCATION_KEYS=""
> > > > > >
> > > > > > The build was successful, however, I am unable to boot into my new kernel and
> > > > > > have received following errors:
> > > > > >
> > > > > > error: bad shim signature
> > > > > > Loading initial ramdisk
> > > > > > error: you need to load the kernel first
> > > > > >
> > > > > > I tried to seek from net, but did not find any workable resolution. Can you
> > > > > > please suggested how can I correct this error or if I missed any steps?
> > > > >
> > > > > Maybe you have to remove secure boot?  I have the impression that I did
> > > > > that on one of my machines, but I don't have that machine in front of me.
> > > >
> > > > Thank you for the quick response. I did try disabling the secure boot option and
> > > > also cleared the certificate DB. Tried a few combinations of these options.
> > > > Unfortunately, nothing helped so far.
> > >
> > > Did you try what is described here?
> > >
> > > https://unix.stackexchange.com/questions/701612/cant-load-self-signed-kernel-with-secure-boot-on-bad-shim-signature
> >
> > I am planning to do the following from this link next. I will let you know how
> > it goes.
>
> Hi Julia,
> I realized that working with the certificates is very complex. I also encountered
> additional issues during module building step. It's looking good now. I was able
> to get past the module singing issues during the installation steps using this [1]
> link. However, I am now unable to load the kernel image since it is not signed.
> I am going to attempt to sign the image and also add the certificate to the db.
> Hopefully that will be the last step before I can proceed to sharing my first
> patch.
>
> [1]: https://github.com/andikleen/simple-pt/issues/8

Maybe it would be worth retrying the option of disabling secure boot?

julia

>
> Thank you,
> ./drv
>
> >
> > Create your own secureboot signing certificate without such an EKU, enroll it into either mok or db, and use it for signing.
> >
> > Thank you,
> > ./drv
> >
> > >
> > > julia
> > >
> > > >
> > > > Let me know if I should share any of the files / logs from my system for your
> > > > review.
> > > >
> > > > >
> > > > > Welcome, by the way :)
> > > >
> > > > Thank you Julia. Pleased to be part of this internship challenge.
> > > >
> > > > ./drv
> > > >
> > > > >
> > > > > julia
> > > >
> > > >
> > > >
> > >
> >
> >
> >
>
>
>

Re: trouble booting into staging kernel

[Deepak R Varma]

On Thu, Oct 13, 2022 at 07:21:55AM +0200, Julia Lawall wrote:
>
>
> On Thu, 13 Oct 2022, Deepak R Varma wrote:
>
> > On Mon, Oct 10, 2022 at 01:25:56AM +0530, Deepak R Varma wrote:
> > > On Sun, Oct 09, 2022 at 09:12:37PM +0200, Julia Lawall wrote:
> > > >
> > > >
> > > > On Mon, 10 Oct 2022, Deepak R Varma wrote:
> > > >
> > > > > On Sun, Oct 09, 2022 at 07:56:51PM +0200, Julia Lawall wrote:
> > > > > >
> > > > > >
> > > > > > On Sun, 9 Oct 2022, Deepak R Varma wrote:
> > > > > >
> > > > > > > Hello,
> > > > > > > I am natively running 5.15.0-48-generic on my HP Laptop with Secure boot on. I
> > > > > > > tried to follow the Kernel First patch tutorial steps and managed to build
> > > > > > > Kernel release 6.0.0rc4. There were issues during the module building associated
> > > > > > > with the certificates / signing of the modules. I got those supressed by
> > > > > > > emptying the following two config parameters as copied over from the native
> > > > > > > config file:
> > > > > > >
> > > > > > > CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
> > > > > > > CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"
> > > > > > >
> > > > > > > set to new value
> > > > > > >
> > > > > > > CONFIG_SYSTEM_TRUSTED_KEYS=""
> > > > > > > CONFIG_SYSTEM_REVOCATION_KEYS=""
> > > > > > >
> > > > > > > The build was successful, however, I am unable to boot into my new kernel and
> > > > > > > have received following errors:
> > > > > > >
> > > > > > > error: bad shim signature
> > > > > > > Loading initial ramdisk
> > > > > > > error: you need to load the kernel first
> > > > > > >
> > > > > > > I tried to seek from net, but did not find any workable resolution. Can you
> > > > > > > please suggested how can I correct this error or if I missed any steps?
> > > > > >
> > > > > > Maybe you have to remove secure boot?  I have the impression that I did
> > > > > > that on one of my machines, but I don't have that machine in front of me.
> > > > >
> > > > > Thank you for the quick response. I did try disabling the secure boot option and
> > > > > also cleared the certificate DB. Tried a few combinations of these options.
> > > > > Unfortunately, nothing helped so far.
> > > >
> > > > Did you try what is described here?
> > > >
> > > > https://unix.stackexchange.com/questions/701612/cant-load-self-signed-kernel-with-secure-boot-on-bad-shim-signature
> > >
> > > I am planning to do the following from this link next. I will let you know how
> > > it goes.
> >
> > Hi Julia,
> > I realized that working with the certificates is very complex. I also encountered
> > additional issues during module building step. It's looking good now. I was able
> > to get past the module singing issues during the installation steps using this [1]
> > link. However, I am now unable to load the kernel image since it is not signed.
> > I am going to attempt to sign the image and also add the certificate to the db.
> > Hopefully that will be the last step before I can proceed to sharing my first
> > patch.
> >
> > [1]: https://github.com/andikleen/simple-pt/issues/8
>
> Maybe it would be worth retrying the option of disabling secure boot?

Tried that already. Received following error:
	Loading Linux 6.0.0dvkern ...
	Loading initial ramdisk ...
	error: out of memory.

	Press any key to continue...

Pressing a key takes me back to the grub menu; waiting results in a blacklist
kernel panic with the same error reported by the other applicant a earlier today
	Kernel panic - not syncing: VFS: Unable to mount root fs on
	unknown-block

I am setting up a fresh ubuntu instance with secureboot off and make another
start.

Thank you.
./drv


>
> julia
>
> >
> > Thank you,
> > ./drv
> >
> > >
> > > Create your own secureboot signing certificate without such an EKU, enroll it into either mok or db, and use it for signing.
> > >
> > > Thank you,
> > > ./drv
> > >
> > > >
> > > > julia
> > > >
> > > > >
> > > > > Let me know if I should share any of the files / logs from my system for your
> > > > > review.
> > > > >
> > > > > >
> > > > > > Welcome, by the way :)
> > > > >
> > > > > Thank you Julia. Pleased to be part of this internship challenge.
> > > > >
> > > > > ./drv
> > > > >
> > > > > >
> > > > > > julia
> > > > >
> > > > >
> > > > >
> > > >
> > >
> > >
> > >
> >
> >
> >
>

Re: trouble booting into staging kernel

[Deepak R Varma]

On Thu, Oct 13, 2022 at 02:14:38PM +0530, Deepak R Varma wrote:
> On Thu, Oct 13, 2022 at 07:21:55AM +0200, Julia Lawall wrote:
> >
> >
> > On Thu, 13 Oct 2022, Deepak R Varma wrote:
> >
> > > On Mon, Oct 10, 2022 at 01:25:56AM +0530, Deepak R Varma wrote:
> > > > On Sun, Oct 09, 2022 at 09:12:37PM +0200, Julia Lawall wrote:
> > > > >
> > > > >
> > > > > On Mon, 10 Oct 2022, Deepak R Varma wrote:
> > > > >
> > > > > > On Sun, Oct 09, 2022 at 07:56:51PM +0200, Julia Lawall wrote:
> > > > > > >
> > > > > > >
> > > > > > > On Sun, 9 Oct 2022, Deepak R Varma wrote:
> > > > > > >
> > > > > > > > Hello,
> > > > > > > > I am natively running 5.15.0-48-generic on my HP Laptop with Secure boot on. I
> > > > > > > > tried to follow the Kernel First patch tutorial steps and managed to build
> > > > > > > > Kernel release 6.0.0rc4. There were issues during the module building associated
> > > > > > > > with the certificates / signing of the modules. I got those supressed by
> > > > > > > > emptying the following two config parameters as copied over from the native
> > > > > > > > config file:
> > > > > > > >
> > > > > > > > CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
> > > > > > > > CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"
> > > > > > > >
> > > > > > > > set to new value
> > > > > > > >
> > > > > > > > CONFIG_SYSTEM_TRUSTED_KEYS=""
> > > > > > > > CONFIG_SYSTEM_REVOCATION_KEYS=""
> > > > > > > >
> > > > > > > > The build was successful, however, I am unable to boot into my new kernel and
> > > > > > > > have received following errors:
> > > > > > > >
> > > > > > > > error: bad shim signature
> > > > > > > > Loading initial ramdisk
> > > > > > > > error: you need to load the kernel first
> > > > > > > >
> > > > > > > > I tried to seek from net, but did not find any workable resolution. Can you
> > > > > > > > please suggested how can I correct this error or if I missed any steps?
> > > > > > >
> > > > > > > Maybe you have to remove secure boot?  I have the impression that I did
> > > > > > > that on one of my machines, but I don't have that machine in front of me.
> > > > > >
> > > > > > Thank you for the quick response. I did try disabling the secure boot option and
> > > > > > also cleared the certificate DB. Tried a few combinations of these options.
> > > > > > Unfortunately, nothing helped so far.
> > > > >
> > > > > Did you try what is described here?
> > > > >
> > > > > https://unix.stackexchange.com/questions/701612/cant-load-self-signed-kernel-with-secure-boot-on-bad-shim-signature
> > > >
> > > > I am planning to do the following from this link next. I will let you know how
> > > > it goes.
> > >
> > > Hi Julia,
> > > I realized that working with the certificates is very complex. I also encountered
> > > additional issues during module building step. It's looking good now. I was able
> > > to get past the module singing issues during the installation steps using this [1]
> > > link. However, I am now unable to load the kernel image since it is not signed.
> > > I am going to attempt to sign the image and also add the certificate to the db.
> > > Hopefully that will be the last step before I can proceed to sharing my first
> > > patch.
> > >
> > > [1]: https://github.com/andikleen/simple-pt/issues/8
> >
> > Maybe it would be worth retrying the option of disabling secure boot?
>
> Tried that already. Received following error:
> 	Loading Linux 6.0.0dvkern ...
> 	Loading initial ramdisk ...
> 	error: out of memory.
>
> 	Press any key to continue...
>
> Pressing a key takes me back to the grub menu; waiting results in a blacklist
> kernel panic with the same error reported by the other applicant a earlier today
> 	Kernel panic - not syncing: VFS: Unable to mount root fs on
> 	unknown-block
>
> I am setting up a fresh ubuntu instance with secureboot off and make another
> start.

This has not worked either. I am stuck now with inability to load my new 6.0.0
kernel release. Please suggest how to move forward.

Thank you.
./drv

>
> Thank you.
> ./drv
>
>
> >
> > julia
> >
> > >
> > > Thank you,
> > > ./drv
> > >
> > > >
> > > > Create your own secureboot signing certificate without such an EKU, enroll it into either mok or db, and use it for signing.
> > > >
> > > > Thank you,
> > > > ./drv
> > > >
> > > > >
> > > > > julia
> > > > >
> > > > > >
> > > > > > Let me know if I should share any of the files / logs from my system for your
> > > > > > review.
> > > > > >
> > > > > > >
> > > > > > > Welcome, by the way :)
> > > > > >
> > > > > > Thank you Julia. Pleased to be part of this internship challenge.
> > > > > >
> > > > > > ./drv
> > > > > >
> > > > > > >
> > > > > > > julia
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > >
> > >
> > >
> >
>
>
>

Re: trouble booting into staging kernel

[Fabio M. De Francesco]

On Wednesday, October 12, 2022 10:22:06 PM CEST Deepak R Varma wrote:
> On Mon, Oct 10, 2022 at 01:25:56AM +0530, Deepak R Varma wrote:
> > On Sun, Oct 09, 2022 at 09:12:37PM +0200, Julia Lawall wrote:

[snip]
,
> I realized that working with the certificates is very complex. 

I entirely agree with you :-)

> > Create your own secure boot signing certificate without such an EKU, enroll 
it into either mok or db, and use it for signing.

Time ago the following documents from openSUSE finally helped me to understand 
how secure boot works and how to create and add my keys to boot custom kernels 
and modules:

https://en.opensuse.org/openSUSE:UEFI
https://doc.opensuse.org/documentation/leap/reference/html/book-reference/cha-uefi.html

After some time I realized that I don't need secure boot enabled when I boot 
my kernels and modules on several QEMU/KVM VMs (the guests) for testing 
patches. It's easier, faster, and I avoid the risk to hang or bring down the 
host, or worst, to corrupt the filesystems in the partitions of the "real" 
machine (the host) (these days my tasks are related to converting call sites 
which still uses old memory management API across the whole kernel, especially 
in file systems code).

This way I still have an host always booting with secure boot, and several 
VMs for testing patches for various archs (32 and 64 bits virtual machines).

I'd suggest to not disable secure boot in your host, since it's really useful 
for whoever cares security. Instead you should run custom kernels in VMs and 
just disable secure boot in guests.

Regards,

Fabio

Re: trouble booting into staging kernel

[Deepak R Varma]

On Thu, Oct 13, 2022 at 04:59:38PM +0200, Fabio M. De Francesco wrote:
> On Wednesday, October 12, 2022 10:22:06 PM CEST Deepak R Varma wrote:
> > On Mon, Oct 10, 2022 at 01:25:56AM +0530, Deepak R Varma wrote:
> > > On Sun, Oct 09, 2022 at 09:12:37PM +0200, Julia Lawall wrote:
>
> [snip]
> ,
> > I realized that working with the certificates is very complex.
>
> I entirely agree with you :-)
>
> > > Create your own secure boot signing certificate without such an EKU, enroll
> it into either mok or db, and use it for signing.
>
> Time ago the following documents from openSUSE finally helped me to understand
> how secure boot works and how to create and add my keys to boot custom kernels
> and modules:
>
> https://en.opensuse.org/openSUSE:UEFI
> https://doc.opensuse.org/documentation/leap/reference/html/book-reference/cha-uefi.html

Hello Fabio,
Thank you for the guidance and sharing the openSUSE doc links. I will read the
information available here. However, your following suggestion of taking the VM
route sounds better considering the internship timelines. I will do this first
and then revisit the openSUSE docs alongside/later.

Thanks much,
./drv
>
> After some time I realized that I don't need secure boot enabled when I boot
> my kernels and modules on several QEMU/KVM VMs (the guests) for testing
> patches. It's easier, faster, and I avoid the risk to hang or bring down the
> host, or worst, to corrupt the filesystems in the partitions of the "real"
> machine (the host) (these days my tasks are related to converting call sites
> which still uses old memory management API across the whole kernel, especially
> in file systems code).
>
> This way I still have an host always booting with secure boot, and several
> VMs for testing patches for various archs (32 and 64 bits virtual machines).
>
> I'd suggest to not disable secure boot in your host, since it's really useful
> for whoever cares security. Instead you should run custom kernels in VMs and
> just disable secure boot in guests.
>
> Regards,
>
> Fabio
>
>
>
>
>

Re: trouble booting into staging kernel

[Deepak R Varma]

On Thu, Oct 13, 2022 at 10:08:49PM +0530, Deepak R Varma wrote:
> On Thu, Oct 13, 2022 at 04:59:38PM +0200, Fabio M. De Francesco wrote:
> > On Wednesday, October 12, 2022 10:22:06 PM CEST Deepak R Varma wrote:
> > > On Mon, Oct 10, 2022 at 01:25:56AM +0530, Deepak R Varma wrote:
> > > > On Sun, Oct 09, 2022 at 09:12:37PM +0200, Julia Lawall wrote:
> >
> > [snip]
> > ,
> > > I realized that working with the certificates is very complex.
> >
> > I entirely agree with you :-)
> >
> > > > Create your own secure boot signing certificate without such an EKU, enroll
> > it into either mok or db, and use it for signing.
> >
> > Time ago the following documents from openSUSE finally helped me to understand
> > how secure boot works and how to create and add my keys to boot custom kernels
> > and modules:
> >
> > https://en.opensuse.org/openSUSE:UEFI
> > https://doc.opensuse.org/documentation/leap/reference/html/book-reference/cha-uefi.html
>
> Hello Fabio,
> Thank you for the guidance and sharing the openSUSE doc links. I will read the
> information available here. However, your following suggestion of taking the VM
> route sounds better considering the internship timelines. I will do this first
> and then revisit the openSUSE docs alongside/later.

Hello Fabio,
I was able to set up VMPlayer accoring to the instructions, build my kernel
release and submit my first patch. Thank you very much for the guidance and
helping me move forward.

I did attempt the openSUSE docs you shared and they were indeed very helpful. I
will attempt to follow the instruction on a separate machine and when I have
some time.

Thanks again.
./drv

>
> Thanks much,
> ./drv
> >
> > After some time I realized that I don't need secure boot enabled when I boot
> > my kernels and modules on several QEMU/KVM VMs (the guests) for testing
> > patches. It's easier, faster, and I avoid the risk to hang or bring down the
> > host, or worst, to corrupt the filesystems in the partitions of the "real"
> > machine (the host) (these days my tasks are related to converting call sites
> > which still uses old memory management API across the whole kernel, especially
> > in file systems code).
> >
> > This way I still have an host always booting with secure boot, and several
> > VMs for testing patches for various archs (32 and 64 bits virtual machines).
> >
> > I'd suggest to not disable secure boot in your host, since it's really useful
> > for whoever cares security. Instead you should run custom kernels in VMs and
> > just disable secure boot in guests.
> >
> > Regards,
> >
> > Fabio
> >
> >
> >
> >
> >
>
>
>