Re: "Invalid signature" issue on dev kernel launch

From: Gidi Gal <gidi.gal.linux@gmail.com>
To: Aruna Hewapathirane <aruna.hewapathirane@gmail.com>,
	valdis.kletnieks@vt.edu, kernelnewbies@kernelnewbies.org
Subject: Re: "Invalid signature" issue on dev kernel launch
Date: Wed, 24 Mar 2021 15:12:11 +0200	[thread overview]
Message-ID: <CAB+0Vomjo9LHvdQY9gfK0uQ5F8=KUp9vWqMczzQ4x52a_-YHJg@mail.gmail.com> (raw)
In-Reply-To: <CAFSeFg_hPVRfOAtb7mRqCufEbR8COeJBW1hryTWad5geKtM3eQ@mail.gmail.com>

[-- Attachment #1.1: Type: text/plain, Size: 4419 bytes --]

>
> From your build.log I see you compiled that kernel 6 times:
>

Yep,  tried all sorts of things that did not work with the signature issue.
I assume there's much shorter process for re-signing built kernel without
going through
a complete build again ?  If you have time, I will be grateful for some
pointers on the subject.

> I am curious are you using linux mint or Debian ?

I am using Linux Mint. As a beginner, I took web advice to install Linux
Mint.

> knowledge on this subject), I am now facing "invalid signature" error when
> > I reboot with my installed dev kernel.
>
> When/where exactly are you getting that error? There's three major
> places where things can go wrong:
>
> 1) If you're using secure boot, and the grub2 stuff isn't signed by
> a certificate your BIOS/EFI knows about.
>
> 2) If you're using secure boot, and the kernel itself isn't signed by
> a certificate that grub2 knows about.
>
> 3) If your kernel config says modules have to be signed, and a module
> isn't properly signed with a certificate that your kernel knows about.
>
>
The message is displayed at boot time. Since I am forced to replace kernel,
I cannot see this error message in 'dmesg | less', probably because it
refers to the last boot ? So I don't know how to gather more info about the
exact entity that launched this error.

Is there any tool that can test signed kernel to confirm the signature is
valid, and if not, to provide clearer information on what is wrong with the
signature ?

For now I will work with disabled secure boot, as Aruna proposed. I'll be
happy to find a way to fix this issue, though.

Thanks,
Gidi

On Wed, Mar 24, 2021 at 4:36 AM Aruna Hewapathirane <
aruna.hewapathirane@gmail.com> wrote:

>
>
> On Tue, Mar 23, 2021 at 12:37 PM Gidi Gal <gidi.gal.linux@gmail.com>
> wrote:
>
>> Greetings,
>>
>> After receiving a lot of information regarding my query on how to switch
>> from installed to dev kernel (thank you to all the people that shared their
>> knowledge on this subject), I am now facing "invalid signature" error when
>> I reboot with my installed dev kernel. I shared the logs for the build,
>> install and also .config and x509.genkey in the following link
>> <https://drive.google.com/drive/folders/1mVUzrF_5MM4H1x0bLacprvkrXaKtFm6V?usp=sharing>
>> .
>> Please let me know what additional information can help to solve this
>> issue.
>>
>> I am following the instructions in https://kernelnewbies.org/FirstKernelPatch
>>
>> and I am at the step where I am supposed to verify that a printout was
>> added to the log after I reboot my dev kernel.
>>
>> Thanks,
>> Gidi
>>
>
> Gidi,
>
> From your build.log I see you compiled that kernel 6 times:
> Kernel: arch/x86/boot/bzImage is ready  (#6)
>
> And the install log tells me:
> Sourcing file `/etc/default/grub'
> Sourcing file `/etc/default/grub.d/50_linuxmint.cfg'
> Sourcing file `/etc/default/grub.d/init-select.cfg'
>
> I am curious are you using linux mint or Debian ?
>
> I also see:
> CC      drivers/cpufreq/cpufreq_ondemand.o
> drivers/cpufreq/cpufreq_ondemand.c: In function ‘od_set_powersave_bias’:
> drivers/cpufreq/cpufreq_ondemand.c:446:1: warning: the frame size of 1032
> bytes is larger than 1024 bytes [-Wframe-larger-than=]
>   446 | }
>       | ^
> This is what causes the compile time errors with possible missing firmware
> :-)
>
> and all the kernels you have you can boot into by selecting 'Advanced
> options' in the grub menu then
> choosing the kernel you wish to use.
>
> Sourcing file `/etc/default/grub'
> Sourcing file `/etc/default/grub.d/50_linuxmint.cfg'
> Sourcing file `/etc/default/grub.d/init-select.cfg'
> Generating grub configuration file ...
> Found linux image: /boot/vmlinuz-5.12.0-rc3-GIDI-DEV+
> Found initrd image: /boot/initrd.img-5.12.0-rc3-GIDI-DEV+
> Found linux image: /boot/vmlinuz-5.12.0-rc3-GIDI-DEV+.old
> Found initrd image: /boot/initrd.img-5.12.0-rc3-GIDI-DEV+
> Found linux image: /boot/vmlinuz-5.4.0-64-generic
> Found initrd image: /boot/initrd.img-5.4.0-64-generic
> Found linux image: /boot/vmlinuz-5.4.0-58-generic
> Found initrd image: /boot/initrd.img-5.4.0-58-generic
> Adding boot menu entry for UEFI Firmware Settings
>
> Disabling secure boot should make your invalid signature error go away.
>
> Hope this helps - Aruna
>
>

[-- Attachment #1.2: Type: text/html, Size: 6176 bytes --]

[-- Attachment #2: Type: text/plain, Size: 170 bytes --]

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies