Kernel Signature

asway
Level 1
Posts: 4
Joined: Sun Jun 07, 2020 12:55 pm

Kernel Signature

Post by asway »

Hello,
I have a computer with Windows 10.
I turned Secure Boot off in the BIOS (UEFI) settings, installed LMDE 4, and then installed LM 19. Later I updated to LM 20.
I accidentally turned Secure Boot back on.
On the grub menu I can boot into windows 10 and LM 20 with no problem.
I could not boot into LMDE 4. It gave me a message stating that
" error: /boot/vmlinuz-4.19.0-9-amd64 has invalid signature.
error: you need to load the kernel first."
I know that the problem is Secure Boot preventing the LMDE4 kernel from loading. I went back to the BIOS settings and turned Secure Boot off.
After that I can boot into LMDE 4.
It appears that LM 20 kernel has a valid signature for the secure boot.

My question is: is there any way to make the LMDE4 kernel loadable under Secure Boot, like the LM 20 kernel?
Last edited by MrEen on Thu Aug 13, 2020 6:37 pm, edited 1 time in total.
Reason: Topic moved to LMDE section as it's about the LMDE kernel
Andrew Sway
antikythera
Level 9
Posts: 2746
Joined: Thu Jul 02, 2020 12:52 pm

Re: Kernel Signature

Post by antikythera »

Well, given secureboot is about as effective as a chocolate fireguard, you may as well disable it again.

https://www.debian.org/security/2020-GR ... ecureBoot/

You can add a MOK for Debian kernels but it's really not worth the hassle.

https://wiki.debian.org/SecureBoot
Don't take life so seriously, nobody gets out alive anyway!
AMSTRAD CPC6128 - 128KB RAM, 3" Hitachi Floppy Diskette Drive, External Sony Cassette Recorder, Locomotive BASIC 1.1, CTM-644 Monitor
jwiz
Level 3
Posts: 151
Joined: Tue Dec 20, 2016 6:59 am

Re: Kernel Signature

Post by jwiz »

Sorry, but this is utterly the wrong approach.
Secure Boot is here to stay and Debian users better learn how to deal with it, even if they are under the impression that it is a Microsoft stranglehold.
antikythera
Level 9
Posts: 2746
Joined: Thu Jul 02, 2020 12:52 pm

Re: Kernel Signature

Post by antikythera »

I know HOW to use it, I just choose not to even with Windows. My choice is an informed one, I know the benefits and risks of either option. I also provided a link to the instructions so it's up to the original poster what they want to do.

I am not overly concerned about my machines being compromised by secureboot being turned off any more than I was with SPECTRE or Meltdown. I have a common sense approach and keep my machines up to date and have a very robust hardware firewall appliance that is also regularly updated and do not visit dodgy sites on the internet, download torrents other than distribution ISO or to share LibreOffice or use the dark web. I never open email attachments I am not expecting. I have automatic downloads turned off in my browsers and prompt for where to save files.

The chances of such an attack on my machines are virtually zero.

Additionally, it is not just Debian users who may not be using secureboot, either through user choice or simply because their distribution does not support it properly out of the box. A number of Linux distributions do not have a shim and certificate because they didn't pay Microsoft and do not piggyback off Canonical's like Mint does. RHEL, Fedora and OpenSUSE do, but not many others. Arch and derived distributions do not, so you again need to create and rely on a MOK.

GRUB2 has already been patched for the current BootHole threat but it won't be long until another version or similar threat surfaces. Do not rely on secureboot.
jwiz
Level 3
Posts: 151
Joined: Tue Dec 20, 2016 6:59 am

Re: Kernel Signature

Post by jwiz »

antikythera wrote:
Fri Aug 14, 2020 4:15 am
... Do not rely on secureboot.
I'm sure you know what you are doing and have the expertise to say so, but I cannot condone that, at least until modified to 'Do not *solely* rely on secureboot'.
I am aware that SB has been found to have potholes and has had a shoddy implementation from the start, but that can and has been improved.
Nevertheless, the Debian viewpoint of UEFI (SB) is that it is a valid security measure against malware at boot time (cf. Debian Secure Boot Wiki).
Even if you and I don't like Microsoft as the certifying authority, someone has to do it still.
You simply shouldn't paint a picture that shows otherwise and dissuade users from utilizing SB without a very specific technical reason for a given environment to do so.
antikythera
Level 9
Posts: 2746
Joined: Thu Jul 02, 2020 12:52 pm

Re: Kernel Signature

Post by antikythera »

I do not take back my comment and nor will I change it on your say so. It is not for forum members to police what is posted here by others, so please report posts to moderators if you believe there is a problem rather than trying to act like one.

Anyhow, since you went there, my comment was not irresponsible given what was posted by the OP in the first place: they enabled secureboot by accident.

So they cannot therefore be that bothered about using it either which is why I said they may as well disable it again. It's clearly their own machine and not a work one or they should not have the power to add or remove operating systems or disable secureboot in the first place.

I gave them the information to make an informed choice along with enabling it for Debian if desired and am well aware of what the Debian wiki says, which they can read for themselves from the link I posted.

It does not change the fact secureboot is full of holes, which you admit yourself. So its validity as a security measure is questionable at best these days. If secureboot is revised in the future then my position and thoughts may change. To be as effective as possible it needs to be used in conjunction with an integrated TPM 2.0 compliant device or above anyway.
Pjotr
Level 22
Posts: 15922
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: Kernel Signature

Post by Pjotr »

antikythera wrote:
Fri Aug 14, 2020 4:15 am
I know HOW to use it, I just choose not to even with Windows. My choice is an informed one, I know the benefits and risks of either option.
My opinion as well. I always disable Secure Boot as a matter of course. Its predominant intended function is probably to hamper the installation of Linux, thus protecting the market share of Windows.
Tip: 10 things to do after installing Linux Mint 20 Ulyana
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
antikythera
Level 9
Posts: 2746
Joined: Thu Jul 02, 2020 12:52 pm

Re: Kernel Signature

Post by antikythera »

Kind of related, signatures for files and drivers have been vulnerable to spoofing for the last 2 years and the threat has been leveraged. You really couldn't make this kind of incompetence up :shock:

https://news.softpedia.com/news/microso ... 0826.shtml