How to install Xanmod (or other custom kernels) whilst keeping Secure Boot enabled

Write tutorials for Linux Mint here
More tutorials on https://github.com/orgs/linuxmint/discu ... /tutorials and (archive) on https://community.linuxmint.com/tutorial
Forum rules
Don't add support questions to tutorials; start your own topic in the appropriate sub-forum instead. Before you post read forum rules
Post Reply
Crigence
Level 1
Level 1
Posts: 5
Joined: Tue Mar 19, 2024 11:55 pm

How to install Xanmod (or other custom kernels) whilst keeping Secure Boot enabled

Post by Crigence »

Before I can say anything, I have to preface with some things:
  1. I am a Linux newbie. I switched from Windows 10 to Linux Mint about a month ago, and I haven't looked back since. On the plus side, this means I know better how to explain something to fellow new users, but this also means I may not be the best person to be giving a guide, however:
  2. This isn't intended to be as much of a 'guide' as it is to be a detailed breakdown of how I got Xanmod working with Linux Mint Cinnamon Edition 21.3 on my computer, and as such some steps will likely vary wildly for you. Chances are though that if you are trying to install a custom kernel, you probably also consider yourself to be adept with a computer, so I'm gonna hope that won't be an issue.
  3. Even during my research, I saw many users advise against the installation of custom kernels *and* for the disabling of secure boot, as the default Linux kernel is the one Mint was specifically designed to use, and secure boot's implementation varies from manufacturer-to-manufacturer, and as such it can cause issues on a case-by-case basis. I personally don't care and am willing to deal with such issues as they come in the interest of possibly better performance, and I'm assuming that you think the same.
  4. To elaborate on manufacturers and intuiting: My motherboard is an ASRock A320M. If you have the same motherboard, great. If it's not the same model but it's from ASRock, the same instructions will more-than-likely apply. If it's neither, than I can't personally help you and you'll have to just translate the instructions yourself, assuming you're following this as a guide
  5. This post includes a lot of jokes. I didn't go in intending for it to be humorous, it just flowed naturally. I'm keeping it in because my time installing figuring this out was miserable, and I'm assuming yours was/is too, so why not lighten the mood?
  6. Oh, and as is the trend with me: I'm not completely sure if this is the correct category to be posting this, but nobody's corrected me yet, so if I'm correct again this makes me 3/3.

To provide some *very* brief background: Xanmod is:
-a general-purpose Linux kernel distribution with custom settings and new features. Built to provide a stable, smooth and solid system experience.
From what I've seen. it's primarily used by Linux gamers and other people who are trying to squeeze as much performance out of their computers as possible. In my experience as an NVIDIA GPU user, even in the brief time I've been actually using it, I have actually noticed a sharp increase in the speed of my computer. Things simply load faster, and things do feel smoother, so there's definite advantages to using it. As for secure boot, it is (by my understanding) a security feature that protects your computer by checking the 'cryptographic signatures' of software with its own built-in and approved database. This prevents bad things such as rootkits (that's good), but also makes installing good things like custom Linux kernels a pain in the neck (that's bad), since those are probably not included in that database. If you need a background on Linux Mint, I'd recommend clicking off this thread and taking your pills.

If you're following this as a guide, here's what I'm assuming you have:
  1. A computer
  2. Electricity
  3. An internet connection (unless somebody inscribed my words onto a bathroom stall or something)
  4. A UEFI
  5. 2 50 lb. titanium balls
Assuming you have everything above, you're ready to begin the tedious processing of installing Xanmod and getting it to work with secure boot.
  1. This is more of a PSA than anything, but before doing anything, if you have ultra-fast boot in your UEFI options and it is enabled: Turn that off now. At least in my experience, ultra-fast boot doesn't bother loading any of your devices at startup except the devices that came with the computer, so if anything goes wrong at startup, and you lost those devices, you'll be stuck staring at the GNU Grub interface for eternity… or until you do something like resetting your UEFI settings. Either way, just avoid that same headache that I encountered and turn it off.
  2. Check your UEFI to ensure it has similar settings. This can usually be done by holding an 'F#' key as the computer's booting or something similar. If it has secure boot, look for an option that says something similar to "Enroll Efi Image." In my case, it was under a sub-menu called "key management." To keep it short, this option allows you to add additional, signed signatures to that database that I mentioned, which is necessary to prevent secure boot from strangling Xanmod to death, and thus prevent your computer from booting. If you check thoroughly and can't find both of these options, then these instructions probably won't apply to you, and you'll have to either find another guide, or disable secure boot if that option is present. Sorry.
  3. Now, first things first, we need to get our copy of Xanmod. You can do this via the instructions under the "APT Repository" section on https://xanmod.org/. I hope you're not allergic to the terminal. Technically, you could also use the "Synpatic Package Manager," but I'm not gonna print instructions that could become out-of-date just for that.
  4. After it's installed, go to the /boot folder. You should now see a file called "vmlinuz-[version crap]-xanmod." This means that the kernel was downloaded, built, and installed successfully. **Do not restart your computer yet.**
  5. Next, you need to open the 'EFI' folder in a new tab by either middle clicking it or using the context menu. The folder's probably going to be locked behind root, and thus will ask you for your password, which you'll have to enter. While we're here, verify that the folders "BOOT" and "ubuntu" are present. Once you can see them, this puts you in an ideal position for the next step.
  6. Return to the non-root tab (which should still be looking at the /boot folder), and copy the file named "vmlinuz-[version crap]-xanmod" to your clipboard by either hitting Ctrl+C or using the context menu. Then, return to the root tab, and paste the file into the "ubuntu" folder.
  7. With that tab still open, open the "ubuntu" folder that we just pasted into, find the newly pasted file and add a ".efi" to the end of its name [I don't know why it wasn't there to begin with]. This step may not be necessary, but it ensures that the computer will recognize it was a .efi file.
  8. Finally, we can restart the computer, and re-open the UEFI. Go back to the "Enroll Efi Image" option that was mentioned earlier, and click it. It should open some sort of menu containing that EFI folder that we pasted into earlier. After that, simply find the xanmod efi file in the ubuntu folder, and click it to integrate it. If you need to confirm it, just click 'yes.' That should add it to your UEFI's list of 'signatures,' thus allowing the xanmod kernel to load.
  9. Restart the computer, and verify that Xanmod loaded successfully. If not, then feel free to try step 7 on the other .efi files present in that folder. Though in my experience, even though all of them may not be enrolled, they're not necessary, but if you're still having issues that's the first thing I'd try. If none of this works, then sadly your only options are to either pioneer your own solution or to admit defeat and disable secure boot.
If you successfully loaded into your new Xanmod kernel, then congratulations. What took you potentially less than 10 minutes took me over *3 hours* of digging through convoluted and unhelpful internet resources and "just disable secure boot bro's" to figure out. You're welcome for the help. Or at least, I hope it did, 'cause otherwise I just spent an extra hour typing this for no reason.
Last edited by Crigence on Tue Apr 23, 2024 12:42 am, edited 2 times in total.
User avatar
SMG
Level 25
Level 25
Posts: 32397
Joined: Sun Jul 26, 2020 6:15 pm
Location: USA

Re: How to install Xanmod (or other custom kernels) whilst keeping Secure Boot enabled

Post by SMG »

Crigence wrote: Thu Apr 11, 2024 4:23 amEven during my research, I saw many users advise against the installation of custom kernels ...I personally don't care and am willing to deal with such issues as they come in the interest of possibly better performance, and I'm assuming that you think the same.
This should be at the top and emphasized.

Custom kernels are not signed. That is why they do not work with Secure Boot enabled. You will need to sign every custom kernel you install. If they are not signed, they are not trusted and will not load at boot time.

Kernels which are available in the Linux Mint repositories are already signed which is one advantage to using the kernels that are intended to be used with Linux Mint.
Crigence wrote: Thu Apr 11, 2024 4:23 amTo provide some *very* brief background: Xanmod is:
-a general-purpose Linux kernel distribution with custom settings and new features. Built to provide a stable, smooth and solid system experience.
It adds kernel parameters in addition to having changes within the kernel itself which may or may not work with one's hardware.

I don't see where you mentioned what version of Linux Mint you are using.

Maybe this is something specific to an MSI motherboard that lets you do this because this does not sound like what one normally does to sign a file so it loads at boot time.
Image
A woman typing on a laptop with LM20.3 Cinnamon.
Crigence
Level 1
Level 1
Posts: 5
Joined: Tue Mar 19, 2024 11:55 pm

Re: How to install Xanmod (or other custom kernels) whilst keeping Secure Boot enabled

Post by Crigence »

SMG wrote: Sat Apr 13, 2024 8:27 pm This should be at the top and emphasized.
It already is at the top, people should be reading it before they even get to the instructions. Maybe I should underline it just to be safe, though
SMG wrote: Sat Apr 13, 2024 8:27 pm I don't see where you mentioned what version of Linux Mint you are using.
At the time, I considered that to be an irrelevant detail, since I thought of this as being a much more hardware-specific issue than a Linux Mint specific one; LM is just the OS I happened to be trying to get this to work on. But I'll at least specify here that I'm using the most up-to-date Linux Mint Cinnamon edition at the time, which is Linux Mint 21.3.
SMG wrote: Sat Apr 13, 2024 8:27 pm Maybe this is something specific to an MSI motherboard that lets you do this because this does not sound like what one normally does to sign a file so it loads at boot time.
Yeah, I noticed that, hence why I tried to make it as clear as possible that this worked for me on my hardware and probably won't work for everyone else.
User avatar
SMG
Level 25
Level 25
Posts: 32397
Joined: Sun Jul 26, 2020 6:15 pm
Location: USA

Re: How to install Xanmod (or other custom kernels) whilst keeping Secure Boot enabled

Post by SMG »

Crigence wrote: Tue Apr 23, 2024 12:38 am
SMG wrote: Sat Apr 13, 2024 8:27 pm This should be at the top and emphasized.
It already is at the top, people should be reading it before they even get to the instructions. Maybe I should underline it just to be safe, though
I was seeing it was item #3 of that section was the basis for my comment not realizing you were meaning for all those numbered items in the first set to be read before doing anything. (A lot of people just dive in without reading everything first. :| ) However, I think the underline does a good job of emphasizing it so it looks good now.
Image
A woman typing on a laptop with LM20.3 Cinnamon.
Post Reply

Return to “Tutorials”