
I have Ubuntu 22.04, originally with kernel 6.5.0-14-generic.

I followed this guide:

https://phoenixnap.com/kb/build-linux-kernel

to compile and install the latest kernel sources. However, now when I boot up I get this menu:

Ubuntu
Advanced Options for Ubuntu
UEFI Firmware settings

If I choose Ubuntu it says:

error: bad shim signature
error: you need to load the kernel first

Press any key to continue

If I choose Advanced Options for Ubuntu I get:

Ubuntu, with Linux 6.8.0-rc1+
Ubuntu, with Linux 6.8.0-rc1+ (recovery mode)
Ubuntu, with Linux 6.5.0-14-generic
Ubuntu, with Linux 6.5.0-14-generic (recovery mode)

If I choose 'Ubuntu, with Linux 6.8.0-rc1+' I get:

Loading Ubuntu, with Linux 6.8.0-rc1+...
error: bad shim signature
Loading initial ramdisk
error: you need to load the kernel first

If I choose 'Ubuntu, with Linux 6.5.0-14-generic' it works.

When I run find /boot/vmli* I get:

/boot/vmlinuz
/boot/vmlinuz-6.5.14-generic
/boot/vmlinuz-6.8.0-rc1+
/boot/vmlinuz.old

Where did I go wrong? I just want to understand why this hasn't worked as planned. It feels corrupted.

I'd like to understand how to install different kernels and be able to boot from them seamlessly.

1 Answer

Some background:

For secure boot, the BIOS has a set of embedded certificates that are used to check every item in the boot process. In case an item isn't signed by a certificate, it's not loaded, and the boot process stalls at that point.

The root certificate for all secure boot security, as of now, is Microsoft's Microsoft UEFI CA 2011 (to expire in 2026, and then be replaced by Microsoft UEFI CA 2023), which is present in all BIOSes which have secure boot enabled on purchase.

For secure boot, Linux has a first stage boot loader called shim. The code for shim is shared across all the flavors of Linux, but each Linux distribution creates a shim binary with their own signing key's certificate embedded into it, and gets this signed by Microsoft (with Microsoft UEFI CA 2011), which allows the signed instances of shim to be booted via the secure boot process.

The shim binary for Ubuntu (i.e. shim with Ubuntu's certificate embedded in it) loads the Ubuntu-signed Grub, which in turn loads the signed Ubuntu kernel.

Background ends here.

Your kernel isn't signed by Ubuntu. So it will not be recognized as secure, and thus not loaded. The initial ramdisk isn't required to be signed, and will be loaded, which leads to the above error.

To get around this restriction, Linux has a concept of the Machine Owner Key (or the MOK). You need to create a MOK and register it with the shim binary, after which your self-built and MOK-signed kernel will boot just fine.

The Ubuntu secure boot documentation has a section titled "How can I do non-automated signing of drivers?" for creating and registering the MOK. Kernel signing using the MOK is documented at https://wiki.ubuntu.com/UEFI/SecureBoot/Signing

Samveen
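The MOK creation, enrollment and kernel-signing steps the answer points to, as an added shell example (not code from the answer or from the Ubuntu wiki). The certificate subject fields, the ~/mok directory and the .signed output name are assumptions; the kernel version (here 6.8.0-rc1+) is passed as the script's argument, and only the key generation runs without mokutil and sbsigntool installed.

```shell
#!/bin/sh
# Added example: create a Machine Owner Key, queue it for enrollment in shim,
# and sign a self-built kernel with it. Needs: openssl, mokutil, sbsigntool.
set -eu

# Write MOK.priv (private key), MOK.der (cert for mokutil) and MOK.pem (cert
# for sbsign) into directory $1. Subject fields are placeholders to adapt.
mok_generate() {
    dir=$1
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
string_mask = utf8only
x509_extensions = myexts
[ req_distinguished_name ]
O = Example Org
CN = Example Org kernel signing MOK
emailAddress = admin@example.org
[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
    # Self-signed, signing-only cert (CA:FALSE, digitalSignature), DER for mokutil.
    openssl req -config "$dir/openssl.cnf" -new -x509 -newkey rsa:2048 -nodes \
        -days 36500 -outform DER -keyout "$dir/MOK.priv" -out "$dir/MOK.der"
    # PEM copy of the same certificate for sbsign/sbverify.
    openssl x509 -inform DER -in "$dir/MOK.der" -out "$dir/MOK.pem"
    chmod 600 "$dir/MOK.priv"   # the private key is what signs future kernels
}

# Queue the cert for enrollment. mokutil asks for a one-time password that
# MokManager re-asks on the next reboot before adding the key to shim's MOK list.
mok_enroll() { sudo mokutil --import "$1/MOK.der"; }

# Sign the kernel image for version $2 with the MOK in $1 and verify it locally.
kernel_sign() {
    sudo sbsign --key "$1/MOK.priv" --cert "$1/MOK.pem" \
        --output "/boot/vmlinuz-$2.signed" "/boot/vmlinuz-$2"
    sbverify --cert "$1/MOK.pem" "/boot/vmlinuz-$2.signed"
}

if [ $# -eq 1 ]; then                 # usage: ./mok-sign.sh 6.8.0-rc1+
    dir=${MOK_DIR:-$HOME/mok}; mkdir -p "$dir"
    [ -f "$dir/MOK.priv" ] || mok_generate "$dir"
    mok_enroll "$dir"                 # reboot once and confirm in MokManager
    kernel_sign "$dir" "$1"           # then run: sudo update-grub
fi
```

After the reboot, `mokutil --list-enrolled` should show the certificate, and the "Ubuntu, with Linux 6.8.0-rc1+.signed" entry that update-grub adds is the one that passes shim's check.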