kernel unsigned

kernel unsigned

Gerard ROBIN-3
Hello,
In my BULLSEYE box, when I make "apt upgrade" if a new kernel is installed
it is a signed kernel that is installed, but on my machine it is an unsigned
kernel that I chose to install. How can you force "apt" to install the
unsigned kernel?
For example:
the kernel linux-image-5.2.0-2-amd64-unsigned is the kernel used.
"apt upgrade" installs the kernel linux-image-5.2.0-3-amd64 (signed)

TIA

PS
sorry but I'm not subscribed to the list for now.

--
Gerard
____________________________
******************************
*  Created with "mutt 1.10.1"
*  under Debian Linux BULLSEYE
******************************

Re: kernel unsigned

Sven Joachim
On 2019-10-03 12:05 +0200, Gerard ROBIN wrote:

> Hello,
> In my BULLSEYE box, when I make "apt upgrade" if a new kernel is installed
> it is a signed kernel that is installed, but on my machine it is an unsigned
> kernel that I chose to install.

Why did you do that in the first place?

> How can you force "apt" to install the unsigned kernel?
> For example:
> the kernel linux-image-5.2.0-2-amd64-unsigned is the kernel used.
> "apt upgrade" installs the kernel linux-image-5.2.0-3-amd64 (signed)

You could install linux-image-5.2.0-3-amd64-unsigned manually, but then
you lose the linux-image-amd64 metapackage and will miss automatic
upgrades to newer kernels which is probably not what you want.

What exactly bugs you about the signed kernel?  The kernel is so big
that the extra signatures hardly make a difference.

Cheers,
       Sven

Re: kernel unsigned

Gerard ROBIN-3
On Thu, Oct 03, 2019 at 02:51:29PM +0200, Sven Joachim wrote:

> On 2019-10-03 12:05 +0200, Gerard ROBIN wrote:
>
> > Hello,
> > In my BULLSEYE box, when I make "apt upgrade" if a new kernel is installed
> > it is a signed kernel that is installed, but on my machine it is an unsigned
> > kernel that I chose to install.
>
> Why did you do that in the first place?

Because I bought my machine without OS and there is only linux on my machine.

> > How can you force "apt" to install the unsigned kernel?
> > For example:
> > the kernel linux-image-5.2.0-2-amd64-unsigned is the kernel used.
> > "apt upgrade" installs the kernel linux-image-5.2.0-3-amd64 (signed)
>
> You could install linux-image-5.2.0-3-amd64-unsigned manually, but then
> you lose the linux-image-amd64 metapackage and will miss automatic
> upgrades to newer kernels which is probably not what you want.

I did not know that.

> What exactly bugs you about the signed kernel?  The kernel is so big
> that the extra signatures hardly make a difference.

I read somewhere that the signed kernel was for the "secure boot" of
Microsoft and I have nothing of Microsoft on my machine, so that's why
I installed the unsigned kernel.

Thank you for your clarification.

--
Gerard
____________________________
******************************
*  Created with "mutt 1.10.1"
*  under Debian Linux BULLSEYE
******************************

Re: kernel unsigned

deloptes-2
Gerard ROBIN wrote:

>> What exactly bugs you about the signed kernel?  The kernel is so big
>> that the extra signatures hardly make a difference.
> I read somewhere that the signed kernel was for the "secure boot" of
> Microsoft and I have nothing of Microsoft on my machine, so that's why
> I installed the unsigned kernel.

Does someone know if signed is needed for UEFI to work properly in some
configurations?


Re: kernel unsigned

Étienne Mollier
deloptes, on 2019-10-03:

> Gerard ROBIN wrote:
>
> >> What exactly bugs you about the signed kernel?  The kernel is so big
> >> that the extra signatures hardly make a difference.
> > I read somewhere that the signed kernel was for the "secure boot" of
> > Microsoft and I have nothing of Microsoft on my machine, so that's why
> > I installed the unsigned kernel.
>
> does someone know if signed is needed for UEFI to work properly in some
> configurations?

Good day deloptes,

I don't know if someone else hit some other corner case, but
signed kernels, bootloaders, drivers, and the like are only
required if one wishes to, or has to, boot with UEFI Secure Boot
enabled.  That's the only configuration I can think of where it
would be needed.

Kind Regards,  :)
--
Étienne Mollier <[hidden email]>
Fingerprint:  5ab1 4edf 63bb ccff 8b54  2fa9 59da 56fe fff3 882d

Re: kernel unsigned

Steve McIntyre
[hidden email] wrote:

>deloptes, on 2019-10-03:
>> Gerard ROBIN wrote:
>>
>> >> What exactly bugs you about the signed kernel?  The kernel is so big
>> >> that the extra signatures hardly make a difference.
>> > I read somewhere that the signed kernel was for the "secure boot" of
>> > Microsoft and I have nothing of Microsoft on my machine, so that's why
>> > I installed the unsigned kernel.
>>
>> does someone know if signed is needed for UEFI to work properly in some
>> configurations?
>
>Good day deloptes,
>
>I don't know if someone else hit some other corner case, but
>signed kernels, bootloaders, drivers, and the like are only
>required if one wishes to, or has to, boot with UEFI Secure Boot
>enabled.  That's the only configuration I can think of where it
>would be needed.

It's only *needed* if you're doing SB, but even if you have SB
disabled there is basically no downside to having the signed packages
installed. Things will work just fine, just taking a *tiny* bit more
disk space. Hence we've defaulted to doing things that way - everybody
will get a consistent set of packages that way.

--
Steve McIntyre, Cambridge, UK.                                [hidden email]
  Armed with "Valor": "Centurion" represents quality of Discipline,
  Honor, Integrity and Loyalty. Now you don't have to be a Caesar to
  concord the digital world while feeling safe and proud.

Re: kernel unsigned

Étienne Mollier
On 05/10/2019 02.00, Steve McIntyre wrote:

> [hidden email] wrote:
>> deloptes, on 2019-10-03:
>>> Gerard ROBIN wrote:
>>>
>>>>> What exactly bugs you about the signed kernel?  The kernel is so big
>>>>> that the extra signatures hardly make a difference.
>>>> I read somewhere that the signed kernel was for the "secure boot" of
>>>> Microsoft and I have nothing of Microsoft on my machine, so that's why
>>>> I installed the unsigned kernel.
>>>
>>> does someone know if signed is needed for UEFI to work properly in some
>>> configurations?
>>
>> Good day deloptes,
>>
>> I don't know if someone else hit some other corner case, but
>> signed kernels, bootloaders, drivers, and the like are only
>> required if one wishes to, or has to, boot with UEFI Secure Boot
>> enabled.  That's the only configuration I can think of where it
>> would be needed.
>
> It's only *needed* if you're doing SB, but even if you have SB
> disabled there is basically no downside to having the signed packages
> installed. Things will work just fine, just taking a *tiny* bit more
> disk space. Hence we've defaulted to doing things that way - everybody
> will get a consistent set of packages that way.
>

Good Day Steve,

Don't get me wrong, I merely answered the question from deloptes
in somewhat dry mathematical terms.  Maybe it would have been
welcome that I add that, even if the signature is present, it
does no harm outside SB context.  Debian's unsigned components
work almost everywhere except in SB context, while Debian's
signed elements do work almost everywhere, /including/ in SB
context.  So the second case makes absolute sense as being the
default in Debian.

SB support is a new, most welcome, capability that landed in
Debian Buster, and I'm thankful that it made it there.  There may
still be a few rough edges for the newcomer, like Linux kernel's
lockdown mode, when it comes to loading proprietary drivers
indeed, but as far as I could see, it just works®.

Thank You!  :)
--
Étienne Mollier <[hidden email]>
Fingerprint:  5ab1 4edf 63bb ccff 8b54  2fa9 59da 56fe fff3 882d

Re: kernel unsigned

deloptes-2
In reply to this post by Étienne Mollier
Étienne Mollier wrote:

> I don't know if someone else hit some other corner case, but
> signed kernels, bootloaders, drivers, and the like are only
> required if one wishes to, or has to, boot with UEFI Secure Boot
> enabled.  That's the only configuration I can think of where it
> would be needed.

Hi,
Yes, thank you, this is why I am asking, because I have a company notebook
with secureboot and I would like to boot from USB stick - without messing
with BIOS.
I started reading how to configure UEFI etc. and also experimented on a USB
stick, but found out that my own produced kernel does not boot. So I think
this information is exactly what I was missing back then.

thanks and regards
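
For the situation in the last post (a self-built kernel that will not boot with Secure Boot on), a way to tell a signed kernel image from an unsigned one. This is an added example, not code from anyone in the thread. It assumes the kernel is an EFI-stub (PE/COFF) image, as on amd64, and reads the PE certificate table entry, which is where an Authenticode signature is recorded; `signature_table` and `build_sample` are names made up for the example.

```python
import struct
import sys

CERT_TABLE_INDEX = 4  # "Certificate Table" slot in the PE data directory


def signature_table(image: bytes):
    """Return (file_offset, size) of the PE certificate table, or None if unsigned."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE/EFI-stub image (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe_off + 24                      # 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == 0x20B:                     # PE32+ (amd64, arm64)
        dirs = opt + 112
    elif magic == 0x10B:                   # PE32 (i386)
        dirs = opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (count,) = struct.unpack_from("<I", image, dirs - 4)  # NumberOfRvaAndSizes
    if count <= CERT_TABLE_INDEX:
        return None
    offset, size = struct.unpack_from("<II", image, dirs + 8 * CERT_TABLE_INDEX)
    if size == 0:
        return None                        # no signature attached
    if offset + size > len(image):
        raise ValueError("certificate table points past end of file")
    return offset, size


def build_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ header (not a real kernel), for demonstration."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)        # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x20B)        # PE32+
    struct.pack_into("<I", img, opt + 108, 16)     # 16 data directory entries
    if signed:
        struct.pack_into("<II", img, opt + 112 + 8 * CERT_TABLE_INDEX, 0x200, 0x40)
        img += bytes(0x40)                         # placeholder signature blob
    return bytes(img)


if __name__ == "__main__":
    for path in sys.argv[1:]:                      # e.g. a vmlinuz file under /boot
        with open(path, "rb") as f:
            print(path, signature_table(f.read()) or "unsigned")
```

A non-empty certificate table only shows that the image carries a signature; whether the firmware accepts it depends on the keys it trusts, which a tool such as `sbverify` checks.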