Ubuntu
linux-meta package

Compression of ARM64 kernels causes problems with secureboot and systemd-boot

Bug #2058381 reported by Cornelius Hoffmann
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux-meta (Ubuntu)
New
Undecided
Kleber Sacilotto de Souza

Bug Description

Hello,

I'm trying to deploy an Ubuntu Server on arm64 with securbeoot and UKIs.
I'm running into the problem that the shipped kernel is just a plain gzip compressed version of the kernel image.
This causes two issues:
- sbsign refuses to sign the kernel without uncompressing it first (Invalid DOS header magic)
- systemd-stub/systemd-boot don't recognize this kernel as a valid binary (Bad kernel image: Load error\n Failed to execute Ubuntu Noble Numbat (development branch) (\EFI\Linux\ubuntu-6.8.0-11-generic.efi): Load error)

Debian just ships an uncompressed kernel and Fedora ships a PE binary (which they can do because they dropped BIOS support, so this cannot be adopted for Ubuntu).
Shipping an uncompressed kernel would be the easiest switch from my view, only causing problems on small /boot partitions or ESP partitions, respectively.

The current version in Ubuntu causes unexpected behaviour with various bootchain tools.

Revision history for this message
Cornelius Hoffmann (cornelicorn) wrote :

The first failure can be easily reproduced by trying to sign vmlinuz,
The second one by using mkosi (https://github.com/systemd/mkosi):
```
$ mkosi genkey
$ mkosi --distribution=ubuntu --architecture=arm64 --release=noble -p linux-image-generic,systemd,systemd-sysv,udev,dbus,systemd-boot --qemu-firmware=uefi qemu
```

Brett Grandbois (brettgrand)
Changed in linux-meta (Ubuntu):
assignee: nobody → Kleber Sacilotto de Souza (kleber-souza)
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.