Compression of ARM64 kernels causes problems with secureboot and systemd-boot
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
linux-meta (Ubuntu) | New | Undecided | Kleber Sacilotto de Souza | |
Bug Description
Hello,
I'm trying to deploy an Ubuntu Server on arm64 with secureboot and UKIs.
I'm running into the problem that the shipped kernel is just a plain gzip compressed version of the kernel image.
This causes two issues:
- sbsign refuses to sign the kernel without uncompressing it first (Invalid DOS header magic)
- systemd-
Debian just ships an uncompressed kernel and Fedora ships a PE binary (which they can do because they dropped BIOS support, so this cannot be adopted for Ubuntu).
Shipping an uncompressed kernel would be the easiest switch from my view, only causing problems on small /boot partitions or ESP partitions, respectively.
The current version in Ubuntu causes unexpected behaviour with various bootchain tools.
Changed in linux-meta (Ubuntu):
assignee: nobody → Kleber Sacilotto de Souza (kleber-souza)
The first failure can be easily reproduced by trying to sign vmlinuz,
The second one by using mkosi (https://github.com/systemd/mkosi):
```
$ mkosi genkey
$ mkosi --distribution=ubuntu --architecture=arm64 --release=noble -p linux-image-generic,systemd,systemd-sysv,udev,dbus,systemd-boot --qemu-firmware=uefi qemu
```
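The "Invalid DOS header magic" symptom described in this report can be checked before signing by testing whether a kernel file starts with a DOS/PE header or with a gzip header wrapping one. This is an added example, not part of the bug report or of sbsign, systemd or mkosi; the function names and the sample stub are constructed for illustration.

```python
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b"
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
E_LFANEW = 0x3C  # offset of the 32-bit pointer to the PE signature


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header that points at a PE signature."""
    if len(data) < E_LFANEW + 4 or data[:2] != DOS_MAGIC:
        return False
    (pe_off,) = struct.unpack_from("<I", data, E_LFANEW)
    return data[pe_off:pe_off + 4] == PE_SIGNATURE


def classify(data: bytes) -> str:
    """Classify a kernel file as 'pe', 'gzip+pe', 'gzip+other' or 'other'."""
    if is_pe(data):
        return "pe"  # signable as-is
    if data[:2] == GZIP_MAGIC:
        try:
            inner = gzip.decompress(data)
        except (OSError, EOFError, zlib.error):
            return "gzip+other"  # gzip magic but not a valid stream
        # A PE image hidden behind gzip must be decompressed before signing.
        return "gzip+pe" if is_pe(inner) else "gzip+other"
    return "other"


def constructed_pe_stub() -> bytes:
    """Constructed sample: smallest header that passes is_pe(), not a real kernel."""
    header = bytearray(0x40)
    header[:2] = DOS_MAGIC
    struct.pack_into("<I", header, E_LFANEW, 0x40)
    return bytes(header) + PE_SIGNATURE + b"\x00" * 64


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify(fh.read()))
```

A result of `gzip+pe` matches the situation in this report: the file has to be decompressed before a PE signing tool will accept it.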