Dealing with third-party kernels

Where is my kernel coming from?

Some installations need custom kernels to work, and others may wish to test custom kernels that fix one-off issues. Canonical provides such kernels from the ~canonical-kernel-team PPA.

Other kernels may be provided by third parties via their own PPAs.

Only ever install a kernel from a source you trust. The best source for a kernel remains the Ubuntu archive.

If you decide you trust a kernel coming from a PPA, you may also want to enroll the signing key for that PPA in your firmware, so that the signed third-party kernels it ships can be loaded under Secure Boot.

How do I enroll a PPA signing key?


First, make sure you trust the owner of the PPA. This is important, as you would be adding a signing key that is unlikely to change, will allow trusting any UEFI binary built and signed from that PPA.

Navigate to the PPA URL (<user>/<ppa name>/ubuntu), then into dists/<codename>/signed, then into the directory for the right product, such as linux-amd64.

Retrieve the signed.tar.gz file and extract it after verifying the integrity of the files (SHA256SUMS files are included for that purpose).

Navigate to where the files were extracted, into the <version> directory, then into the control directory.

From there, enroll the uefi.crt certificate. It is in PEM format and needs to be converted to DER format first.
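The verify, extract, convert and enroll steps above as a script, added here as an example and not part of this wiki page or of Canonical's tooling. It assumes signed.tar.gz has already been downloaded, that the SHA256SUMS file sits inside the <version> directory, and that enrollment goes through shim's MOK list with mokutil, a tool the page itself does not name.

```shell
#!/bin/sh
# Added example (not from the Ubuntu wiki page or from Canonical): the
# verify / extract / convert / enroll steps, run against a signed.tar.gz
# already fetched from dists/<codename>/signed/<product>/.
# Assumed: coreutils and tar; SHA256SUMS inside the <version> directory;
# shim's MOK manager (mokutil) for the firmware step, which the page does not name.

# Extract the tarball into DEST and print the <version> directory it holds.
extract_signed() {
    mkdir -p "$2"
    tar -xzf "$1" -C "$2"
    ls -d "$2"/*/ | head -n 1
}

# Check every file listed in DIR/SHA256SUMS; fail on any mismatch or missing
# file so that nothing tampered with is used further.
verify_sums() {
    [ -f "$1/SHA256SUMS" ] || { echo "no SHA256SUMS in $1" >&2; return 1; }
    (cd "$1" && sha256sum --check --quiet SHA256SUMS)
}

# uefi.crt ships as PEM: the DER certificate, base64-encoded between BEGIN/END
# markers. Strip the markers and decode to obtain the DER file MOK tooling expects.
pem_to_der() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" |
        sed '/^-----/d' | base64 -d > "$2"
}

# Cheap sanity check before touching the firmware: a DER X.509 certificate
# is an ASN.1 SEQUENCE, so its first byte is 0x30.
looks_like_der_cert() {
    [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]
}

# Queue the certificate for the MOK list; mokutil asks for a one-time password
# and MokManager confirms the enrollment at the next boot.
enroll_der() {
    looks_like_der_cert "$1" || { echo "$1 is not a DER certificate" >&2; return 1; }
    mokutil --import "$1"
}

main() {
    work=$(mktemp -d)
    ver=$(extract_signed "$1" "$work")
    verify_sums "$ver"
    pem_to_der "$ver/control/uefi.crt" "$work/uefi.der"
    enroll_der "$work/uefi.der"
}

# Usage (assumed file name): sh enroll-ppa-key.sh signed.tar.gz
if [ $# -gt 0 ]; then main "$1"; fi
```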

How do I enroll a signing key from a third-party archive, not from Launchpad?

You will need to ask the publisher of the package for its public certificate.

UEFI/SecureBoot/ThirdPartyKernels (last edited 2019-04-05 16:01:39 by cyphermox)