vmlinuz-4.18.12-041812-generic has invalid signature
https://askubuntu.com/questions/1081472/vmlinuz-4-18-12-041812-generic-has-invalid-signature
39
I upgraded my kernel today with ukuu, and since then I can't boot because I'm getting these errors:
error: /boot/vmlinuz-4.18.12-041812-generic has invalid signature
error: you need to load the kernel first
I have dual boot with Windows 10 and Ubuntu 18.10 (upgraded today).
Update: I managed to boot to an older kernel that I chose from “Advanced options for Ubuntu” in GRUB.
But I need to upgrade my kernel, and if I do that I still get the same problem…
Tags: dual-boot, kernel
asked Oct 6, 2018 at 15:52, edited Oct 6, 2018 at 16:23, Nadav Shabtai
I solved my problem following this tutorial to sign the /boot/vmlinuz file for Secure Boot. Just notice the last part of the tutorial –
Nadav Shabtai
Commented Oct 14, 2018 at 7:06
I'm experiencing this same problem now after updating the firmware of my Lenovo T480 and I don't understand why the older kernels still work. –
juzzlin
Commented Sep 23, 2019 at 9:00
3 Answers
30
https://github.com/jakeday/linux-surface/blob/master/SIGNING.md has more specific instructions on kernel signing (adapted from the same tutorial linked in the accepted answer). The instructions are reproduced in full as follows:
Signing a custom kernel for Secure Boot
Instructions are for Ubuntu, but should work similarly for other distros if they are using shim and grub as bootloader. If your distro is not using shim (e.g. Linux Foundation Preloader), there should be similar steps to complete the signing (e.g. HashTool instead of MokUtil for LF Preloader) or you can install shim to use instead. The Ubuntu package for shim is called shim-signed, but please inform yourself on how to install it correctly, so you do not mess up your bootloader.
Since the most recent GRUB2 update (2.02+dfsg1-5ubuntu1) in Ubuntu, GRUB2 does not load unsigned kernels anymore, as long as Secure Boot is enabled. Users of Ubuntu 18.04 will be notified during upgrade of the grub-efi package, that this kernel is not signed and the upgrade will abort.
Thus you have three options to solve this problem:
1. You sign the kernel yourself.
2. You use a signed, generic kernel of your distro.
3. You disable Secure Boot.
Since option two and three are not really viable, these are the steps to sign the kernel yourself.
Instructions adapted from the Ubuntu Blog. Before following, please back up your /boot/EFI directory, so you can restore everything. Follow these steps at your own risk.
1. Create the config to create the signing key, save as mokconfig.cnf:
    # This definition stops the following lines failing if HOME isn't
    # defined.
    HOME = .
    RANDFILE = $ENV::HOME/.rnd
    [ req ]
    distinguished_name = req_distinguished_name
    x509_extensions = v3
    string_mask = utf8only
    prompt = no
    [ req_distinguished_name ]
    countryName =
    [ v3 ]
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always,issuer
    basicConstraints = critical,CA:FALSE
    extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6
    nsComment = "OpenSSL Generated Certificate"
Adjust all parts with <YOUR*> to your details.
2. Create the public and private key for signing the kernel:
    openssl req -config ./mokconfig.cnf \
        -new -x509 -newkey rsa:2048 \
        -nodes -days 36500 -outform DER \
        -keyout "MOK.priv" \
        -out "MOK.der"
3. Convert the key also to PEM format (mokutil needs DER, sbsign needs PEM):
    openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
4. Enroll the key to your shim installation:
    sudo mokutil --import MOK.der
You will be asked for a password; you will just use it to confirm your key selection in the next step, so choose any.
5. Restart your system. You will encounter a blue screen of a tool called MOKManager. Select "Enroll MOK" and then "View key". Make sure it is your key you created in step 2. Afterwards continue the process and you must enter the password which you provided in step 4. Continue with booting your system.
Note: if MOKManager does not load on reboot then change the boot order.
6. Verify your key is enrolled via:
    sudo mokutil --list-enrolled
7. Sign your installed kernel (it should be at /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface):
    sudo sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface --output /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface.signed
8. Copy the initram of the unsigned kernel, so we also have an initram for the signed one.
    sudo cp /boot/initrd.img-[KERNEL-VERSION]-surface-linux-surface{,.signed}
9. Update your grub-config
    sudo update-grub
10. Reboot your system and select the signed kernel. If booting works, you can remove the unsigned kernel:
    sudo mv /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface{.signed,}
    sudo mv /boot/initrd.img-[KERNEL-VERSION]-surface-linux-surface{.signed,}
    sudo update-grub
Now your system should run under a signed kernel and upgrading GRUB2 works again. If you want to upgrade the custom kernel, you can sign the new version easily by following above steps again from step seven on. Thus BACKUP the MOK-keys (MOK.der, MOK.pem, MOK.priv).
edited Aug 25, 2022 at 14:19, community wiki
2 revs, 2 users 99% prusswan
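A pre-reboot check for the procedure in the answer above, as an added example that is not part of the original answer or the linux-surface instructions: it confirms that Secure Boot is on, that the MOK is enrolled, that the image verifies against your certificate, and that the matching initrd copy exists. The function names, exit codes and matched mokutil output strings are assumptions of this example; it requires mokutil and sbverify (from sbsigntool).

```shell
#!/bin/sh
# Added example: pre-reboot check for a kernel signed with your own MOK.
# Assumes mokutil and sbsigntool (sbverify) are installed; function names
# and the matched output strings are this example's assumptions.

secure_boot_on() {
    mokutil --sb-state 2>/dev/null | grep -q 'SecureBoot enabled'
}

key_enrolled() {        # $1 = DER certificate passed to mokutil --import
    mokutil --test-key "$1" 2>/dev/null | grep -q 'is already enrolled'
}

image_signed_by() {     # $1 = PEM certificate, $2 = kernel image
    sbverify --cert "$1" "$2" >/dev/null 2>&1
}

matching_initrd() {     # /boot/vmlinuz-X.signed -> /boot/initrd.img-X.signed
    echo "$(dirname "$1")/initrd.img-$(basename "$1" | sed 's/^vmlinuz-//')"
}

# preflight DER PEM IMAGE
# 0 = safe to reboot, 1 = key not enrolled, 2 = signature does not verify,
# 3 = no initrd with the matching name
preflight() {
    der=$1; pem=$2; image=$3
    if ! secure_boot_on; then
        echo "Secure Boot is off: the signature check does not apply to $image"
        return 0
    fi
    if ! key_enrolled "$der"; then
        echo "FAIL: $der is not enrolled (mokutil --import, then MOKManager)"
        return 1
    fi
    if ! image_signed_by "$pem" "$image"; then
        echo "FAIL: $image does not verify against $pem"
        return 2
    fi
    if [ ! -e "$(matching_initrd "$image")" ]; then
        echo "FAIL: $(matching_initrd "$image") is missing"
        return 3
    fi
    echo "OK: $image is signed by an enrolled key"
}

# Example: sudo sh preflight.sh MOK.der MOK.pem /boot/vmlinuz-<version>.signed
[ "$#" -ne 3 ] || preflight "$@"
```

Run it after the signing and initrd-copy steps and before the final reboot; a non-zero exit status means the older kernel in "Advanced options for Ubuntu" is still the only one that will boot.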
2
Excellent response, I couldn't have got there with the Ubuntu instructions alone –
Preston
Commented Jan 21, 2020 at 15:49
3
Great shortcut to rename and overwrite files with postfixes. –
Tom
Commented Mar 17, 2020 at 6:41
2
Very detailed answer. It worked great for me with Ubuntu 20.04 and kernel 5.8. –
Andyc
Commented Sep 6, 2020 at 5:48
1
This needs to be the accepted answer. –
Saren Tasciyan
Commented Sep 10, 2020 at 22:05
Jake Day's Linux Surface repo is no longer actively maintained and the page provided here is gone. –
Sam Hobbs
Commented Nov 30, 2021 at 21:24
29
Instead of signing the kernel in question, I just turned off Secure Boot in the BIOS/UEFI menu of my laptop.
You can usually enter the menu by pressing a special key during boot, you can google the specific one for your device or it might even be shown on screen during boot.
answered Apr 3, 2019 at 1:17, edited Jun 18, 2019 at 17:55, xjcl
2
Thanks! I've just updated my BIOS and forgot to disable that! –
Lucas Bustamante
Commented Jun 17, 2019 at 19:27
This is working for me! –
Jonathan
Commented Apr 12, 2020 at 20:04
This worked on Ubuntu 20.04 👍🏻 –
Anirudha Mahale
Commented Aug 1, 2020 at 13:10
Fortunately that answer came first from Google. Also forgot about that secure boot thing, after a BIOS update. Scary problem that has a simple solution. Thanks! –
Déjà vu
Commented Aug 18, 2020 at 16:33
Thanks. After updating BIOS, I had this error. I was afraid to waste my time by downloading Ubuntu ISO for making live CD in USB. –
Edip Ahmet
Commented May 4, 2021 at 17:41
1
I had this issue after updating today. Changing the bootloader to shimx64.efi seems to have fixed it.