How to compile source code of new kernel specifically for my pc hardware with uefi secure boot.

rupeshforu3

New Member
Joined
Feb 28, 2022
Messages
13
Reaction score
1
Credits
217
Hi, I am Rupesh from India and I have a PC with an i3 processor and an H510 motherboard. It has UEFI. I have installed open suse tumblewood and all the packages have been updated. As the default kernel provided by open suse tumblewood is not working properly, I want to compile the source code of a new kernel, obtained from kernel.org, and the kernel source code present in /usr/src/linux***, but I can't.

As the PC is UEFI based I am getting a lot of errors related to signing. I have installed all the latest packages related to gcc, make, ctags, cscope, open ssh, open SSL, auto make, auto conf, cmake etc.

I have created the config file from the existing configuration of system using the following command

make localmodconfig

I have succeeded in compiling source code of new kernel using make command but when I execute the command

make install

I am getting error as

" certificate must have code signing extended key usage defined for secure boot ".

After some time vmlinux, initrd files are created but when I try to boot the newly compiled kernel from grub I am getting errors as

"bad shim signature"
"you need to load the kernel first"

I have tried a number of ways to compile successfully, such as disabling secure boot in yast boot loader, selecting load all modules by verifying signature etc.

Currently my .config file consists of the following lines containing the word sig

Code:
CONFIG_SIGNALFD=y
CONFIG_KEXEC_SIG=y
CONFIG_KEXEC_SIG_FORCE=y
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y
# CONFIG_STRICT_SIGALTSTACK_SIZE is not set
CONFIG_ACPI_TINY_POWER_BUTTON_SIGNAL=38
CONFIG_OLD_SIGSUSPEND3=y
CONFIG_COMPAT_OLD_SIGACTION=y
CONFIG_DYNAMIC_SIGFRAME=y
CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
CONFIG_MODULE_SIG_SHA256=y
# CONFIG_MODULE_SIG_SHA384 is not set
# CONFIG_MODULE_SIG_SHA512 is not set
CONFIG_MODULE_SIG_HASH="sha256"
CONFIG_TCP_MD5SIG=y
CONFIG_CFG80211_REQUIRE_SIGNED_REGDB=y
# DesignWare PCI Core Support
# end of DesignWare PCI Core Support
CONFIG_I2C_DESIGNWARE_CORE=y
# CONFIG_I2C_DESIGNWARE_SLAVE is not set
CONFIG_I2C_DESIGNWARE_PLATFORM=y
CONFIG_I2C_DESIGNWARE_BAYTRAIL=y
# CONFIG_I2C_DESIGNWARE_PCI is not set
# CONFIG_SPI_DESIGNWARE is not set
# CONFIG_SND_HDA_CODEC_SIGMATEL is not set
# CONFIG_USB_ISIGHTFW is not set
CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y
CONFIG_INTEGRITY_SIGNATURE=y
# CONFIG_IMA_SIG_TEMPLATE is not set
CONFIG_IMA_APPRAISE_MODSIG=y
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY=y
CONFIG_SIGNED_PE_FILE_VERIFICATION=y
# Certificates for signature checking
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
CONFIG_MODULE_SIG_KEY_TYPE_RSA=y
# CONFIG_MODULE_SIG_KEY_TYPE_ECDSA is not set
# end of Certificates for signature checking
CONFIG_CHECK_SIGNATURE=y
CONFIG_SIGNATURE=y


Kindly try to suggest how to compile the source code of the kernel for a UEFI system with automatic key signing and how to boot the compiled kernel from grub2.

Regards,
Rupesh.
 
NorthWest

Guest
Since you have "succeeded in compiling source code of new kernel", just a guess here, but is secure boot disabled in the UEFI/BIOS?
 

Lord Boltar

Well-Known Member
Joined
Nov 24, 2020
Messages
1,671
Reaction score
1,122
Credits
12,483
By default, the machine’s UEFI firmware will only boot boot-loaders signed by a key embedded in the UEFI firmware.

Modern versions of Ubuntu will boot and install normally on most PCs with Secure Boot enabled. This is because Ubuntu’s first-stage EFI boot loader is signed by Microsoft. However, a Ubuntu developer notes that Ubuntu’s boot loader isn’t signed with a key that’s required by Microsoft’s certification process, but simply a key Microsoft says is “recommended.” This means that Ubuntu may not boot on all UEFI PCs. Users may have to disable Secure Boot to use Ubuntu on some PCs.

Secure Boot can be disabled, which will exchange its security benefits for the ability to have your PC boot anything, just as older PCs with the traditional BIOS do. This is also necessary if you want to install an older version of Windows that wasn’t developed with Secure Boot in mind, such as Windows 7.

Add a Signing Key to the UEFI Firmware: Some Linux distributions may sign their boot loaders with their own key, which you can add to your UEFI firmware
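
The error in the first post says the signing certificate lacks the code signing extended key usage (EKU), and the post above mentions adding your own signing key to the firmware. As an added example (not from any poster in this thread), these shell functions create a self-signed certificate that carries that EKU and check any PEM certificate for it. The file names mok.key, mok.pem, mok.der and the certificate CN are assumptions.

```shell
#!/bin/sh
# Added example: build a self-signed signing certificate with the
# "Code Signing" EKU and verify that a certificate carries it.
# mok.key / mok.pem / mok.der and the CN below are assumed names.

# has_codesign_eku CERT.pem -> exit 0 if the cert lists the Code Signing EKU
has_codesign_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' | grep -q 'Code Signing'
}

# make_signing_cert DIR [codeSigning|none]
# Writes DIR/mok.key (private key), DIR/mok.pem and DIR/mok.der (certificate).
# "none" omits the EKU so the check can be seen failing.
make_signing_cert() {
    dir=$1
    eku=${2:-codeSigning}
    cat > "$dir/x509.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3
prompt = no
[ dn ]
CN = Local kernel signing key (constructed example)
[ v3 ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
subjectKeyIdentifier = hash
EOF
    if [ "$eku" = codeSigning ]; then
        echo 'extendedKeyUsage = codeSigning' >> "$dir/x509.cnf"
    fi
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
        -config "$dir/x509.cnf" -keyout "$dir/mok.key" \
        -out "$dir/mok.pem" 2>/dev/null || return 1
    # DER copy: the format used when enrolling a key into the firmware/shim
    openssl x509 -in "$dir/mok.pem" -outform DER -out "$dir/mok.der"
}

# Demo in a throwaway directory
demo_dir=$(mktemp -d)
if make_signing_cert "$demo_dir" && has_codesign_eku "$demo_dir/mok.pem"; then
    echo "mok.pem: Code Signing EKU present"
fi
rm -rf "$demo_dir"
```

The DER file is what gets enrolled (for example with `mokutil --import mok.der`, confirmed in the MOK manager on the next boot), and the private key must stay readable by root only, since anything signed with it will be trusted at boot.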
 
rupeshforu3
Hi, let me know how to compile the source code of the kernel first.

At present I have made changes in bios secure boot as

Os type to "other os"
Secure boot mode to "standard"

After that I have disabled secure boot option in yast boot loader.

After that I have compiled the kernel source code and this time also, when I issue the command "make install", I am getting the same error as " must have certificates....".

After reboot, when I select the new kernel I am not getting the shim error but instead I am getting the error "systemd: failed to load modules". After some time I am able to see a message as reached target but there is no user login window.

Another thing I want to mention is that when I issue the command " make install " I am able to see messages such as moving vmlinuz.5.11 to vmlinuz.5.11.old, initrd.5.11 to initrd.5.11.old etc. Also the newly compiled modules are going to overwrite the existing modules present in /lib/modules/kernel version.

My question is: suppose I download the kernel source code from kernel.org and its file name is kernel.5.13.1 and the present kernel I am running is 5.13.1, then how do I compile the source code of the kernel and create a kernel with file name vmlinuz.5.13.1-new and initrd.5.13.1-new and finally place the kernel modules under the directory /lib/modules/5.13.1-new?
 

dos2unix

Well-Known Member
Joined
May 3, 2019
Messages
1,392
Reaction score
1,019
Credits
8,557
You could copy the shim from another distro.

You likely want one of the signed ones.
You will need to extract the shim and certs from a distro that has been licensed.

Now technically this is illegal. You can't just copy someone else's signed shim file
and make your own distro out of it. That distro paid for it to be licensed. You haven't.
Also that distro goes through a certification process in order to be licensed.
Your distro and kernel haven't gone through that process.

What you are trying to do technically defeats the whole reason for having secure boot.
Anyone could compile malicious code into a kernel and call it "secure".

You mentioned yast. I am pretty sure openSuSE has a signed shim.
I know for sure that SuSE Enterprise does.
 
rupeshforu3
Pentium MMX was launched about 30 years ago and at that time video processing was new and there was no proper hardware just to play any video file. I mean, if you played any video file, video playback stopped sometimes and resumed after some time.

At present there is a lot of development in video hardware and at the same time new technologies in both hardware and software have evolved. Coming to hardware, CPUs with integrated graphics came, and coming to software, many video and audio codecs have been developed like h265, vpx, av1, aac, opus etc. Of these, aac and opus are audio codecs which produce the lowest disk size at reasonable quality and h265, av1 are video codecs which provide the lowest disk size at reasonable quality.

Most of the time I download videos from youtube and other sources which are of large size. When you record a video on an android smartphone it takes around 600 mb for 3 minutes 50 seconds and it uses the h265 codec. It is difficult to store such files on my android smartphone.

Mostly I use Linux and the ffmpeg tool to compress these video files. Of the h265 and av1 aom encoders, the av1 aom encoder provides the lowest disk size at the lowest video bitrate. H265 encoding and decoding are supported in all hardware including pc and smartphone but unfortunately av1 files are not supported in any, but I definitely think that it will become the de facto standard in future.

If h265 encoding takes 1 minute then aom av1 encoding takes about 10 minutes. If video acceleration is present the encoding takes about 7 minutes. Video acceleration comes into action only if the GPU is detected properly and the necessary drivers are installed. If the system can detect the opencl version of the GPU then av1 encoding takes about 5 minutes through ffmpeg.

As MMX was trending about 30 years ago, I think that the latest processors have vector instructions for video transcoding or encoding like avx2 or avx 512, simd etc. These new instructions are not present in processors from 15 years back.

As 64 bit processors came into action around 20 years back, nowadays processors are 10 times greater in performance than the old ones.

I think that all the kernels shipped by distros are not considering the latest processors' instruction sets. I think that even windows is doing the same.

If opencl is detected properly any application can have an improvement in performance of about 10 percent.

I can't find any option to set opencl in the Linux kernel config file or in any of the kernel source files.

At least I am lucky to select option core 2 in the main .config file of the kernel.

Finally, my request: is there any way to export the instruction set of my cpu to the kernel configuration so that after compilation my video encoding takes less time than before?

If it's a difficult task leave it and if it's possible try to suggest how to do so.
 

Willup23

New Member
Joined
Nov 4, 2021
Messages
1
Reaction score
0
Credits
12
Sorry, but none of this makes much sense. Saying that current kernels don't take full advantage of the newer CPUs is plain wrong.

Nothing you've posted so far has much of a clue as to WHY you want to compile your own kernel, or what you're hoping to gain from this exercise. Opensuse has a pretty stable kernel and I'm assuming you mean you're using TumbleWEED (no such thing as tumblewood). I'm running tumbleweed and every update I get includes the shim and I boot uefi with no problems. Why are you throwing video conversion into a thread about compiling a kernel? GPU and video processing come into play because you compile the tools like ffmpeg with the options to use those things and it has nothing to do with the kernel.

Can you clearly define what problem it is you're trying to solve?
 

X104825

Member
Joined
Feb 23, 2022
Messages
63
Reaction score
9
Credits
396
When it gets too complex you may want to save all your info and upload it to a drive and then re-download Open Suse.
 