The first failure can be easily reproduced by trying to sign vmlinuz, The second one by using mkosi (https://github.com/systemd/mkosi): ``` $ mkosi genkey $ mkosi --distribution=ubuntu --architecture=arm64 --release=noble -p linux-image-generic,systemd,systemd-sysv,udev,dbus,systemd-boot --qemu-firmware=uefi qemu ```
-- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-meta in Ubuntu. https://bugs.launchpad.net/bugs/2058381 Title: Compression of ARM64 kernels causes problems with secureboot and systemd-boot Status in linux-meta package in Ubuntu: New Bug description: Hello, I'm trying to deploy an Ubuntu Server on arm64 with securbeoot and UKIs. I'm running into the problem that the shipped kernel is just a plain gzip compressed version of the kernel image. This causes two issues: - sbsign refuses to sign the kernel without uncompressing it first (Invalid DOS header magic) - systemd-stub/systemd-boot don't recognize this kernel as a valid binary (Bad kernel image: Load error\n Failed to execute Ubuntu Noble Numbat (development branch) (\EFI\Linux\ubuntu-6.8.0-11-generic.efi): Load error) Debian just ships an uncompressed kernel and Fedora ships a PE binary (which they can do because they dropped BIOS support, so this cannot be adopted for Ubuntu). Shipping an uncompressed kernel would be the easiest switch from my view, only causing problems on small /boot partitions or ESP partitions, respectively. The current version in Ubuntu causes unexpected behaviour with various bootchain tools. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux-meta/+bug/2058381/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
