| === ubuntu_4321 is now known as ubuntu4321 | ||
| lissyx | tomreyn, right, but I still dont get why those mainline cannot signed | 07:16 |
|---|---|---|
| tjaalton | because every new version would have to be tested | 07:42 |
| tjaalton | not going to happen | 07:43 |
| tjaalton | they are provided as-is anyway | 07:43 |
| lissyx | I'm sorry but I dont get why signature would be tied to testing can't they be provided as-is but signed to be able to boot on secureboot? | 08:33 |
| lissyx | one has to manually install it anyway, so it's not like it's going to happen by accident | 08:34 |
| tjaalton | they need to be signed by the archive key to be useful | 08:36 |
| tjaalton | or | 08:36 |
| tjaalton | there are ppa builds of in-flight kernels which are signed by ppa keys, then tested to see that secure boot works, then passed on to be signed with the archive key on a private ppa | 08:37 |
| tjaalton | so, you could use a newer ppa kernel but it'd require importing the ppa key | 08:38 |
| tjaalton | unless I'm mistaken | 08:38 |
| lissyx | and archive key signature can only happen after testing? | 08:39 |
| lissyx | TBH from an outsider point of view that looks like bureaucracy with no real value in this specific case except making it mostly useless to have those kernels available in my case | 08:40 |
| tjaalton | tough | 08:44 |
| lissyx | I dont want to hurt anyone | 08:46 |
| lissyx | that's just what I can see from where I am, not knowing any of the backdoor processes | 08:46 |
| lissyx | tl;dr is that I'm willing to test mainline but that situation makes me unable to do it so far, so we cannot assert whether the bug is fixed or not | 08:47 |
| tjaalton | you have 6.13.0-2.2 for testing in ppa:canonical-kernel-team/ubuntu/bootstrap , then instructions on how to enable lockdown here https://canonical-kteam-docs.readthedocs-hosted.com/en/latest/reference/testing/secure_boot.html | 09:01 |
| tjaalton | also, mainline builds don't even carry the lockdown patches | 09:02 |
| lissyx | ok someone mentionned PPA was broken as well so if it works that's nice | 09:05 |
| lissyx | tjaalton, that documentation link seems to be private | 09:06 |
| lissyx | asks for an account | 09:06 |
| tjaalton | ah | 09:07 |
| tjaalton | let me see | 09:07 |
| tjaalton | should be public | 09:07 |
| tjaalton | I think | 09:07 |
| tjaalton | meh, isn't | 09:10 |
| tjaalton | the public docs are at https://canonical-kteam-docs.readthedocs-hosted.com/en/public/ and can't see that there | 09:10 |
| lissyx | this comment mentiosn the PPA being dead: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2095100/comments/8 | 09:15 |
| -ubottu:#ubuntu-kernel- Launchpad bug 2095100 in linux (Ubuntu) "kernel panic when setting application in fullscreen" [Undecided, New] | 09:15 | |
| lissyx | maybe it refers to a different one? | 09:15 |
| esembee | apw, now | 09:17 |
| tjaalton | Day changed to 19 Jan 2025 | 09:26 |
| tjaalton | 20:45 < juergh> bambinone, this is all tied to the move of the builders. It's a very brittle infrastructure with lots of dependencies. Upgrading the builders also introduced a whole new set of problems that need to be looked at. | 09:26 |
| tjaalton | latest on mainline ppa. it's not officially supported, so no ETA for it being fully live | 09:27 |
| lissyx | tjaalton, ok, so I'm not sure, does it means I can use the PPA you mentionned or just be patient for the generic PPA mentionned in the bug to be fixed? | 12:31 |
| tjaalton | if you need 6.13 final, built for plucky, use bootstrap ppa | 12:36 |
| tjaalton | but it still isn't signed | 12:36 |
| tjaalton | hmm | 12:36 |
| tjaalton | actually, plucky-proposed has a signed version | 12:36 |
| tjaalton | no it doesn't.. not yet :) | 12:37 |
| tjaalton | because lockdown needs to be tested, arm64/amd64 by me, s390x by others | 12:37 |
| tjaalton | maybe next week | 12:37 |
| tjaalton | the ppa version is signed with the ppa key | 12:38 |
| tjaalton | extract the tarball from http://ppa.launchpad.net/canonical-kernel-team/bootstrap/ubuntu/dists/plucky/main/signed/linux-generate-unstable-amd64/6.13.0-2.2 | 13:08 |
| tjaalton | it has ../control/uefi.crt | 13:08 |
| tjaalton | modify it to DER format; openssl x509 -in <version>/control/uefi.crt -inform PEM -outform DER -out MOK.der | 13:09 |
| tjaalton | then enroll it like on https://wiki.debian.org/SecureBoot | 13:09 |
| lissyx | i tried that, I already have an enrolled key for signing modules, but the kernel would still not boot | 13:38 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!