[Bug 2121352] Re: [FFe] arm64: Build stubble kernel

Tobias Heider 2121352 at bugs.launchpad.net
Fri Oct 3 14:21:22 UTC 2025 

** Changed in: stubble (Ubuntu Questing)
       Status: Triaged => Fix Released

** Changed in: stubble (Ubuntu Questing)
     Assignee: Andy Whitcroft (apw) => Tobias Heider (tobhe)

** Description changed:

  For arm64 we want our default signed kernel to be bundled with stubble and dtbs.
  This bug tracks progress on the integration work needed.
  
  stubble will allow us to load device trees automatically as part of an
  EFI boot stub on Qualcomm Snapdragon laptops and have them
  signed/verified with UEFI secure boot. A more detailed explanation for
  how and why we plan this is available in the form of a spec at
  https://discourse.ubuntu.com/t/spec-stubble-a-secure-boot-friendly-
  device-tree-loading-efi-stub/66560
  
  Status
  ======
  [X] Package stubble - https://launchpad.net/ubuntu/+source/stubble (needs another update)
  [X] MIR - https://bugs.launchpad.net/ubuntu/+source/stubble/+bug/2120322
  [X] Get signing request reviewed - https://github.com/rhboot/shim-review/issues/484
  [X] Upload latest stubble changes
  [X] Integrate into kernel build
- [ ] Drop flash-kernel dependency from ubuntu-x1*-settings
- [ ] Update debian-cd to remove dtb hacks
+ [X] Drop flash-kernel dependency from ubuntu-x1*-settings
+ [X] Update debian-cd to remove dtb hacks
  
  [ stubble 4-0ubuntu2 FFe - done ]
  
  For convenience reasons we would like to add some of the kernel packaging/signing logic in the stubble package instead of putting it into linux-signed
  directly. This would include a new binary package including a kernel postinst script that builds a stubble bundled kernel. The new package pulled in by linux-signed as a dependency.
  While we are there I would also like to include a patch to hide a verbose error message in stubble behind the debug flag.
  
  The risk of the stubble upload itself should be pretty low since it is a
  new package that doesn't yet have any reverse dependencies.
  
  The planned changes are available in the upstream repo at https://github.com/ubuntu/stubble/tree/ubuntu/main
  PPA builds will be available in https://launchpad.net/~apw/+archive/ubuntu/signing/+packages where we test the entire kernel build + signing pipeline
  
  [ ubuntu-x1*-settings FFe ]
  
  Once the kernel has migrated to main, we want to drop the flash-kernel
  dependency from our ubuntu-x1*-settings packages since that isn't needed
  anymore.
  
  flash-kernel is currently used to install a kernel update hook that will
  copy the device tree from a freshly installed kernel to /boot where it
  will be registered by update-grub. With stubble this is not necessary
  anymore.
  
  I have verified that already installed dtbs on /boot do not get deleted
  by removing flash-kernel, so this won't break currently working pre-
  stubble kernels that already have a dtb available.
  
  MRs are available here:
  https://code.launchpad.net/~tobhe/ubuntu/+source/ubuntu-x13s-settings/+git/ubuntu-x13s-settings/+merge/493052
  https://code.launchpad.net/~tobhe/ubuntu/+source/ubuntu-x1e-settings/+git/ubuntu-x1e-settings/+merge/493046
  
  PPA builds are in https://launchpad.net/~tobhe/+archive/ubuntu/hamoa

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubuntu-x13s-settings in Ubuntu.
https://bugs.launchpad.net/bugs/2121352

Title:
  [FFe] arm64: Build stubble kernel

Status in linux-meta package in Ubuntu:
  Fix Released
Status in linux-signed package in Ubuntu:
  Fix Released
Status in stubble package in Ubuntu:
  Fix Released
Status in ubuntu-x13s-settings package in Ubuntu:
  Fix Released
Status in ubuntu-x1e-settings package in Ubuntu:
  Fix Released
Status in linux-meta source package in Questing:
  Fix Released
Status in linux-signed source package in Questing:
  Fix Released
Status in stubble source package in Questing:
  Fix Released
Status in ubuntu-x13s-settings source package in Questing:
  Fix Released
Status in ubuntu-x1e-settings source package in Questing:
  Fix Released

Bug description:
  For arm64 we want our default signed kernel to be bundled with stubble and dtbs.
  This bug tracks progress on the integration work needed.

  stubble will allow us to load device trees automatically as part of an
  EFI boot stub on Qualcomm Snapdragon laptops and have them
  signed/verified with UEFI secure boot. A more detailed explanation for
  how and why we plan this is available in the form of a spec at
  https://discourse.ubuntu.com/t/spec-stubble-a-secure-boot-friendly-
  device-tree-loading-efi-stub/66560

  Status
  ======
  [X] Package stubble - https://launchpad.net/ubuntu/+source/stubble (needs another update)
  [X] MIR - https://bugs.launchpad.net/ubuntu/+source/stubble/+bug/2120322
  [X] Get signing request reviewed - https://github.com/rhboot/shim-review/issues/484
  [X] Upload latest stubble changes
  [X] Integrate into kernel build
  [X] Drop flash-kernel dependency from ubuntu-x1*-settings
  [X] Update debian-cd to remove dtb hacks

  [ stubble 4-0ubuntu2 FFe - done ]

  For convenience reasons we would like to add some of the kernel packaging/signing logic in the stubble package instead of putting it into linux-signed
  directly. This would include a new binary package including a kernel postinst script that builds a stubble bundled kernel. The new package pulled in by linux-signed as a dependency.
  While we are there I would also like to include a patch to hide a verbose error message in stubble behind the debug flag.

  The risk of the stubble upload itself should be pretty low since it is
  a new package that doesn't yet have any reverse dependencies.

  The planned changes are available in the upstream repo at https://github.com/ubuntu/stubble/tree/ubuntu/main
  PPA builds will be available in https://launchpad.net/~apw/+archive/ubuntu/signing/+packages where we test the entire kernel build + signing pipeline

  [ ubuntu-x1*-settings FFe ]

  Once the kernel has migrated to main, we want to drop the flash-kernel
  dependency from our ubuntu-x1*-settings packages since that isn't
  needed anymore.

  flash-kernel is currently used to install a kernel update hook that
  will copy the device tree from a freshly installed kernel to /boot
  where it will be registered by update-grub. With stubble this is not
  necessary anymore.

  I have verified that already installed dtbs on /boot do not get
  deleted by removing flash-kernel, so this won't break currently
  working pre-stubble kernels that already have a dtb available.

  MRs are available here:
  https://code.launchpad.net/~tobhe/ubuntu/+source/ubuntu-x13s-settings/+git/ubuntu-x13s-settings/+merge/493052
  https://code.launchpad.net/~tobhe/ubuntu/+source/ubuntu-x1e-settings/+git/ubuntu-x1e-settings/+merge/493046

  PPA builds are in https://launchpad.net/~tobhe/+archive/ubuntu/hamoa

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-meta/+bug/2121352/+subscriptions

More information about the foundations-bugs mailing list