Thanks for all the help and links. I spent a few hours this weekend and verified the following
Short answers
- Yes, you can purge all of the linux-signed* packages, but you have to install linux-generic if you want automatic kernel updates to continue functioning properly. All of the grub, kernel, and initramfs re-configuration is handled automatically. The kernel install scripts really handle everything without any issues.
apt-get purge linux-signed* linux-generic+
- Yes, you can get rid of the unsigned kernels without any ill effects, but they will keep coming back after kernel updates. This cannot be solved by managing packages, but it is easy to fix with a short script.
#!/bin/sh
#
# user script:
# /etc/kernel/postinst.d/zzz-remove-unsigned-kernel
#
# after a new signed kernel image is installed, this script removes
# the unsigned image
#
# run-parts passes two arguments: $1 is the kernel version and $2 is
# the full path of the unsigned image (e.g. /boot/vmlinuz-x.x.x-yy-generic)
#
if [ -e "$2.efi.signed" ]; then
    echo "/etc/kernel/postinst.d/zzz-remove-unsigned-kernel: removing $2"
    rm "$2"
fi
Longer answers
In the first case, the solution is really simple. It works pretty much as you would assume at first glance. Still, I learned some helpful things about the Ubuntu package structure for kernels. I wanted to be sure that I understood the side effects or consequences, but I also just like to see how things are built. Just as a side note, I use the generic kernel, but just swap generic for lowlatency or virtual if that is your thing. Also, everything here is based on 16.10 (yakkety). Here is the kernel package hierarchy:
- linux-signed-generic is a meta package, meaning that it doesn't include any code. It just has a list of dependencies, which always contains the complete installation of the newest kernel update. "Complete" means all of the kernel headers, the kernel image, the (detached) image signature, and extra kernel modules for just about every device that Ubuntu can support.
- linux-generic is another meta package containing all of the same real packages except for the image signature.
- The actual kernel image is only contained in the linux-image-x.x.x-yy package. The linux-signed-image-x.x.x-yy package just contains a detached signature, and the build script attaches this sig to /boot/vmlinuz-x.x.x.yy-generic and creates /boot/vmlinuz-x.x.x.yy-generic.efi.signed. The script does not clean up the unsigned image.
Kernel packages have special scripts in /etc/kernel that modify the default apt autoremove behavior. Normally, removing linux-signed-generic would flag all of the downstream packages for autoremoval, but this doesn't happen for kernel packages until there are two newer builds of the same version.
In the second case (trying to keep the signed kernel image only), there seem to be no consequences to deleting /boot/vmlinuz-x.x.x.yy-generic after the installation is complete. The two kernel images are exactly the same except for the signature, and they share all the same modules and config files. However, as soon as an updated kernel is installed, it will leave behind the unsigned image. Fortunately, there were easy hooks for running a script every time a new kernel is installed. Any scripts in /etc/kernel/postinst.d are executed by run-parts with two arguments: $1 is the kernel version and $2 is the full path of the image (i.e. /boot/vmlinuz-x.x.x-yy-generic).
The only minor caveat is that removing the unsigned image has to be done after grub is finished updating grub.cfg. If /boot/vmlinuz-x.x.x-yy-generic.efi.signed exists, grub adds that image to grub.cfg and ignores the unsigned image. However, there must be somewhere in the process that still expects the unsigned image, because grub fails to configure properly without it. The script that initiates grub configuration is /etc/kernel/postinst.d/zz-update-grub. I named my script zzz-remove-unsigned-kernel so that run-parts executes it after everything else is finished.
EDIT: I've used this script now with a few kernel build updates, and everything seems to work fine. I am using option 2 above (deleting unsigned kernels). I'm going to mark this as the correct answer.
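The hook logic from the answer above, factored into a function so it can be exercised against a scratch directory before being dropped into /etc/kernel/postinst.d. This is an added example, not the poster's script; the two-argument convention ($1 kernel version, $2 unsigned image path) is taken from the answer, and the version string and file names in the demo are constructed stand-ins, not a real kernel.

```shell
#!/bin/sh
# Added example (not the original poster's script): the same cleanup
# logic as zzz-remove-unsigned-kernel, in a function that reports what
# it did. Argument convention assumed from the answer:
#   $1 = kernel version, $2 = full path of the unsigned image.

# remove_unsigned_image VERSION IMAGE_PATH
# Removes IMAGE_PATH only when the signed copy IMAGE_PATH.efi.signed
# exists as a regular file. Returns 0 if it removed the image and 1 if
# it left it alone, so a caller can tell the two cases apart.
remove_unsigned_image() {
    version=$1
    image=$2
    signed="$image.efi.signed"
    if [ -f "$signed" ] && [ -f "$image" ]; then
        echo "zzz-remove-unsigned-kernel: $version: removing $image (keeping $signed)"
        rm -f -- "$image"
        return 0
    fi
    echo "zzz-remove-unsigned-kernel: $version: no signed image for $image, nothing to do"
    return 1
}

# Hook entry point: when run-parts calls us with the two arguments, do
# the cleanup and always exit 0 so a no-op never fails the kernel install.
if [ "$#" -eq 2 ]; then
    remove_unsigned_image "$1" "$2"
    exit 0
fi

# Demo against a constructed /boot in a temporary directory.
demo_boot=$(mktemp -d)
demo_ver="4.8.0-00-generic"                    # constructed version string
: > "$demo_boot/vmlinuz-$demo_ver"             # stands in for the unsigned image
: > "$demo_boot/vmlinuz-$demo_ver.efi.signed"  # stands in for the signed copy
remove_unsigned_image "$demo_ver" "$demo_boot/vmlinuz-$demo_ver"
ls -1 "$demo_boot"                             # only the .efi.signed file is left
rm -rf "$demo_boot"
```

Two things to keep in mind when installing it as a hook: run-parts ignores files whose names contain anything other than ASCII letters, digits, underscores and hyphens, so keep the dot-free name, and the entry point exits 0 even when there is nothing to remove, because a non-zero status from a postinst.d hook is reported as an error by the package scripts that invoke run-parts.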
Best Answer
I ended up reverting to the default kernel from Ubuntu and it all worked as expected.