Ubuntu – Your kernels are unsigned. This system will fail to boot in a secure boot environment

Thanks for all the help and links. I spent a few hours this weekend and verified the following

Short answers

1. Yes, you can purge all of the linux-signed* packages, but you have to install linux-generic if you want automatic kernel updates to continue functioning properly. All of the grub, kernel, and initramfs re-configuration is handled automatically. The kernel install scripts really handle everything without any issues.

   apt-get purge linux-signed* linux-generic+

2. Yes, you can get rid of the unsigned kernels without any ill effects, but they will keep coming back after kernel updates. This cannot be solved by managing packages, but it is easy to fix with a short script.

   #!/bin/sh
   #
   # user script: 
   /etc/kernel/postinst.d/zzz-remove-unsigned-kernel
   #
   # after a new signed kernel image is installed, this script removes
   # the unsigned image
   #
   if [ -e "$2.efi.signed" ]; then
       echo "/etc/kernel/postinst.d/zzz-remove-unsigned-kernel: removing $2"
       rm "$2";
   fi
   

Longer answers

In the first case, the solution is really simple. It works pretty much as you would assume at first glance. Still I learned some helpful things about the ubuntu package structure for kernels. I wanted to be sure that I understood the side effects or consequences, but I also just like to see how things are built. Just as a side note, I use the generic kernel, but just swap generic for lowlatency or virtual if that is your thing. Also, everything here is based on 16.10 (yakkety). Here is the kernel package hierarchy:

• linux-signed-generic is a meta package, meaning that it doesn't include any code. It just has a list of dependencies, which always contains the complete installation of the newest kernel update. "Complete" means all of the kernel headers, the kernel image, the (detached) image signature, and extra kernel modules for just about every device that ubuntu can support.

• linux-generic is another meta package containing all of the same real packages except for the image signature. The actual kernel image is only contained in the linux-image-x.x.x-yy package. The linux-signed-image-x.x.x-yy package just contains a detached signature, and the build script attaches this sig to /boot/vmlinuz-x.x.x.yy-generic and creates /boot/vmlinuz-x.x.x.yy-generic.efi.signed. The script does not clean up the unsigned image.

• Kernel packages have special scripts in /etc/kernel that modify the default apt autoremove behavior. Normally, removing linux-signed-generic would flag all of the downstream packages for autoremoval, but this doesn't happen for kernel packages until there are two newer builds of the same version.

In the second case (trying to keep the signed kernel image only), there seem to be no consequences to deleting /boot/vmlinuz-x.x.x.yy-generic after the installation is complete. The two kernel images are exactly the same except for the signature, and they share all the same modules and config files. However, as soon as an updated kernel is installed, it will leave behind the unsigned image. Fortunately, there were easy hooks for running a script every time a new kernel is installed. Any scripts in /etc/kernel/postinst.d are executed by run-parts with two arguments $1 is the kernel version and $2 is the full path of the image (i.e. /boot/vmlinuz-x.x.x-yy-generic)

The only minor caveat is that removing the unsigned image has to be done after grub is finished updating grub.cfg. If /boot/vmlinuz-x.x.x-yy-generic.efi.signed exists, grub adds that image to grub.cfg and ignores the unsigned image. However, there must be somewhere in the process that still expects the unsigned image because grub fails to configure properly without it. The script that initiates grub configuration is /etc/kernel/postinst.d/zz-update-grub. I named my script zzz-remove-unsigned-kernel so that run-parts executes it after everything else is finished.

EDIT: I've used this script now with a few kernel build updates, and everything seems to work fine. I am using option 2 above (deleting unsigned kernels). I'm going to mark this as the correct answer.