Creating a custom kernel with a valid signature

I looked up "How to create a custom kernel on the web and it led me to www.kernel.org. Following instructions, I downloaded and configured (with a fair amount of effort), linux-5.10.15. I forgot to add the trailing stuff after the “linux-5.10.15”. To my delight, my configuration eventually worked, and I got to the point of having done a “make install”, and there it was in my boot directory, vmlinuz->linux-5.10.15.

I was trying to figure out grub2 just enough to add a new kernel, and not making any headway. Along comes dnfdragora-updater, which automatically installed a new kernel as well as “my” kernel, linux-5.10.15.

When I tried to kick off my kernel, I got the error message, "invalid signature, can’t run kernel, and back to the grub menu.

My current questions are: How do I remove a kernel from grub2 menu? How do I create a kernel that has a valid signature so it will run? And finally, isn’t there some way to manipulate grub2 so that I can just install a kernel to the list?

I have tried to do my research, but much of the “advice” I run across is very dated, talking about the linux 2.x kernel.

I used to compile kernels, but they didn’t require signatures, and I could use just a few grub commands directly from the grub> prompt to install a new kernel.

I’d appreciate advice, but I know the part about actually configuring and compiling the kernel and modules, it’s the signature and grub2 that have me kerfuffled.

Thank you.

BryGuy

You’re running into the chain of protection which keeps the system from booting malware. On modern UEFI systems, it’s possible for rootkits to deploy themselves into the firmware in ways which make it nearly impossible to detect or remove. Secure boot is a guard against that — but requires everything in the boot chain to be signed.

Docs on this are at UEFI Secure Boot Guide — that’s about 5 years old but I believe is still mostly correct. We also have current docs specifically around signed modules at Working with Kernel Modules :: Fedora Docs.

For production use, it’s absolutely worth figuring out how to do all of that. For playing around, you may just find it easier to disable Secure Boot.