How to upgrade Zorin 16.2 to a newer kernel

In this tutorial we are going to explain how to upgrade the Kernel of Zorin to a newer or latest Kernel.
The reasons for upgrading are not only to be found in the necessity for latest and new drivers, but as well in better battery-management, as well in better processor-management, as well for developers in general.

First we are going to install Ubuntu's Mainline Tool that helps us manage Kernels in a decent and easy to interpret GUI.

sudo add-apt-repository ppa:cappelikan/ppa

sudo apt update

sudo apt install -y mainline

After the installation you'll find Ubuntu Mainline Kernel ...... in your Global Menu of Zorin.
In the Kernels higher than 5.15.xxx there is a global upgrade of the libssl3 package. This package is not installable in Zorin, because Zorin is based on Ubuntu 20.04 and on that point all is running behind of the latest development.
So we are going to drag in the REPO of Ubuntu 22.04 Jammy Jellyfish:

sudo add-apt-repository "deb http://ca.archive.ubuntu.com/ubuntu jammy main"

This will add the REPO of 22.04 into Zorin! After adding it, run a simple

sudo apt update

sudo apt install libssl3

This will install the required pack for the latest kernels higher than 5.15.xxx
Now remove the REPO of Ubuntu 22.04 before you do anything else:

sudo add-apt-repository --remove "deb http://ca.archive.ubuntu.com/ubuntu jammy main"

sudo apt update

reloading the indexes of your Zorin installation.

Now we simply install a newer Kernel. I did the install of version 6.0.9-xxxx, which is the latest stable kernel for Zorin to use.
Open Ubuntu Mainline Tool and search in the field for 6.0.9 kernel and simply click install.
During this install you get a prompt for upgrading some requirements. Click YES; at that point Mainline will install the Kernel as well as some upgrade system packs (THIS WILL NOT BREAK THE SYSTEM AT ALL !!!)
Click close screen when the installer is done.
Reboot, and you are now on Kernel 6.0.9 or the kernel you have installed.

Ubuntu Mainline offers as well an uninstaller of older kernels; if you don't want the remains of 5.15 on the system, just use the tool for easy removal (one by one!)
You'll have Zorin 16.2, Gnome 3.38 shell running on the latest stable kernel.
Better Boot-times is a benefit on the way lol .

2 Likes

A piece of extra advice and a warning:

There is an update for Kernel 6.0.9 , being Kernel 6.0.19 -- that is stable and good : no issues at all with Zorin 16.2

However, the mainline tool will show that Kernel 6.1.15 is also ready for testing and download.
Don't install this Kernel yet. It causes total freezes of Gnome after resume from suspend. I saw there is an issue on 'reloading' the Nouveau-driver when resuming from suspend. Reported of course as a 'bug' by many now.

So keep away for now from the latest Kernel 6.1.xxxxxxx as there seem to be a lot of bugs.
The total freeze requires a Hard Reset ... no KB, no terminal, no ... nothing .....

1 Like

One error in your first post, due to the forum code misinterpreting the text:

sudo add-apt-repository "deb Index of /ubuntu jammy main"

sudo add-apt-repository --remove "deb Index of /ubuntu jammy main"

... isn't showing up correctly. It shows up as:
sudo add-apt-repository "deb Index of /ubuntu 1 jammy main"
sudo add-apt-repository --remove "deb Index of /ubuntu 1 jammy main"
... and that borks /etc/apt/sources.list such that one cannot even do a sudo apt update.

The fix is to manually edit /etc/apt/sources.list to remove the errant entry, then do sudo apt update, then issue the proper commands:

sudo add-apt-repository "deb http://ca.archive.ubuntu.com/ubuntu jammy main"

sudo add-apt-repository --remove "deb http://ca.archive.ubuntu.com/ubuntu jammy main"

I wrapped the text above in preformatted text tags... otherwise the forum code did the same to that text as it did to yours.

I tried 6.0.19... SecureBoot borked it, it said the signature was invalid, so I disabled SecureBoot and tried to boot 6.0.19 again... it stalled mid-boot, just after mounting the last drive (/dev/sdg).

So I rebooted into the current kernel, uninstalled 6.0.19, and installed 6.0.9. It, too, stalled mid-boot, just after mounting the last drive.

[EDIT]
The same thing happens for any kernel later than the current one... apparently it's not loading ZFS.

But I will say, with SecureBoot disabled and libssl3 installed, boot is much snappier on the current kernel.

1 Like
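A check for the failure described in the posts above (a mangled or leftover jammy line in the APT sources), as an added example that is not part of any post in the thread. The helper name `audit_apt_sources` and the sample lines are constructed for illustration; it covers one-line `deb` entries only, not deb822 `.sources` files.

```shell
#!/bin/sh
# Added example: flag mangled or leftover entries in APT one-line source files.
# audit_apt_sources is a hypothetical helper name, not part of apt.
# $1 = release that must no longer be present (jammy here); rest = files.
# Prints one finding per line; returns 1 if anything was found.
audit_apt_sources() {
    leftover=$1; shift
    awk -v rel="$leftover" '
        NF == 0 || $1 ~ /^#/ { next }                # blank lines, comments
        $1 != "deb" && $1 != "deb-src" { next }
        {
            i = 2                                    # skip a "[arch=...]" options group
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            uri = $i; suite = $(i + 1)
            if (uri !~ /^[a-z][a-z0-9+.-]*:/) {
                printf "%s:%d: not a URI: %s\n", FILENAME, FNR, uri; bad++
            } else if (suite == rel || index(suite, rel "-") == 1) {
                printf "%s:%d: leftover suite: %s\n", FILENAME, FNR, suite; bad++
            }
        }
        END { exit (bad ? 1 : 0) }' "$@"
}

# Constructed sample: the base release, a leftover jammy line, and the line
# as the forum software mangled it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb http://archive.ubuntu.com/ubuntu focal main restricted
deb http://ca.archive.ubuntu.com/ubuntu jammy main
deb Index of /ubuntu 1 jammy main
EOF
audit_apt_sources jammy "$sample" || echo "edit the lines above out, then run: sudo apt update"
rm -f "$sample"
```

On an installed system the same function can be pointed at `/etc/apt/sources.list` and the `.list` files under `/etc/apt/sources.list.d/`.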

Edited OP to include markdown backticks, removing the issue of Index of /ubuntu as a link.

1 Like

Well, I got from the Forumbot now a little training on some things. Thank you for correcting the code .

ZFS I had not yet tested ... I figured it would work ootb. Turns out to be indeed a no show. So I tuned up Ubuntu 22.10 to see what happens, but I ran (run ) a little out of time of private small issues.

3 posts were split to a new topic: Issues and results of How to upgrade Zorin 16.2 to a newer kernel

In the upgrades to a latest kernel development is going very fast.
We are at the point that kernel 6.1.12 is now patched AND is a release candidate for LTS .... so a version you can use for a long time.

However Kernel 6.2 is out as well, but STAY AWAY from this version if you have a Broadcom Wifi situation. Reason: the bug makes your hardware as 'unknown' to the system and comments as PCI-bridge error , unknown hardware found.
lspci -k in the Terminal showed, regardless of the error, the Broadcom Wifi-card as ready to use. This was a Kernel bug !!!!!

Newest Kernel 6.2.1 is now up and running smooth and well. No Broadcom errors anymore. No freezes, no problems of any kind.

Note: Kernel 6.2.1 installs with a lot of Nvidia/ firmware - errors and missing links.
This kernel has now ALL Broadcom-drivers onboard: meaning no extra drivers to install, no special requirements for using this Brand in the system.
Of course, this kernel is a lot more than just Broadcom on board, and a big reason for using this version is : a LOT of RUST is used in the coding of kernel-parts.

Hi, I think secure boot is enabled on your computer, and if I remember well, installing kernel through mainline will not sign it. I wrote some script to sign kernel with OS installation generated certificate.
Tomorrow I will search for it and share here.

Hi, so 2 scripts, one to install mainline, one to sign latest kernel for secure boot:

1:

sudo add-apt-repository "deb http://ca.archive.ubuntu.com/ubuntu jammy main"

sudo apt update -y && sudo apt install -y libssl3

sudo add-apt-repository --remove "deb http://ca.archive.ubuntu.com/ubuntu jammy main"

sudo apt update -y

sudo add-apt-repository -y ppa:cappelikan/ppa

sudo apt update -y && sudo apt install -y mainline

2:

#!/bin/bash
# we create alias ll
alias ll='ls -alFh'

# we use OS installation certificate to sign the new kernel for secure boot
MOKPATH=/var/lib/shim-signed/mok
MOKPRIV=$MOKPATH/MOKKERNEL.priv
MOKDER=$MOKPATH/MOKKERNEL.der
MOKPEM=$MOKPATH/MOKKERNEL.pem

# we find the last kernel version and files to sign
LASTKERNEL=$(ls -td /lib/modules/*/ | head -1) && LASTKERNEL=$(echo $LASTKERNEL| cut -d'/' -f 4)
KERNELFILE=/boot/vmlinuz-$LASTKERNEL
INITFILE=/boot/initrd.img-$LASTKERNEL

SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )

cd "$SCRIPT_DIR"

# we create openssl.cnf to sign files
function generation {

    # -f: no error on the first run, when the file does not exist yet
    \rm -f /tmp/openssl.cnf

    tee -a /tmp/openssl.cnf >/dev/null <<'EOF'
# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
RANDFILE                = /var/lib/shim-signed/mok/.rnd 
[ req ]
distinguished_name      = req_distinguished_name
x509_extensions         = v3
string_mask             = utf8only
prompt                  = no

[ req_distinguished_name ]
countryName             = FR
stateOrProvinceName     = PARIS
localityName            = PARIS
0.organizationName      = ZORIN
commonName              = Secure Boot Signing
emailAddress            = no@thankyou.com

[ v3 ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
basicConstraints        = critical,CA:FALSE
extendedKeyUsage        = codeSigning,1.3.6.1.4.1.311.10.3.6
nsComment               = "OpenSSL Generated Certificate"
EOF

     openssl req -config /tmp/openssl.cnf \
        -new -x509 -newkey rsa:2048 \
        -nodes -days 36500 -outform DER \
        -keyout "/var/lib/shim-signed/mok/MOKKERNEL.priv" \
        -out "/var/lib/shim-signed/mok/MOKKERNEL.der"

}


# we sign files and create MOK.pem, because it doesn't exist
FILE=$MOKPRIV
if [ -f "$FILE" ]
then
    echo "$FILE exists."
else 
   sudo bash -c "$(declare -f generation); generation"
fi

FILE=$MOKPEM
if [ -f "$FILE" ]
then
    echo "$FILE exists."
else 
   sudo openssl x509 -in $MOKDER -inform DER -outform PEM -out $MOKPEM
    sudo mokutil --import $MOKDER
fi

sudo sbsign --key $MOKPRIV --cert $MOKPEM $KERNELFILE --output $KERNELFILE.signed

sudo cp $INITFILE $INITFILE.signed

FILE=/tmp/openssl.cnf
if [ -f "$FILE" ]
then
    sudo \rm /tmp/openssl.cnf
fi


sudo update-grub

# report the file sbsign just wrote (listing /boot would also match older signed kernels)
SIGNED=$KERNELFILE.signed

echo "Your signed kernel file is: $SIGNED"
1 Like

Hi, I corrected names because MOK.xxx is installation generated (and from memory it can't sign kernels).

So this corrected script will create your own signing certificate dedicated to kernel signing, don't use it for anything else, it's only meant to sign kernels...

For now everything is OK, you can keep secure boot enabled (security in mind) and sign your fresh kernel.

Mokutil is the tool which will load your cert in your bios, and it will ask for a password, use some easy one like ertyerty which is not dependent on your keyboard layout azerty/qwerty...

Then reboot, bios will load blue screen mok manager, select enroll key, type your password you entered in my script, and tada, you can boot your kernel.signed


To the mainline dev, you can use my script, I don't care.
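
Checks to run after the signing script in the post above, as an added example that is not the poster's code. It assumes the `MOKKERNEL.*` paths from that script and that `sbverify` (from sbsigntool, the package that ships `sbsign`) and `mokutil` are installed; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: verify the result of the signing script.
MOKPATH=${MOKPATH:-/var/lib/shim-signed/mok}   # directory used by the script above

# Succeeds only if $1 is a regular file owned by uid $2 (default 0, root)
# with no permission bits for group or others (for example mode 600 or 400).
# Returns 2 if the file is missing, 1 if owner or mode is wrong.
key_is_private() {
    [ -f "$1" ] || return 2
    owner=$(stat -c %u "$1")
    mode=$(stat -c %a "$1")
    [ "$owner" = "${2:-0}" ] || return 1
    case "$mode" in
        *00|0) return 0 ;;
        *)     return 1 ;;
    esac
}

# Verifies the signed image against the MOKKERNEL certificate, then prints
# what the firmware knows about the key. Run as root to read the key directory.
check_signed_kernel() {
    image=$1
    key_is_private "$MOKPATH/MOKKERNEL.priv" || {
        echo "private key missing, not root-owned, or accessible to others" >&2
        return 1
    }
    sbverify --cert "$MOKPATH/MOKKERNEL.pem" "$image" || return 1
    mokutil --test-key "$MOKPATH/MOKKERNEL.der"   # prints whether the cert is enrolled
    mokutil --sb-state                            # prints whether Secure Boot is enabled
}

# Runs only when an image path is given, for example:
#   sudo sh check-signed.sh /boot/vmlinuz-<version>.signed
if [ "$#" -gt 0 ]; then
    check_signed_kernel "$1"
fi
```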

While the devs may appreciate a way to faux-sign their ISOs, wouldn't it be easier for a user just to disable secure boot?

Wouldn't users have to inject this into the iso for secure boot not to scream?

This helps installed kernels, but it is recommended that newer kernels only be used when hardware requires. Upgrading beyond the recommended and offered kernels is a recipe for issues. While this tutorial is very well defined, the error prone human element can not be removed. Some will find themselves in Ubuntu, while others may crash their systems. Having them attempt to self-sign the kernels as well could have disastrous results.

Are all of the kernels coming from Paris then? Does this script need to be adjusted for locale? How does this benefit the user when a simple solution and the Zorin recommendation is to disable secure boot until the installation is complete?

Hi, in my case, I have the famous essx8336 sound chip, and I need a newer kernel.
So with my script I can update my kernel and sign it for secure boot.
With last linux mint iso and my fresh bios update (thanks to dell), I can't boot, even by manually adding keys to secure boot. Cert problem. So I disable secure boot, install, boot new os, update kernel from official updates (no mainline), resign the kernel and enable secure boot, no issue.

1 Like

When I read all your work, I confess that I am more a noob compared to this expertise and great work. Schooling just might be the answer for me, when I see what a Pro all can do. Really congratulations on this script, I never saw that kind of quality in my life before. It makes me even happy that the learning curve goes much more further.
Are there any, if any, books you would recommend for an experienced noob like me ?
You really blew me out of the water with this ...... 'job'- script.
If I understand a little bit of it, then 90% of the script I don't even understand at all.
Linux and Facebook does not learn much .... I understand now.
Congratulations on this fine piece of work !
--- Joris

1 Like