Signing custom compiled kernel for Secure Boot
I ended up with
- building my own kernel with
make bindep-pkg
from vanilla TGZ from https://kernel.org - booting it with kexec
So no signing is needed: UEFI boots officially signed Ubuntu kernel, then my custom kernel is loaded from Linux userspace as cron @reboot
task.
The steps given here actually worked.