Difference between vmlinuz *-generic and *-generic.efi.signed
The kernel with a filename ending with .efi.signed
is signed by Canonical for use with Secure Boot. Most computers have firmware that does not trust Canonical's signature, though; it's only with the help of the Shim program (the shimx64.efi
binary on the ESP) that the signed kernel is trusted.
To elaborate a bit, the loading path for signed components of Ubuntu with Secure Boot enabled looks like this:
EFI -> Shim -> GRUB 2 -> Kernel -> Kernel modules
- The EFI trusts Shim because it's been signed by Microsoft, whose keys are embedded in the firmware.
- Shim patches the EFI's Secure Boot subsystem and includes Canonical's public key. Shim trusts GRUB 2 because it's been signed with Canonical's private key.
- GRUB 2 calls on the EFI's Secure Boot system (now patched by Shim) to verify the kernel, which is also signed with Canonical's private key.
- The kernel verifies that kernel modules are signed by Canonical's private key or some other key in the Secure Boot chain.
Prior to, IIRC, Ubuntu 15.10, Ubuntu's GRUB 2 did not enforce Secure Boot policy on the kernel, and the kernel did not enforce Secure Boot policy on kernel modules. That's been tightened recently, though. AFAIK, there are no plans to require ordinary system binaries to be signed.
I don't know offhand why there's an unsigned kernel file in Ubuntu. The signed file works fine even on systems that don't support Secure Boot (including pure-BIOS computers). Thus, the unsigned file is rather redundant, AFAIK.
Note that each of the components from Shim onward can be obtained in unsigned form, or their signatures stripped away. If you build Shim yourself, you can replace Canonical's public key with your own, or with any other public key you like. (Most major distributions have their own Shim binaries with their own keys embedded within.) Building Shim from source would be pointless unless you get Microsoft to sign it, which would cost $100 and take a lot of effort. If you need to sign things yourself, adding your key as a Machine Owner Key (MOK) is easier than rebuilding Shim and getting it signed by Microsoft. You can also tweak the key sets supported directly by the EFI, which can obviate the need for Shim. Thus, there's a lot you can change about how all these pieces fit together. See my main page on Secure Boot and my page on taking total control of Secure Boot for more details on how to manage Secure Boot.
The signed version is for UEFI secure boot. It has been signed using asymmetrical encryption. Meaning that the key to decrypt it is different than the one used to encrypt it. The bios only has a public key and can verify if the signature is correct (has not been tampered with). The private key to create such a signature is secret and therefor you can not create it yourself. That is why the bios trusts it and allows it to start.
For more info: https://wiki.ubuntu.com/SecurityTeam/SecureBoot