docs: Tier-1 Ubuntu (noble) support #9

Merged
zach merged 2 commits from feat/ubuntu-tier1 into main 2026-06-06 05:36:39 +00:00

Tier-1 Ubuntu (noble) support: the kernel binary is distro-agnostic for a given arch, and the project signing cert is a plain code-signing cert with no "module-signing only" OID, so the same trixie-built .debs install and boot on Ubuntu 24.04. We publish the same build to a noble apt suite rather than maintaining a separate Ubuntu build.

Changes (docs-only)

  • docs/users/install-ubuntu.md (new): the Ubuntu apt source (the noble suite under the same /debian registry path), install, MOK pointer, and the Debian differences (suite name; DKMS).
  • docs/users/secure-boot.md: the MOK flow is identical on Ubuntu, and Ubuntu's shim (≥15.4) accepts our OID-free cert for boot (the OID is how it refuses DKMS-only keys); generalized the "bad shim signature" troubleshooting wording.
  • docs/operators/per-distro-build.md: a Tier-1 recipe (dispatch publish.yml with distribution=noble; the registry creates the suite on first upload) + the boot-test prerequisite. Also fixed two stale lines (single job container; the seed may lag the kernel version, with the drift guard covering inherited symbols).
  • docs/users/install.md: points Ubuntu users to install-ubuntu.md.

Operator actions to actually ship Ubuntu

  1. Dispatch publish.yml for a release with distribution=noble (mirrors the same .debs to the noble suite).
  2. Boot-test on real noble hardware with Secure Boot enabled before announcing — the analysis says it works, but it hasn't been validated on Ubuntu the way it has on Debian.

Tier 2 (a distinct Ubuntu build-matrix entry with distro-matched build-deps and a separate provenance manifest) is documented as the follow-on; the kernel binary is identical either way.

🤖 Generated with Claude Code

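The description's claim rests on the signing cert carrying no "module-signing only" EKU, which is the extension shim checks before refusing a key for boot. The following is an added check, not code from the PR or the project: a POSIX shell helper that inspects a certificate's Extended Key Usage for that OID (1.3.6.1.4.1.2312.16.1.2, the Linux kernel module-signing EKU shim tests for) so an operator can confirm the cert is boot-acceptable before enrolling it in MOK on noble. It assumes OpenSSL 1.1.1 or later and builds two throwaway self-signed certs as constructed fixtures.

```shell
#!/bin/sh
# Added example, not part of the PR or the project. Pre-flight check for a
# signing cert before MOK enrollment: shim rejects any cert whose EKU list
# contains the Linux module-signing OID, so such a cert signs DKMS modules
# but will never boot a kernel image. Requires OpenSSL >= 1.1.1 (-ext/-addext).
MODSIGN_ONLY_OID="1.3.6.1.4.1.2312.16.1.2"

# Returns 0 when shim would accept the cert for boot (no module-signing EKU),
# 1 when the module-signing-only EKU is present, 2 when the file is unreadable.
cert_ok_for_boot() {
    eku=$(openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null) || return 2
    case "$eku" in
        *"$MODSIGN_ONLY_OID"*) return 1 ;;
    esac
    return 0
}

# Constructed fixtures: a plain code-signing cert (what this project ships)
# and a DKMS-style cert that additionally carries the module-signing-only EKU.
make_fixtures() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=plain code-signing" \
        -keyout "$dir/plain.key" -out "$dir/plain.pem" \
        -addext "extendedKeyUsage=codeSigning" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=dkms module-only" \
        -keyout "$dir/dkms.key" -out "$dir/dkms.pem" \
        -addext "extendedKeyUsage=codeSigning,$MODSIGN_ONLY_OID" >/dev/null 2>&1
    echo "$dir"
}

# Usage on a real cert: cert_ok_for_boot /path/to/project-signing.pem; echo $?
```

A return code of 1 on the cert you intend to enroll means the "bad shim signature" failure will reproduce on noble regardless of the apt suite, so fix the cert before boot-testing.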
docs(ubuntu): Tier-1 Ubuntu (noble) support — same packages, new suite
All checks were successful
validate / shellcheck (pull_request) Successful in 13s
validate / yamllint (pull_request) Successful in 13s
validate / pycompile (pull_request) Successful in 4s
validate / intent-matches-policy (pull_request) Successful in 4s
validate / no-placeholder-digests (pull_request) Has been skipped
c0881963eb
The kernel binary is distro-agnostic for a given arch, and the signing
cert is a plain code-signing cert with no "module-signing only" OID, so the
trixie-built .debs install and boot on Ubuntu 24.04 (noble). Ubuntu support
is Tier 1: publish the same build to a `noble` apt suite (the publish
tooling already takes --distribution), no second build or container.

- docs/users/install-ubuntu.md (new): Ubuntu apt source (the noble suite
  under the same /debian path), install, MOK pointer, Debian differences.
- docs/users/secure-boot.md: note the MOK flow is identical on Ubuntu and
  that Ubuntu's shim accepts our OID-free cert for boot; generalize the
  "bad shim signature" troubleshooting wording (the pure-MOK error differs).
- docs/operators/per-distro-build.md: add the Tier-1 recipe (dispatch
  publish.yml with distribution=noble; boot-test prerequisite) and fix two
  stale lines (single job container; the seed may lag the kernel version,
  with the drift guard covering inherited symbols).
- docs/users/install.md: point Ubuntu users to install-ubuntu.md.

Docs-only. Operator actions to actually ship Ubuntu: dispatch publish.yml
with distribution=noble for a release, and boot-test on real noble hardware
with Secure Boot enabled before announcing.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Merge branch 'main' into feat/ubuntu-tier1
All checks were successful
validate / shellcheck (pull_request) Successful in 15s
validate / yamllint (pull_request) Successful in 12s
validate / pycompile (pull_request) Successful in 4s
validate / intent-matches-policy (pull_request) Successful in 4s
validate / no-placeholder-digests (pull_request) Has been skipped
5bf7df0271
zach merged commit 3e084f08f7 into main 2026-06-06 05:36:39 +00:00
zach deleted branch feat/ubuntu-tier1 2026-06-06 05:36:46 +00:00
Reference
unredacted/linux-hardened-unredacted!9