Do not sign the kernel

Malicious boot loader specification entries could be used to make a
signed kernel load arbitrary unprotected initrds. Since we do not want
this, do not sign the kernel. This way, the only things allowed to boot
are our UKI stubs, which do verify the initrd.

rust/tool/src/install.rs

@@ -157,8 +157,8 @@ impl Installer {
             append_initrd_secrets(initrd_secrets_script, &initrd_location)?;
         }
 
-        // The initrd doesn't need to be signed. The stub has its hash embedded and will refuse
+        // The initrd and kernel don't need to be signed.
-        // loading it when the hash mismatches.
+        // The stub has their hashes embedded and will refuse loading on hash mismatches.
         //
         // The initrd and kernel are not forcibly installed because they are not built
         // reproducibly. Forcibly installing (i.e. overwriting) them is likely to break older
@@ -166,7 +166,9 @@ impl Installer {
         // will not match anymore.
         install(&initrd_location, &esp_gen_paths.initrd)
             .context("Failed to install initrd to ESP")?;
-        install_signed(&self.key_pair, &bootspec.kernel, &esp_gen_paths.kernel)
+        // Do not sign the kernel.
+        // Boot loader specification could be used to make a signed kernel load an unprotected initrd.
+        install(&bootspec.kernel, &esp_gen_paths.kernel)
             .context("Failed to install kernel to ESP.")?;
 
         let lanzaboote_image = pe::lanzaboote_image(