mirror of
https://pagure.io/fedora-docs/quick-docs.git
synced 2024-11-24 13:32:42 +00:00
custom kernel: Add documentation for building a kernel signed with the user's Machine Owner Key
The Machine Owner Key allows a user to build a custom kernel that is bootable using secure boot.
parent
ea0dcd8155
commit
7bb68b84a2
1 changed files with 44 additions and 0 deletions
@ -44,6 +44,8 @@ If you want to use `make xconfig`, you'll need some additional packages:
sudo dnf install qt3-devel libXi-devel gcc-c++
----

=== Secure boot

Make sure you add the user doing the build to `/etc/pesign/users` and run the
authorize user script:

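Review bot: the new "Secure boot" section tells the reader to add the build user to `/etc/pesign/users` but never says what that grants. `pesign-authorize` opens the pesign certificate database under `/etc/pki/pesign` to every account listed in that file, and after the steps that follow that database holds the MOK private key, so every listed user can sign kernels the firmware will trust. A one-line caveat that only accounts that should be able to sign kernels belong in `/etc/pesign/users` would make the security consequence of this step clear.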
@ -52,6 +54,48 @@ authorize user script:
sudo /usr/libexec/pesign/pesign-authorize
----

Create a new Machine Owner Key (MOK) to import to UEFI:

[source,bash]
----
openssl req -new -x509 -newkey rsa:2048 -keyout "key.pem" \
-outform DER -out "cert.der" -nodes -days 36500 \
-subj "/CN=<your name>/"
----

Import the new certificate into your UEFI database:

NOTE: You will be asked to authorize the import at next boot.

[source,bash]
----
mokutil --import "cert.der"
----

Create a PKCS #12 key file:

[source,bash]
----
openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der
----

You can then import the certificate and key into the nss database:

[source,bash]
----
certutil -A -i cert.der -n "<MOK certificate nickname>" -d /etc/pki/pesign/ -t "Pu,Pu,Pu"
pk12util -i key.p12 -d /etc/pki/pesign
----

Once the certificate and key are imported into your nss database, you can build the kernel
with the selected key by adding `%define pe_signing_cert <MOK certificate nickname>` to the
kernel.spec file or calling rpmbuild directly with the
`--define "pe_signing_cert <MOK certificate nickname>"` flag.

NOTE: While https://bugzilla.redhat.com/show_bug.cgi?id=1651020[bugzilla bug #1651020] is open
you might need to edit the line that starts with `+%pesign+` in the kernel spec file and substitute
it with `+pesign -c %{pe_signing_cert} --certdir /etc/pki/pesign/ -s -i $KernelImage -o vmlinuz.signed+`.

It's also recommended that you install `ccache`, which can help speed up
rebuilds:

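Review bot: the `openssl req` command writes the MOK private key unencrypted (`-nodes`) to `key.pem`, and the `openssl pkcs12 -export` step copies it into `key.p12`, but the text never says what to do with those two files once `pk12util` has imported the key. Because the firmware will trust any kernel signed with this key, the section should tell the reader to keep `key.pem` and `key.p12` out of the build tree and off shared locations, or remove them after the import, instead of leaving them beside the sources. Smaller point: `mokutil --import "cert.der"` writes an EFI variable and needs root, so it should carry `sudo` like the other commands in this section.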