mirror of
https://pagure.io/fedora-docs/quick-docs.git
synced 2024-11-28 14:56:35 +00:00
custom kernel: Add documentation for building a kernel signed with the user's Machine Owner Key
The Machine Owner Key allows a user to build a custom kernel that is bootable using secure boot.
parent ea0dcd8155
commit 7bb68b84a2
1 changed file with 44 additions and 0 deletions
@ -44,6 +44,8 @@ If you want to use `make xconfig`, you'll need some additional packages:
sudo dnf install qt3-devel libXi-devel gcc-c++
----
=== Secure boot
Make sure you add the user doing the build to `/etc/pesign/users` and run the
authorize user script:
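Review bot: the new `=== Secure boot` heading lands directly before the existing `Make sure you add the user doing the build to /etc/pesign/users` paragraph, so the pesign authorization step now opens the section with no explanation of why it is needed. A one-sentence lead-in under the heading, stating that with Secure Boot enabled a custom kernel only boots if it is signed with a key the firmware trusts (the Machine Owner Key the commit message describes), would orient readers before the pesign step.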
@ -52,6 +54,48 @@ authorize user script:
sudo /usr/libexec/pesign/pesign-authorize
----
Create a new Machine Owner Key (MOK) to import to UEFI:
[source,bash]
----
openssl req -new -x509 -newkey rsa:2048 -keyout "key.pem" \
-outform DER -out "cert.der" -nodes -days 36500 \
-subj "/CN=<your name>/"
----
Import the new certificate into your UEFI database:
NOTE: You will be asked to authorize the import at next boot.
[source,bash]
----
mokutil --import "cert.der"
----
Create a PKCS #12 key file:
[source,bash]
----
openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der
----
You can then import the certificate and key into the nss database:
[source,bash]
----
certutil -A -i cert.der -n "<MOK certificate nickname>" -d /etc/pki/pesign/ -t "Pu,Pu,Pu"
pk12util -i key.p12 -d /etc/pki/pesign
----
Once the certificate and key are imported into your nss database, you can build the kernel
with the selected key by adding `%define pe_signing_cert <MOK certificate nickname>` to the
kernel.spec file or calling rpmbuild directly with the
`--define "pe_signing_cert <MOK certificate nickname>"` flag.
NOTE: While https://bugzilla.redhat.com/show_bug.cgi?id=1651020[bugzilla bug #1651020] is open
you might need to edit the line that starts with `+%pesign+` in the kernel spec file and substitute
it with `+pesign -c %{pe_signing_cert} --certdir /etc/pki/pesign/ -s -i $KernelImage -o vmlinuz.signed+`.
It's also recommended that you install `ccache`, which can help speed up
rebuilds:
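Review bot: the PKCS #12 step does not work as written: `openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der` reads the `-in` certificate as PEM, but the preceding `openssl req` line writes `cert.der` with `-outform DER` (the DER form is the right one for `mokutil --import` and `certutil -A`, so keep it for those). Either add a conversion before this step, for example `openssl x509 -inform DER -in cert.der -out cert.pem`, and pass `-in cert.pem`, or drop `-outform DER` from the `openssl req` line and convert to DER for the two import commands. Two further points for the text around these commands: `-nodes` leaves `key.pem` unencrypted and `-days 36500` makes the certificate valid for a century, and once the certificate is enrolled through `mokutil` that key signs anything the firmware will boot on this machine, so the page should tell readers to keep `key.pem` and `key.p12` outside the build tree with restrictive permissions rather than leaving them in the working directory; and `certutil -A ... -d /etc/pki/pesign/` and `pk12util -i key.p12 -d /etc/pki/pesign` modify a root-owned NSS database, so they need `sudo` like the `pesign-authorize` line above them.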