|
@@ -1,109 +0,0 @@
|
|
|
-# Signing a custom kernel for Secure Boot
|
|
|
-
|
|
|
-Instructions are for ubuntu, but should work similar for other distros, if they are using shim
|
|
|
-and grub as bootloader. If your distro is not using shim (e.g. Linux Foundation Preloader), there
|
|
|
-should be similar steps to complete the signing (e.g. HashTool instead of MokUtil for LF Preloader)
|
|
|
-or you can install shim to use instead. The ubuntu package for shim is called `shim-signed`, but
|
|
|
-please inform yourself on how to install it correctly, so you do not mess up your bootloader.
|
|
|
-
|
|
|
-Since the most recent GRUB2 update (2.02+dfsg1-5ubuntu1) in Ubuntu, GRUB2 does not load unsigned
|
|
|
-kernels anymore, as long as Secure Boot is enabled. Users of Ubuntu 18.04 will be notified during
|
|
|
-upgrade of the grub-efi package, that this kernel is not signed and the upgrade will abort.
|
|
|
-
|
|
|
-Thus you have three options to solve this problem:
|
|
|
-
|
|
|
-1. You sign the kernel yourself.
|
|
|
-2. You use a signed, generic kernel of your distro.
|
|
|
-3. You disable Secure Boot.
|
|
|
-
|
|
|
-Since option two and three are not really viable, these are the steps to sign the kernel yourself.
|
|
|
-
|
|
|
-Instructions adapted from [the Ubuntu Blog](https://blog.ubuntu.com/2017/08/11/how-to-sign-things-for-secure-boot).
|
|
|
-Before following, please backup your /boot/EFI directory, so you can restore everything. Follow
|
|
|
-these steps on your own risk.
|
|
|
-
|
|
|
-1. Create the config to create the signing key, save as mokconfig.cnf:
|
|
|
-```
|
|
|
-# This definition stops the following lines failing if HOME isn't
|
|
|
-# defined.
|
|
|
-HOME = .
|
|
|
-RANDFILE = $ENV::HOME/.rnd
|
|
|
-[ req ]
|
|
|
-distinguished_name = req_distinguished_name
|
|
|
-x509_extensions = v3
|
|
|
-string_mask = utf8only
|
|
|
-prompt = no
|
|
|
-
|
|
|
-[ req_distinguished_name ]
|
|
|
-countryName = <YOURcountrycode>
|
|
|
-stateOrProvinceName = <YOURstate>
|
|
|
-localityName = <YOURcity>
|
|
|
-0.organizationName = <YOURorganization>
|
|
|
-commonName = Secure Boot Signing Key
|
|
|
-emailAddress = <YOURemail>
|
|
|
-
|
|
|
-[ v3 ]
|
|
|
-subjectKeyIdentifier = hash
|
|
|
-authorityKeyIdentifier = keyid:always,issuer
|
|
|
-basicConstraints = critical,CA:FALSE
|
|
|
-extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6
|
|
|
-nsComment = "OpenSSL Generated Certificate"
|
|
|
-```
|
|
|
-Adjust all parts with <YOUR*> to your details.
|
|
|
-
|
|
|
-2. Create the public and private key for signing the kernel:
|
|
|
-```
|
|
|
-openssl req -config ./mokconfig.cnf \
|
|
|
- -new -x509 -newkey rsa:2048 \
|
|
|
- -nodes -days 36500 -outform DER \
|
|
|
- -keyout "MOK.priv" \
|
|
|
- -out "MOK.der"
|
|
|
-```
|
|
|
-
|
|
|
-3. Convert the key also to PEM format (mokutil needs DER, sbsign needs PEM):
|
|
|
-```
|
|
|
-openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
|
|
|
-```
|
|
|
-
|
|
|
-4. Enroll the key to your shim installation:
|
|
|
-```
|
|
|
-sudo mokutil --import MOK.der
|
|
|
-```
|
|
|
-You will be asked for a password, you will just use it to confirm your key selection in the
|
|
|
-next step, so choose any.
|
|
|
-
|
|
|
-5. Restart your system. You will encounter a blue screen of a tool called MOKManager.
|
|
|
-Select "Enroll MOK" and then "View key". Make sure it is your key you created in step 2.
|
|
|
-Afterwards continue the process and you must enter the password which you provided in
|
|
|
-step 4. Continue with booting your system.
|
|
|
-
|
|
|
-6. Verify your key is enrolled via:
|
|
|
-```
|
|
|
-sudo mokutil --list-enrolled
|
|
|
-```
|
|
|
-
|
|
|
-7. Sign your installed kernel (it should be at /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface):
|
|
|
-```
|
|
|
-sudo sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface --output /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface.signed
|
|
|
-```
|
|
|
-
|
|
|
-8. Copy the initram of the unsigned kernel, so we also have an initram for the signed one.
|
|
|
-```
|
|
|
-sudo cp /boot/initrd.img-[KERNEL-VERSION]-surface-linux-surface{,.signed}
|
|
|
-```
|
|
|
-
|
|
|
-9. Update your grub-config
|
|
|
-```
|
|
|
-sudo update-grub
|
|
|
-```
|
|
|
-
|
|
|
-10. Reboot your system and select the signed kernel. If booting works, you can remove the unsigned kernel:
|
|
|
-```
|
|
|
-sudo mv /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface{.signed,}
|
|
|
-sudo mv /boot/initrd.img-[KERNEL-VERSION]-surface-linux-surface{.signed,}
|
|
|
-sudo update-grub
|
|
|
-```
|
|
|
-
|
|
|
-Now your system should run under a signed kernel and upgrading GRUB2 works again. If you want
|
|
|
-to upgrade the custom kernel, you can sign the new version easily by following above steps
|
|
|
-again from step seven on. Thus BACKUP the MOK-keys (MOK.der, MOK.pem, MOK.priv).
|