há 5 anos atrás · 1d7d649d59
--- a/SIGNING.md
+++ b/SIGNING.md
@@ -1,109 +0,0 @@
 
				-# Signing a custom kernel for Secure Boot
			
 
				-
			
 
				-Instructions are for ubuntu, but should work similar for other distros, if they are using shim
			
 
				-and grub as bootloader. If your distro is not using shim (e.g. Linux Foundation Preloader), there
			
 
				-should be similar steps to complete the signing (e.g. HashTool instead of MokUtil for LF Preloader)
			
 
				-or you can install shim to use instead. The ubuntu package for shim is called `shim-signed`, but
			
 
				-please inform yourself on how to install it correctly, so you do not mess up your bootloader.
			
 
				-
			
 
				-Since the most recent GRUB2 update (2.02+dfsg1-5ubuntu1) in Ubuntu, GRUB2 does not load unsigned
			
 
				-kernels anymore, as long as Secure Boot is enabled. Users of Ubuntu 18.04 will be notified during
			
 
				-upgrade of the grub-efi package, that this kernel is not signed and the upgrade will abort.
			
 
				-
			
 
				-Thus you have three options to solve this problem:
			
 
				-
			
 
				-1. You sign the kernel yourself.
			
 
				-2. You use a signed, generic kernel of your distro.
			
 
				-3. You disable Secure Boot.
			
 
				-
			
 
				-Since option two and three are not really viable, these are the steps to sign the kernel yourself.
			
 
				-
			
 
				-Instructions adapted from [the Ubuntu Blog](https://blog.ubuntu.com/2017/08/11/how-to-sign-things-for-secure-boot).
			
 
				-Before following, please backup your /boot/EFI directory, so you can restore everything. Follow
			
 
				-these steps on your own risk.
			
 
				-
			
 
				-1. Create the config to create the signing key, save as mokconfig.cnf:
			
 
				-```
			
 
				-# This definition stops the following lines failing if HOME isn't
			
 
				-# defined.
			
 
				-HOME                    = .
			
 
				-RANDFILE                = $ENV::HOME/.rnd 
			
 
				-[ req ]
			
 
				-distinguished_name      = req_distinguished_name
			
 
				-x509_extensions         = v3
			
 
				-string_mask             = utf8only
			
 
				-prompt                  = no
			
 
				-
			
 
				-[ req_distinguished_name ]
			
 
				-countryName             = <YOURcountrycode>
			
 
				-stateOrProvinceName     = <YOURstate>
			
 
				-localityName            = <YOURcity>
			
 
				-0.organizationName      = <YOURorganization>
			
 
				-commonName              = Secure Boot Signing Key
			
 
				-emailAddress            = <YOURemail>
			
 
				-
			
 
				-[ v3 ]
			
 
				-subjectKeyIdentifier    = hash
			
 
				-authorityKeyIdentifier  = keyid:always,issuer
			
 
				-basicConstraints        = critical,CA:FALSE
			
 
				-extendedKeyUsage        = codeSigning,1.3.6.1.4.1.311.10.3.6
			
 
				-nsComment               = "OpenSSL Generated Certificate"
			
 
				-```
			
 
				-Adjust all parts with <YOUR*> to your details.
			
 
				-
			
 
				-2. Create the public and private key for signing the kernel:
			
 
				-```
			
 
				-openssl req -config ./mokconfig.cnf \
			
 
				-        -new -x509 -newkey rsa:2048 \
			
 
				-        -nodes -days 36500 -outform DER \
			
 
				-        -keyout "MOK.priv" \
			
 
				-        -out "MOK.der"
			
 
				-```
			
 
				-
			
 
				-3. Convert the key also to PEM format (mokutil needs DER, sbsign needs PEM):
			
 
				-```
			
 
				-openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
			
 
				-```
			
 
				-
			
 
				-4. Enroll the key to your shim installation:
			
 
				-```
			
 
				-sudo mokutil --import MOK.der
			
 
				-```
			
 
				-You will be asked for a password, you will just use it to confirm your key selection in the
			
 
				-next step, so choose any.
			
 
				-
			
 
				-5. Restart your system. You will encounter a blue screen of a tool called MOKManager.
			
 
				-Select "Enroll MOK" and then "View key". Make sure it is your key you created in step 2.
			
 
				-Afterwards continue the process and you must enter the password which you provided in
			
 
				-step 4. Continue with booting your system.
			
 
				-
			
 
				-6. Verify your key is enrolled via:
			
 
				-```
			
 
				-sudo mokutil --list-enrolled
			
 
				-```
			
 
				-
			
 
				-7. Sign your installed kernel (it should be at /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface):
			
 
				-```
			
 
				-sudo sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface --output /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface.signed
			
 
				-```
			
 
				-
			
 
				-8. Copy the initram of the unsigned kernel, so we also have an initram for the signed one.
			
 
				-```
			
 
				-sudo cp /boot/initrd.img-[KERNEL-VERSION]-surface-linux-surface{,.signed}
			
 
				-```
			
 
				-
			
 
				-9. Update your grub-config
			
 
				-```
			
 
				-sudo update-grub
			
 
				-```
			
 
				-
			
 
				-10. Reboot your system and select the signed kernel. If booting works, you can remove the unsigned kernel:
			
 
				-```
			
 
				-sudo mv /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface{.signed,}
			
 
				-sudo mv /boot/initrd.img-[KERNEL-VERSION]-surface-linux-surface{.signed,}
			
 
				-sudo update-grub
			
 
				-```
			
 
				-
			
 
				-Now your system should run under a signed kernel and upgrading GRUB2 works again. If you want
			
 
				-to upgrade the custom kernel, you can sign the new version easily by following above steps
			
 
				-again from step seven on. Thus BACKUP the MOK-keys (MOK.der, MOK.pem, MOK.priv).