From 1d7d649d59983a20c8ff6b4c8706d3655e7887a3 Mon Sep 17 00:00:00 2001 From: Maximilian Luz Date: Mon, 2 Dec 2019 22:20:10 +0100 Subject: [PATCH] Remove SIGNING.md in favor of wiki entry --- SIGNING.md | 109 ----------------------------------------------------- 1 file changed, 109 deletions(-) delete mode 100644 SIGNING.md diff --git a/SIGNING.md b/SIGNING.md deleted file mode 100644 index 1dbe77ee4..000000000 --- a/SIGNING.md +++ /dev/null 
@@ -1,109 +0,0 @@ -# Signing a custom kernel for Secure Boot - -Instructions are for ubuntu, but should work similar for other distros, if they are using shim -and grub as bootloader. If your distro is not using shim (e.g. Linux Foundation Preloader), there -should be similar steps to complete the signing (e.g. HashTool instead of MokUtil for LF Preloader) -or you can install shim to use instead. The ubuntu package for shim is called `shim-signed`, but -please inform yourself on how to install it correctly, so you do not mess up your bootloader. - -Since the most recent GRUB2 update (2.02+dfsg1-5ubuntu1) in Ubuntu, GRUB2 does not load unsigned -kernels anymore, as long as Secure Boot is enabled. Users of Ubuntu 18.04 will be notified during -upgrade of the grub-efi package, that this kernel is not signed and the upgrade will abort. - -Thus you have three options to solve this problem: - -1. You sign the kernel yourself. -2. You use a signed, generic kernel of your distro. -3. You disable Secure Boot. - -Since option two and three are not really viable, these are the steps to sign the kernel yourself. - -Instructions adapted from [the Ubuntu Blog](https://blog.ubuntu.com/2017/08/11/how-to-sign-things-for-secure-boot). -Before following, please backup your /boot/EFI directory, so you can restore everything. Follow -these steps on your own risk. - -1. Create the config to create the signing key, save as mokconfig.cnf: -``` -# This definition stops the following lines failing if HOME isn't -# defined. -HOME = . 
-RANDFILE = $ENV::HOME/.rnd -[ req ] -distinguished_name = req_distinguished_name -x509_extensions = v3 -string_mask = utf8only -prompt = no - -[ req_distinguished_name ] -countryName = -stateOrProvinceName = -localityName = -0.organizationName = -commonName = Secure Boot Signing Key -emailAddress = - -[ v3 ] -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always,issuer -basicConstraints = critical,CA:FALSE -extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6 -nsComment = "OpenSSL Generated Certificate" -``` -Adjust all parts with to your details. - -2. Create the public and private key for signing the kernel: -``` -openssl req -config ./mokconfig.cnf \ - -new -x509 -newkey rsa:2048 \ - -nodes -days 36500 -outform DER \ - -keyout "MOK.priv" \ - -out "MOK.der" -``` - -3. Convert the key also to PEM format (mokutil needs DER, sbsign needs PEM): -``` -openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem -``` - -4. Enroll the key to your shim installation: -``` -sudo mokutil --import MOK.der -``` -You will be asked for a password, you will just use it to confirm your key selection in the -next step, so choose any. - -5. Restart your system. You will encounter a blue screen of a tool called MOKManager. -Select "Enroll MOK" and then "View key". Make sure it is your key you created in step 2. -Afterwards continue the process and you must enter the password which you provided in -step 4. Continue with booting your system. - -6. Verify your key is enrolled via: -``` -sudo mokutil --list-enrolled -``` - -7. Sign your installed kernel (it should be at /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface): -``` -sudo sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface --output /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface.signed -``` - -8. Copy the initram of the unsigned kernel, so we also have an initram for the signed one. 
-``` -sudo cp /boot/initrd.img-[KERNEL-VERSION]-surface-linux-surface{,.signed} -``` - -9. Update your grub-config -``` -sudo update-grub -``` - -10. Reboot your system and select the signed kernel. If booting works, you can remove the unsigned kernel: -``` -sudo mv /boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface{.signed,} -sudo mv /boot/initrd.img-[KERNEL-VERSION]-surface-linux-surface{.signed,} -sudo update-grub -``` - -Now your system should run under a signed kernel and upgrading GRUB2 works again. If you want -to upgrade the custom kernel, you can sign the new version easily by following above steps -again from step seven on. Thus BACKUP the MOK-keys (MOK.der, MOK.pem, MOK.priv).
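Review bot: the commit message says SIGNING.md is removed "in favor of wiki entry", but neither the message nor the diff names the wiki page, and after this deletion nothing in the repository points readers to it; suggest putting the link in the commit message body (e.g. `Signing instructions moved to: <wiki URL>`) or leaving a one-line stub in README, so users who relied on the `/boot/vmlinuz-[KERNEL-VERSION]-surface-linux-surface` signing steps can still find them. Before merging, also confirm the wiki copy kept the pieces of the deleted text that are easy to lose in a move and matter for a working Secure Boot setup: the `extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6` line in mokconfig.cnf (without it sbsign-signed images are rejected by shim), the `-outform DER` / PEM conversion step since mokutil and sbsign take different formats, and the closing warning to back up `MOK.priv` and `MOK.der`, without which every future kernel update requires re-enrolling a new key.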