From c19f5e200fcf6983e009094c3709940b165eae97 Mon Sep 17 00:00:00 2001 From: Jan Niklas Richter Date: Thu, 4 Oct 2018 23:15:58 +0200 Subject: [PATCH] Fixes #261 and adds info on other linux distros --- SIGNING.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/SIGNING.md b/SIGNING.md index 9436285f5..99366eb0f 100644 --- a/SIGNING.md +++ b/SIGNING.md @@ -1,7 +1,10 @@ # Signing a custom kernel for Secure Boot -(Instructions are for ubuntu, but should work similar for other distros, if they are using shim -and grub as bootloader.) +Instructions are for ubuntu, but should work similar for other distros, if they are using shim +and grub as bootloader. If your distro is not using shim (e.g. Linux Foundation Preloader), there +should be similar steps to complete the signing (e.g. HashTool instead of MokUtil for LF Preloader) +or you can install shim to use instead. The ubuntu package for shim is called `shim-signed`, but +please inform yourself on how to install it correctly, so you do not mess up your bootloader. Since the most recent GRUB2 update (2.02+dfsg1-5ubuntu1) in Ubuntu, GRUB2 does not load unsigned kernels anymore, as long as Secure Boot is enabled. Users of Ubuntu 18.04 will be notified during @@ -13,9 +16,11 @@ Thus you have three options to solve this problem: 2. You use a signed, generic kernel of your distro. 3. You disable Secure Boot. -Since option two and three are not really viable, these are the steps to sign the kernel yourself: +Since option two and three are not really viable, these are the steps to sign the kernel yourself. Instructions adapted from [the Ubuntu Blog](https://blog.ubuntu.com/2017/08/11/how-to-sign-things-for-secure-boot). +Before following, please backup your /boot/EFI directory, so you can restore everything. Follow +these steps on your own risk. 1. Create the config to create the signing key, save as mokconfig.cnf: ```
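Review bot: In the first hunk (`@@ -1,7 +1,10 @@`), the added sentence "please inform yourself on how to install it correctly, so you do not mess up your bootloader" warns about a risk but gives the reader nothing to act on. Replacing the bootloader chain is the most dangerous step this paragraph suggests, so either link to the distro's documentation for installing `shim-signed` or drop the suggestion and keep only the note that other preloaders have equivalent tools. Two smaller points in the same added lines: "ubuntu" should be capitalised to match "in Ubuntu" in the unchanged paragraph below, and the tool is invoked as `mokutil`, so writing it in lowercase and in backticks would make it easier to search for.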
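Review bot: In the second hunk (`@@ -13,9 +16,11 @@`), the added backup line names `/boot/EFI`, which probably does not exist on the Ubuntu systems these instructions target: a default Ubuntu install mounts the EFI system partition at `/boot/efi`, and the path is case-sensitive on the usual `/boot` filesystem. Please confirm the path and put it in backticks. "So you can restore everything" also overstates what the backup covers, since the later steps enroll a key with the MOK tooling mentioned in the first hunk, and that state is kept in firmware variables rather than in this directory; wording such as "so you can restore the bootloader files" would be accurate. Wording nits in the same lines: "backup" as a verb should be "back up", and "on your own risk" should be "at your own risk".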