+ === Secure boot

+ 

+ Create a new Machine Owner Key (MOK) to import to UEFI:

+ 

+ [source,bash]

+ ----

+ openssl req -new -x509 -newkey rsa:2048 -keyout "key.pem" \

+         -outform DER -out "cert.der" -nodes -days 36500 \

+         -subj "/CN=<your name>/"

+ ----

+ 

+ Import the new certificate into your UEFI database:

+ 

+ NOTE: You will be asked to authorize the import at next boot.

+ 

+ [source,bash]

+ ----

+ mokutil --import "cert.der"

+ ----

+ 

+ Create a PKCS #12 key file:

+ 

+ [source,bash]

+ ----

+ openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der

+ ----

+ 

+ You can then import the certificate and key into the nss database:

+ 

+ [source,bash]

+ ----

+ certutil -A -i cert.der -n "<MOK certificate nickname>" -d /etc/pki/pesign/ -t "Pu,Pu,Pu"

+ pk12util -i key.p12 -d /etc/pki/pesign

+ ----

+ 

+ Once the certificate and key are imported into your nss database, you can build the kernel

+ with the selected key by adding `%define pe_signing_cert <MOK certificate nickname>` to the

+ kernel.spec file or calling rpmbuild directly with the

+ `--define "pe_signing_cert <MOK certificate nickname>"` flag.

+ 

+ NOTE: While https://bugzilla.redhat.com/show_bug.cgi?id=1651020[bugzilla bug #1651020] is open

+ you might need to edit the line that starts with `+%pesign+` in the kernel spec file and substitute

+ it with `+pesign -c %{pe_signing_cert} --certdir /etc/pki/pesign/ -s -i $KernelImage -o vmlinuz.signed+`.

+