@@ -44,6 +44,8 @@
sudo dnf install qt3-devel libXi-devel gcc-c++
----
+ === Secure boot
+
Make sure you add the user doing the build to `/etc/pesign/users` and run the
authorize user script:
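Review bot: the new `=== Secure boot` heading is dropped directly in front of the existing `Make sure you add the user doing the build to /etc/pesign/users` paragraph, so the pesign setup that used to follow the `sudo dnf install qt3-devel libXi-devel gcc-c++` step becomes the first thing under the new section with no sentence saying what the section is for or why a build user needs pesign access. Suggest one intro line under the heading (the merge request description already has it: the Machine Owner Key lets you build a custom kernel that boots with Secure Boot enabled, and pesign is what signs the kernel image with it), and writing the feature as `Secure Boot`, the capitalisation used by the UEFI specification and shim.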
@@ -52,6 +54,48 @@
sudo /usr/libexec/pesign/pesign-authorize
----
+ Create a new Machine Owner Key (MOK) to import to UEFI:
+
+ [source,bash]
+ ----
+ openssl req -new -x509 -newkey rsa:2048 -keyout "key.pem" \
+ -outform DER -out "cert.der" -nodes -days 36500 \
+ -subj "/CN=<your name>/"
+ ----
+
+ Import the new certificate into your UEFI database:
+
+ NOTE: You will be asked to authorize the import at next boot.
+
+ [source,bash]
+ ----
+ mokutil --import "cert.der"
+ ----
+
+ Create a PKCS #12 key file:
+
+ [source,bash]
+ ----
+ openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der
+ ----
+
+ You can then import the certificate and key into the nss database:
+
+ [source,bash]
+ ----
+ certutil -A -i cert.der -n "<MOK certificate nickname>" -d /etc/pki/pesign/ -t "Pu,Pu,Pu"
+ pk12util -i key.p12 -d /etc/pki/pesign
+ ----
+
+ Once the certificate and key are imported into your nss database, you can build the kernel
+ with the selected key by adding `%define pe_signing_cert <MOK certificate nickname>` to the
+ kernel.spec file or calling rpmbuild directly with the
+ `--define "pe_signing_cert <MOK certificate nickname>"` flag.
+
+ NOTE: While https://bugzilla.redhat.com/show_bug.cgi?id=1651020[bugzilla bug #1651020] is open
+ you might need to edit the line that starts with `+%pesign+` in the kernel spec file and substitute
+ it with `+pesign -c %{pe_signing_cert} --certdir /etc/pki/pesign/ -s -i $KernelImage -o vmlinuz.signed+`.
+
It's also recommended that you install `ccache`, which can help speed up
rebuilds:
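Review bot: the PKCS #12 step cannot work as written: `openssl pkcs12 -export` reads the certificate given with `-in` as PEM, but the certificate was produced two blocks earlier with `-outform DER -out "cert.der"`, so `openssl pkcs12 -export -out key.p12 -inkey key.pem -in cert.der` fails to load the certificate and no `key.p12` is produced. Either drop `-outform DER` from the `openssl req` call and write `cert.pem`, deriving the DER copy that `mokutil --import` needs with `openssl x509 -in cert.pem -outform DER -out cert.der`, or convert the other way (`openssl x509 -inform DER -in cert.der -out cert.pem`) before the pkcs12 call; the `certutil -A -i cert.der` line accepts DER and can stay. Two smaller points in the same hunk: `mokutil --import` prompts for a one-time password that MokManager asks for again at the next boot, which the NOTE that says "You will be asked to authorize the import at next boot" should mention so the reader knows what to type there; and `-nodes -days 36500` leaves an unencrypted private key, valid for a century, sitting in the working directory. Since anything signed with that key will be trusted by the firmware once the MOK is enrolled, the section should tell the reader to keep `key.pem` out of the build tree and pick a validity period they actually intend to honour.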
The Machine Owner Key allows a user to build a custom kernel that is bootable using secure boot. This is the merge request for #91