Hi there,
I am running Fedora 35 and had to stick to kernel 5.15, so I found the xanmod kernels and I am really happy.
But it would be great to have Secure Boot supported to gain more security.
So I tried to sign the bootloader, the kernel and the modules while running 5.15.27-xm1tt.0.fc35.x86_64 …
This is what I did:
I generated the needed cert & key (MOK.priv, MOK.der, MOK.pem) and imported the der file via mokutil, rebooted and deployed the key … (I signed a vboxdrv.ko while running an original Fedora kernel and this worked).
Afterwards I ran this script:
```bash
#!/bin/bash
# Signs shim, the kernel image and all modules of one kernel version with a
# self-generated MOK (Machine Owner Key) that was enrolled via mokutil.
sign_kver="5.15.27-xm1tt.0.fc35.x86_64"
readonly hash_algo='sha256'
readonly key='/root/module-signing/MOK.priv'
readonly x509='/root/module-signing/MOK.der'
readonly cert='/root/module-signing/MOK.pem'

# The exact location of sign-file
# might vary depending on your platform.
# A variable is used instead of an alias: aliases are not expanded in
# non-interactive bash scripts, so an aliased sign-file would not be found.
sign_file="/usr/src/kernels/$(uname -r)/scripts/sign-file"

# Ask for the key passphrase only if it was not passed in via the environment
# (-s keeps it from being echoed to the terminal).
[ -z "${KBUILD_SIGN_PIN}" ] && read -r -s -p "Passphrase for ${key}: " KBUILD_SIGN_PIN
export KBUILD_SIGN_PIN

# Sign shim64
sbsign --key "$key" --cert "$cert" /boot/efi/EFI/fedora/shimx64.efi --output /boot/efi/EFI/fedora/shimx64.efi

# Sign kernel
sbsign --key "$key" --cert "$cert" "/boot/vmlinuz-$sign_kver" --output "/boot/vmlinuz-$sign_kver"

# Sign modules in /lib...
modules=$(find "/lib/modules/$sign_kver/" -type f -name '*.ko')
for i in $modules; do "$sign_file" "${hash_algo}" "${key}" "${x509}" "$i"; done

# Sign modules in /usr/lib...
usrmodules=$(find "/usr/lib/modules/$sign_kver/" -type f -name '*.ko')
for i in $usrmodules; do "$sign_file" "${hash_algo}" "${key}" "${x509}" "$i"; done

# Install kernel
kernel-install -v add "${sign_kver}" "/usr/lib/modules/${sign_kver}/vmlinuz"
```
I checked the signature of the following (all checks were successful):
- the bootloader: pesign --show-signature --in=/boot/efi/EFI/fedora/shimx64.efi
certificate address is 0x7fd2fc659a18
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Microsoft Windows UEFI Driver Publisher
No signer email address.
No signing time included.
There were certs or crls included.
certificate address is 0x7fd2fc65bb58
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is t14
The signer's email address is mail@XXXXX.XX
Signing time: Fri Mar 11, 2022
There were certs or crls included.
- the kernel: pesign --show-signature --in=/boot/vmlinuz-$(uname -r)
certificate address is 0x7f7c295a6a48
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is t14
The signer’s email address is mail@XXXX.XX
Signing time: Fri Mar 11, 2022
There were certs or crls included.
- a module: modinfo -F signer /lib/modules/5.15.27-xm1tt.0.fc35.x86_64/kernel/net/ipv4/gre.ko
t14
So I rebooted, but I get this error message:
[FAILED] Failed to start Load kernel modules
and afterwards the boot process stops …
When Secure Boot is disabled in the BIOS settings, everything works like a charm …
Any hints???
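As an added example (not part of the post above, and not a xanmod or Fedora tool): a small Python checker that walks a module directory and reports which `.ko` files do not end in a well-formed module signature trailer. It parses the layout `scripts/sign-file` appends (the PKCS#7 DER blob, then the kernel's `struct module_signature`, then the magic string) using the same sanity rules the kernel applies before it verifies the signature against its keyrings. It checks presence and structure only, not the cryptographic signature; the signer name is pulled out of the DER with a simple commonName scan. The target directory, the sample module bytes used in the self-test and the `.ko.xz` handling are assumptions of this example.

```python
"""Report which kernel modules carry an appended module signature.

Added example, not part of the original post. It parses the trailer that
scripts/sign-file appends to a .ko: the PKCS#7 signature (DER), then the
kernel's struct module_signature, then a fixed magic string. The kernel
applies the same sanity rules in mod_check_sig() before it verifies the
PKCS#7 blob against its keyrings. Only presence and well-formedness are
checked here, not the signature itself.
"""
import lzma
import os
import struct
import sys

MAGIC = b"~Module signature appended~\n"
# struct module_signature (include/linux/module_signature.h):
# u8 algo, u8 hash, u8 id_type, u8 signer_len, u8 key_id_len, u8 pad[3], __be32 sig_len
SIG_INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2
OID_COMMON_NAME = b"\x06\x03\x55\x04\x03"  # DER encoding of OID 2.5.4.3 (id-at-commonName)


def parse_signature(data):
    """Return the PKCS#7 DER blob if `data` ends in a valid trailer, else None."""
    if not data.endswith(MAGIC):
        return None
    body = data[: -len(MAGIC)]
    if len(body) < SIG_INFO.size:
        return None
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(body[-SIG_INFO.size :])
    body = body[: -SIG_INFO.size]
    # For PKCS#7 the kernel requires the other fields to be zero: algorithm,
    # digest and signer identity live inside the PKCS#7 structure itself.
    if id_type != PKEY_ID_PKCS7 or algo or hash_ or signer_len or key_id_len:
        return None
    if sig_len == 0 or sig_len > len(body):
        return None
    return body[-sig_len:]


def append_signature(module, pkcs7):
    """Build the same trailer sign-file appends (used here for the self-test)."""
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7))
    return module + pkcs7 + info + MAGIC


def signer_common_name(pkcs7):
    """Heuristic: first commonName string in the DER (sign-file embeds issuer+serial, not the cert)."""
    pos = pkcs7.find(OID_COMMON_NAME)
    if pos < 0:
        return None
    pos += len(OID_COMMON_NAME)
    if pos + 2 > len(pkcs7):
        return None
    tag, length = pkcs7[pos], pkcs7[pos + 1]
    # UTF8String / PrintableString / T61String / IA5String with a short-form length
    if tag not in (0x0C, 0x13, 0x14, 0x16) or length >= 0x80:
        return None
    return pkcs7[pos + 2 : pos + 2 + length].decode("utf-8", "replace")


def read_module(path):
    """Read a module, transparently decompressing .ko.xz (zstd .ko.zst is not handled here)."""
    with open(path, "rb") as f:
        raw = f.read()
    return lzma.decompress(raw) if path.endswith(".xz") else raw


def scan_modules(root):
    """Map each module under `root` to its signer name, or None when unsigned or malformed."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".ko", ".ko.xz")):
                path = os.path.join(dirpath, name)
                sig = parse_signature(read_module(path))
                result[path] = signer_common_name(sig) if sig else None
    return result


if __name__ == "__main__":
    # Usage: python3 check_modsig.py /lib/modules/$(uname -r)
    root = sys.argv[1] if len(sys.argv) > 1 else "/lib/modules/" + os.uname().release
    modules = scan_modules(root)
    unsigned = sorted(p for p, s in modules.items() if s is None)
    print(f"{len(modules)} modules, {len(unsigned)} without a valid signature trailer")
    for p in unsigned:
        print("UNSIGNED:", p)
```

Run against the kernel version being signed to spot modules the signing loop missed (for example compressed modules that a `-name '*.ko'` find would skip); a module listed as UNSIGNED will be rejected by a kernel that enforces module signatures under Secure Boot.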