Great, I made it. Created my own MOK key in Fedora:
$ sudo certutil -d /etc/pki/pesign -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Secure Boot Signing Key Pu,Pu,Pu
Steps:
openssl req -config ./MOK.cnf -new -x509 -newkey rsa:4096 -nodes \
-days 36500 -outform DER -keyout "MOK.priv" -out "MOK.der"
sudo certutil -A -i MOK.der -n "Secure Boot Signing Key" -d /etc/pki/pesign/ -t "Pu,Pu,Pu"
sudo openssl pkcs12 -export -out MOK.p12 -inkey MOK.priv -in MOK.der
sudo pk12util -i MOK.p12 -d /etc/pki/pesign
And yeah obviously you also want to do:
sudo mokutil --import MOK.der
@kernellogger My certificate config as input was:
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
x509_extensions = v3
string_mask = utf8only
prompt = no
[ req_distinguished_name ]
countryName = FI
stateOrProvinceName = Pirkanmaa
localityName = Tampere
0.organizationName = Siltakatu Solutions Oy
commonName = Secure Boot Signing Key
emailAddress = jarkko.sakkinen@siltakatu.com
[ v3 ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage = codeSigning,1.3.6.1.4.1.311.10.3.6
nsComment = "OpenSSL Generated Certificate"
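Before enrolling a key with mokutil it is worth confirming that the DER file really carries what MOK.cnf asked for (codeSigning plus the Microsoft kernel-mode code signing OID, and CA:FALSE). The following checker is an added example, not code from this thread or from Fedora: a dependency-free DER walker that pulls the extendedKeyUsage and basicConstraints extensions out of a certificate. The `sample_cert` helper builds a constructed, unsigned certificate skeleton only so the checks can run without a real MOK.der; the script name `check_mok.py` is an assumption.

```python
#!/usr/bin/env python3
"""Sanity-check a DER-encoded MOK certificate before `mokutil --import`.

Usage: check_mok.py MOK.der   (DER input, as produced by `openssl req -outform DER`)
With no argument it checks a constructed sample instead.
"""
import sys

CODE_SIGNING = "1.3.6.1.5.5.7.3.3"                 # id-kp-codeSigning
MS_KERNEL_CODE_SIGNING = "1.3.6.1.4.1.311.10.3.6"  # the OID listed in MOK.cnf
EKU_EXTENSION = "2.5.29.37"                        # id-ce-extKeyUsage
BASIC_CONSTRAINTS = "2.5.29.19"                    # id-ce-basicConstraints


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def find_extensions(cert_der):
    """Collect X.509 extensions keyed by OID by walking the whole DER tree.

    An Extension is SEQUENCE { OID, [BOOLEAN critical], OCTET STRING value }, a
    shape that is distinctive enough inside a certificate for a generic walk.
    """
    found = {}

    def walk(data):
        for tag, value in iter_tlvs(data):
            if tag == 0x30:                         # SEQUENCE
                kids = list(iter_tlvs(value))
                if len(kids) in (2, 3) and kids[0][0] == 0x06 and kids[-1][0] == 0x04:
                    critical = len(kids) == 3 and kids[1][1] == b"\xff"
                    found[decode_oid(kids[0][1])] = (critical, kids[-1][1])
            if tag & 0x20:                          # constructed: descend
                walk(value)

    walk(cert_der)
    return found


def eku_oids(cert_der):
    """Return the EKU OIDs in the certificate ([] if the extension is absent)."""
    ext = find_extensions(cert_der).get(EKU_EXTENSION)
    if ext is None:
        return []
    _, seq, _ = read_tlv(ext[1], 0)                 # value is SEQUENCE OF OID
    return [decode_oid(v) for t, v in iter_tlvs(seq) if t == 0x06]


def is_ca(cert_der):
    """True only if basicConstraints says cA=TRUE (absent means FALSE)."""
    ext = find_extensions(cert_der).get(BASIC_CONSTRAINTS)
    if ext is None:
        return False
    _, seq, _ = read_tlv(ext[1], 0)
    return any(t == 0x01 and v == b"\xff" for t, v in iter_tlvs(seq))


def check_mok_cert(cert_der):
    """Return a list of problems; empty means the cert matches the MOK.cnf intent."""
    problems, ekus = [], eku_oids(cert_der)
    if CODE_SIGNING not in ekus:
        problems.append("missing codeSigning EKU")
    if MS_KERNEL_CODE_SIGNING not in ekus:
        problems.append("missing Microsoft kernel-mode code signing EKU (1.3.6.1.4.1.311.10.3.6)")
    if is_ca(cert_der):
        problems.append("basicConstraints has CA:TRUE; a MOK signing key should be CA:FALSE")
    return problems


def der(tag, content):
    """Encode one DER TLV (used only to build the constructed sample)."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(oid):
    """Encode a dotted OID as a complete DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def sample_cert(ekus, ca):
    """Constructed input: an unsigned certificate skeleton with just the two
    extensions the checks look at (not a valid X.509 cert, only its shape)."""
    eku = der(0x30, encode_oid(EKU_EXTENSION)
              + der(0x04, der(0x30, b"".join(encode_oid(o) for o in ekus))))
    bc = der(0x30, encode_oid(BASIC_CONSTRAINTS) + der(0x01, b"\xff")
             + der(0x04, der(0x30, der(0x01, b"\xff") if ca else b"")))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0xA3, der(0x30, eku + bc)))
    alg = der(0x30, encode_oid("1.2.840.113549.1.1.11") + der(0x05, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))


if __name__ == "__main__":
    if len(sys.argv) == 2:
        blob = open(sys.argv[1], "rb").read()
    else:
        blob = sample_cert([CODE_SIGNING, MS_KERNEL_CODE_SIGNING], ca=False)
    issues = check_mok_cert(blob)
    print("OK, EKUs: " + ", ".join(eku_oids(blob)) if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

The walk is deliberately generic rather than tied to the exact tbsCertificate layout, so it also works on certificates that carry extra extensions or a different signature algorithm. It expects DER; a PEM file would need to be base64-decoded first.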
Finally I wrote a small script:
#!/usr/bin/env bash
# Sign the PE image given as $1 with the MOK key held in the pesign NSS
# database, then replace the original with the signed copy.
set -euo pipefail
sudo pesign \
    --certificate 'Secure Boot Signing Key' \
    --in "$1" \
    --sign \
    --out "$1.signed"
sudo mv -v "$1"{.signed,}
Then I signed kernel-rt and:
$ sudo pesign --certificate 'Secure Boot Signing Key' --show-signature --in /boot/vmlinuz-6.12.0-0.rc7.20241113gtf1b785f4.459.vanilla.fc41.x86_64+rt
[sudo] password for jarkko:
---------------------------------------------
certificate address is 0x7ffb85b05208
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Red Hat Test Certificate
No signer email address.
Signing time: Wed Nov 13, 2024
There were certs or crls included.
---------------------------------------------
certificate address is 0x7ffb85b05900
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Secure Boot Signing Key
The signer's email address is jarkko.sakkinen@siltakatu.com
Signing time: Fri Nov 15, 2024
There were certs or crls included.
---------------------------------------------
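The `--show-signature` listing above is the evidence that the image now carries two signatures, the distro's and the MOK key's. As an added example (not the thread's script), the following wrapper signs an image the same way as the bash script earlier in the thread but only replaces the original once the listing actually names our key; it parses the output format shown above, and the sample text embedded for testing is copied from that output. The nickname and the use of `sudo` follow the thread; everything else is an assumption.

```python
#!/usr/bin/env python3
"""Sign a PE image with pesign and keep the result only if our MOK key is a signer.

Assumes pesign with its NSS database at /etc/pki/pesign and the key stored under
the nickname used earlier in the thread. Usage: sign_checked.py /boot/vmlinuz-...
"""
import re
import subprocess
import sys

NICK = "Secure Boot Signing Key"

# Sample `pesign --show-signature` output, copied from the listing in this thread.
SAMPLE_OUTPUT = """\
---------------------------------------------
certificate address is 0x7ffb85b05208
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Red Hat Test Certificate
No signer email address.
Signing time: Wed Nov 13, 2024
There were certs or crls included.
---------------------------------------------
certificate address is 0x7ffb85b05900
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Secure Boot Signing Key
The signer's email address is jarkko.sakkinen@siltakatu.com
Signing time: Fri Nov 15, 2024
There were certs or crls included.
---------------------------------------------
"""


def parse_signatures(show_output):
    """Turn `pesign --show-signature` text into one dict per signature block."""
    sigs = []
    for block in re.split(r"^-{5,}\s*$", show_output, flags=re.M):
        cn = re.search(r"^The signer's common name is (.+)$", block, re.M)
        if not cn:
            continue                                   # preamble or empty block
        email = re.search(r"^The signer's email address is (.+)$", block, re.M)
        when = re.search(r"^Signing time: (.+)$", block, re.M)
        sigs.append({
            "cn": cn.group(1).strip(),
            "email": email.group(1).strip() if email else None,
            "time": when.group(1).strip() if when else None,
        })
    return sigs


def signed_by(show_output, nick):
    """True if some signature block names `nick` exactly as the signer."""
    return any(s["cn"] == nick for s in parse_signatures(show_output))


def run_pesign(*args):
    """Run pesign under sudo and return its stdout (raises on non-zero exit)."""
    return subprocess.run(["sudo", "pesign", *args], check=True,
                          capture_output=True, text=True).stdout


def sign_image(path, nick=NICK):
    """Sign `path` to `path.signed`, verify the listing names `nick`, then move it into place."""
    signed = path + ".signed"
    run_pesign("--certificate", nick, "--in", path, "--sign", "--out", signed)
    listing = run_pesign("--certificate", nick, "--show-signature", "--in", signed)
    if not signed_by(listing, nick):
        subprocess.run(["sudo", "rm", "-f", signed], check=False)
        raise RuntimeError(f"refusing to replace {path}: no signature by {nick!r}")
    subprocess.run(["sudo", "mv", "-v", signed, path], check=True)
    return [s["cn"] for s in parse_signatures(listing)]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"usage: {sys.argv[0]} IMAGE", file=sys.stderr)
        sys.exit(2)
    print("signers now:", ", ".join(sign_image(sys.argv[1])))
```

Matching on the exact common name rather than a substring matters here: a key whose CN merely contains the expected text would otherwise pass the check.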
@kernellogger and it boots:
$ mokutil --sb-state
SecureBoot enabled
$ mokutil --list-enrolled
2bb010e24d fedoraca
f5476e8353 Secure Boot Signing Key
@jarkko @kernellogger If you're signing images with your own key, is there a reason to play with shim/MOK instead of replacing the PK and going from there?
@jarkko thx for sharing your steps! 👍
> One thing that would be nice
Fedora, from what I've heard, has since version 41 had something to automatically sign nvidia's modules with a local key. I guess it would just need someone motivated enough to extend that solution to also sign locally installed non-Fedora kernels.