Conversation

Jarkko Sakkinen

Great, I made it. Created my own MOK key in Fedora:

$ sudo certutil -d /etc/pki/pesign -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Secure Boot Signing Key                                      Pu,Pu,Pu

Steps:

openssl req -config ./MOK.cnf -new -x509 -newkey rsa:4096 -nodes \
            -days 36500 -outform DER -keyout "MOK.priv" -out "MOK.der"
sudo certutil -A -i MOK.der -n "Secure Boot Signing Key" -d /etc/pki/pesign/ -t "Pu,Pu,Pu"
sudo openssl pkcs12 -export -out MOK.p12 -inkey MOK.priv -in MOK.der
sudo pk12util -i MOK.p12 -d /etc/pki/pesign

And yeah obviously you also want to do:

sudo mokutil --import MOK.der

#fedora #linux

1
1
1
@kernellogger This how you do it. Then it is just matter using the name as reference in the spec for that attribute of which name I cannot recall ATM. In this case: ""Secure Boot Signing Key"
1
0
0

@kernellogger My certificate config as input was:

[ req ]
default_bits            = 4096
distinguished_name      = req_distinguished_name
x509_extensions         = v3
string_mask             = utf8only
prompt                  = no

[ req_distinguished_name ]
countryName             = FI
stateOrProvinceName     = Pirkanmaa
localityName            = Tampere
0.organizationName      = Siltakatu Solutions Oy
commonName              = Secure Boot Signing Key
emailAddress            = jarkko.sakkinen@siltakatu.com

[ v3 ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
basicConstraints        = critical,CA:FALSE
extendedKeyUsage        = codeSigning,1.3.6.1.4.1.311.10.3.6
nsComment               = "OpenSSL Generated Certificate"
1
0
0

@kernellogger

Finally I wrote a small script:

#!/usr/bin/env bash

sudo pesign \
  --certificate 'Secure Boot Signing Key' \
  --in "$1" \
  --sign \
  --out "$1.signed"
sudo mv -v "$1"{.signed,}

Then I signed kernel-rt and:

$ sudo pesign --certificate 'Secure Boot Signing Key' --show-signature --in /boot/vmlinuz-6.12.0-0.rc7.20241113gtf1b785f4.459.vanilla.fc41.x86_64+rt
[sudo] password for jarkko: 
---------------------------------------------
certificate address is 0x7ffb85b05208
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Red Hat Test Certificate
No signer email address.
Signing time: Wed Nov 13, 2024
There were certs or crls included.
---------------------------------------------
certificate address is 0x7ffb85b05900
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Secure Boot Signing Key
The signer's email address is jarkko.sakkinen@siltakatu.com
Signing time: Fri Nov 15, 2024
There were certs or crls included.
---------------------------------------------
1
0
0

@kernellogger and it boots:

$ mokutil --sb-state
SecureBoot enabled

~ main ⇡
$ mokutil --list-enrolled
2bb010e24d fedoraca
f5476e8353 Secure Boot Signing Key
1
0
0

Jarkko Sakkinen

Edited 1 month ago
@kernellogger After doing this I learned about efikeygen but since this does the right thing with basic tools I'm not sure if it makes sense to complicate it with extra shenanigans :-) Not going to fix a working solution I guess.
One thing that would be nice if Fedora could sign installed Linux images with a custom MOK key. That would make all seamless. It's a better solution than doing it in build.
2
0
0

@jarkko @kernellogger If you're signing images with your own key, is there a reason to play with shim/MOK instead of replacing the PK and going from there?

1
0
0
@shenki @kernellogger mok is actually somewhat easy
0
0
0

@jarkko thx for sharing your steps! 👍

> One thing that would be nice

Fedora from what I've heard since version 41 has something to automatically sign nvidia's modules with a local key. I guess it would just need someone motivated enough to extend that solution to also sign locally installed non-fedora kernels

1
0
1
@kernellogger yeah, it's pretty trivial. also machine owner keys used for both system and user could in principle live inside TPM (which would kind of logically make sense as it identifies the machine).
0
0
0