On Wed, 3 Feb 2021 15:42:54 -0500 Jonathan Billings billings@negate.org wrote:
> On Wed, Feb 03, 2021 at 01:34:02PM -0700, stan via users wrote:
> > On Wed, 3 Feb 2021 14:59:16 -0500 Jonathan Billings billings@negate.org wrote:
> > > The only alternative is to sign the kernel modules with your own certificate, and load that certificate into the firmware as a valid Secure Boot CA.
> > > https://docs.fedoraproject.org/en-US/fedora/f33/system-administrators-guide/...
> > I see from that page a signing program called sign-file, but no mention of pesign. Is pesign deprecated, or is sign-file just an alternate way of signing?
> Best I understand, pesign is for signing UEFI binaries. sign-file is for signing a kernel module.
Thanks, that explains why the results of the commands on the page you gave told me my system wasn't secure booting, and didn't mention my private signing key for UEFI that I use to sign the kernel.
$ mokutil --sb-state
This system does't support Secure Boot

# keyctl list %:.builtin_trusted_keys
1 key in keyring:
439922868: ---lswrv 0 0 asymmetric: Fedora kernel signing key: 8ba4f0101defedadc01c847442f27f5ca183572c
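As an added example (not part of the original messages), this shell sketch checks whether the key that signed a module appears in a `keyctl list` listing such as the one above. It assumes the `sig_key` value printed by `modinfo -F sig_key` is the colon-separated, upper-case form of the hex ID at the end of each keyring line; the function names and the sample `sig_key` are constructed for illustration.

```shell
#!/bin/sh
# Added example: match a module's signer against a trusted-keyring listing.

# Print the hex key IDs found in `keyctl list` output read from stdin.
# Key lines end in ": <hex id>"; headers like "1 key in keyring:" are skipped.
keyring_ids() {
    sed -n 's/^.*asymmetric: .*: \([0-9A-Fa-f]\{8,\}\)[[:space:]]*$/\1/p' |
        tr 'A-F' 'a-f'
}

# Normalise a modinfo sig_key ("8B:A4:F0:...") to lowercase hex without colons.
normalise_sig_key() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# signer_trusted SIG_KEY KEYRING_TEXT
# Returns 0 if the signer is listed, 1 if it is not, 2 if SIG_KEY is empty
# (an empty value is what an unsigned module would yield).
signer_trusted() {
    want=$(normalise_sig_key "$1")
    [ -n "$want" ] || return 2
    printf '%s\n' "$2" | keyring_ids | grep -qxF -- "$want"
}

# Constructed sample: the keyring listing quoted in the thread, and the same
# ID written the way the sig_key field is assumed to be formatted.
SAMPLE_KEYRING='1 key in keyring:
439922868: ---lswrv 0 0 asymmetric: Fedora kernel signing key: 8ba4f0101defedadc01c847442f27f5ca183572c'
SAMPLE_SIG_KEY='8B:A4:F0:10:1D:EF:ED:AD:C0:1C:84:74:42:F2:7F:5C:A1:83:57:2C'

if signer_trusted "$SAMPLE_SIG_KEY" "$SAMPLE_KEYRING"; then
    echo "signer is in the listed keyring"
else
    echo "signer is NOT in the listed keyring"
fi

# On a live system (run as root, MODULE is a placeholder):
#   signer_trusted "$(modinfo -F sig_key MODULE)" \
#                  "$(keyctl list %:.builtin_trusted_keys)"
```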