On Tue, 11 Jun 2019 00:46:20 -0400
Samuel Sieb <samuel(a)sieb.net> wrote:
On 6/10/19 6:57 PM, stan via users wrote:
> Thanks. According to that, not only the kernel has to be signed,
> but all the modules that the kernel will load. Whew! That is a
> real hurdle, and a show stopper, unless there is a process to do
> that during build. I'll have to investigate. It is probably why my
> custom kernel wouldn't boot, as I didn't sign any modules, only the
> kernel vmlinuz.
You also used mokutil to load the key in the firmware? You should
have received a prompt at boot to accept it.
Yes, I did, and it accepted it. When I run pesign -S -i on the signed
kernel it shows that it was signed,
pesign -S -i vmlinuz-5.2.0-0.rc3.git3.1.20190609.fc31.x86_64
---------------------------------------------
certificate address is 0x7f254f09c4a8
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Red Hat Test Certificate
No signer email address.
Signing time: Sun Jun 09, 2019
There were certs or crls included.
---------------------------------------------
certificate address is 0x7f254f09cfa0
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Organization signing key
The signer's email address is e-mail address
Signing time: Mon Jun 10, 2019
There were certs or crls included.
Based on things I've discovered while building a new kernel, I think
that the problem might be a missing ISO8859-1 module in the kernel.
When I boot the custom kernel with secure boot turned off, it fails
because it cannot load /boot/efi because it is missing that module.
When I add it to the build, the boot succeeds. I wonder if the error
message is misleading, and it is actually failing because it can't get
to the information in the /boot/efi directory that it needs to check
the signature. Will be checking that after I sign the new kernel that
successfully boots. I'm thinking of creating new keys now that I am
more familiar with the process, keys I specify rather than accepting
defaults. Maybe writing a simple script for creating and signing.
The other thing that is a positive, is that the kernel automatically
signs all modules during build if configured to do so, which I have, so
I don't have to worry about that. I'm using sha512, while the stock
kernels use sha256, but that shouldn't make a difference, as long as
the validation takes its cue from the kernel declaration, rather than
being hard coded.