On Tue, 11 Jun 2019 00:46:20 -0400 Samuel Sieb <samuel@xxxxxxxx> wrote: > On 6/10/19 6:57 PM, stan via users wrote: > > Thanks. According to that, not only the kernel has to be signed, > > but all the modules that the kernel will load. Whew! That is a > > real hurdle, and a show stopper, unless there is a process to do > > that during build. I'll have to investigate. It is probably why my > > custom kernel wouldn't boot, as I didn't sign any modules, only the > > kernel vmlinuz. > > You also used mokutil to load the key in the firmware? You should > have received a prompt at boot to accept it. Yes, I did, and it accepted it. When I run pesign -S -i on the signed kernel it shows that it was signed, pesign -S -i vmlinuz-5.2.0-0.rc3.git3.1.20190609.fc31.x86_64 --------------------------------------------- certificate address is 0x7f254f09c4a8 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is Red Hat Test Certificate No signer email address. Signing time: Sun Jun 09, 2019 There were certs or crls included. --------------------------------------------- certificate address is 0x7f254f09cfa0 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is Organization signing key The signer's email address is e-mail address Signing time: Mon Jun 10, 2019 There were certs or crls included. Based on things I've discovered while building a new kernel, I think that the problem might be a missing ISO8859-1 module in the kernel. When I boot the custom kernel with secure boot turned off, it fails because it cannot load /boot/efi because it is missing that module. When I add it to the build, the boot succeeds. I wonder if the error message is misleading, and it is actually failing because it can't get to the information in the /boot/efi directory that it needs to check the signature. Will be checking that after I sign the new kernel that successfully boots. I'm thinking of creating new keys now that I am more familiar with the process, keys I specify rather than accepting defaults. Maybe writing a simple script for creating and signing. The other thing that is a positive, is that the kernel automatically signs all modules during build if configured to do so, which I have, so I don't have to worry about that. I'm using sha512, while the stock kernels use sha256, but that shouldn't make a difference, as long as the validation takes its cue from the kernel declaration, rather than being hard coded. _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
