On Wed, 3 Feb 2021 15:42:54 -0500 Jonathan Billings <billings@xxxxxxxxxx> wrote: > On Wed, Feb 03, 2021 at 01:34:02PM -0700, stan via users wrote: > > > > On Wed, 3 Feb 2021 14:59:16 -0500 > > Jonathan Billings <billings@xxxxxxxxxx> wrote: > > > > > The only alternative is to sign the kernel modules with your own > > > certificate, and load that certificate into the firmware as a > > > valid Secure Boot CA. > > > > > > https://docs.fedoraproject.org/en-US/fedora/f33/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/#sect-signing-kernel-modules-for-secure-boot > > > > > > > I see from that page a signing program called sign-file, but no > > mention of pesign. Is pesign deprecated, or is sign-file just an > > alternate way of signing? > > Best I understand, pesign is for signing UEFI binaries. sign-file is > for signing a kernel module. Thanks, that explains why the results of the commands on the page you gave told me my system wasn't secure booting, and didn't mention my private signing key for UEFI that I use to sign the kernel. $ mokutil --sb-state This system does't support Secure Boot # keyctl list %:.builtin_trusted_keys 1 key in keyring: 439922868: ---lswrv 0 0 asymmetric: Fedora kernel signing key: 8ba4f0101defedadc01c847442f27f5ca183572c _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
