Re: Building custom kernels

On 03.03.2021 at 17:01, stan via devel wrote:
On Wed, 3 Mar 2021 14:27:16 +0100
Julian Sikorski <belegdol@xxxxxxxxx> wrote:

On 03.03.21 at 14:00, Dominik 'Rathann' Mierzejewski wrote:

There seems to be some documentation on the wiki:
https://fedoraproject.org/wiki/BuildingUpstreamKernel#Sign_the_kernel_for_Secure_Boot

Regards,
Dominik
This explains how to sign a kernel build locally with make, not how
to make mock & rpmbuild use a self-signed certificate for the RPM
package.

I build a custom kernel tuned for my system from Fedora src.rpms
locally using rpmbuild (older technique without mock). I then install it
using dnf -C and sign it using a method similar to the above (pesign
instead of sbsign). What do you gain by having the rpms signed?
My thought is, if a person has the authority to run dnf to install
local packages on the system, secure boot is meaningless as protection.
Is it that you want the build process to sign the kernel in the rpm
package with your local keys so you don't have to go through the
process of signing the kernel after it is installed?  If that is what
you want, and you get it working, would you post the technique here.

Hi,

I did actually manage to get this working; big thanks go to chenxiaolong for their guide [1]. I did mix-and-match some of the info from Fedora docs [2][3], mainly regarding how to create a certificate. It basically goes like:

1. Create certs with openssl
2. import them with certutil and pk12util as per [3]
3. add self to /etc/pesign/users
4. run sudo /usr/libexec/pesign/pesign-authorize
5. restart pesign service
6. unlock database (pesign-client -u)
7. add config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/var/run/pesign', '/var/run/pesign')) to mock site-defaults.cfg
8. work around bugs
9. run mock adding -D 'pe_signing_token NSS Certificate DB' -D 'pe_signing_cert foo'
10. enroll the cert on the target machine

It is worth noting that for some reason the pe_signing_cert nickname was not the one I specified using the certutil -n parameter, but an amalgamation of the O and CN values from the certificate. Check with certutil -L to be sure. Moreover, while bug 1508094 mentioned by chenxiaolong is fixed, there are two more bugs which need to be worked around for all of this to work [4][5]. Finally, the rationale: given that the Renoir APU s0ix patches have just missed the 5.12 merge window from the looks of it, I will likely have to keep building my own kernels for a while. Getting the rpm signed automatically saves me a lot of time. Disabling Secure Boot causes Windows to ask for the DriveLock recovery password, so it is not an option.

Best regards,
Julian

[1] https://gist.github.com/chenxiaolong/520914b191f17194a0acdc0e03122e63
[2] https://docs.fedoraproject.org/en-US/fedora/f33/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/
[3] https://docs.fedoraproject.org/en-US/quick-docs/kernel/build-custom-kernel/
[4] https://bugzilla.redhat.com/show_bug.cgi?id=1880858
[5] https://bugzilla.redhat.com/show_bug.cgi?id=1934719
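The ten steps from the post above, as an added example script that is not code from the post, from pesign or from mock. The certificate subject (O and CN), the requested nickname, the NSS database path, the mock chroot, the source RPM and the working directory are assumed placeholders; the certutil, pk12util, pesign-client, mokutil and pesign flags follow those tools' documentation, and the two -D keys are the ones from the post. Step 8 (the two Bugzilla workarounds) is not scripted. Because the post reports that the nickname pesign needs is not the one given to certutil -n, the script reads the real nickname back from `certutil -L` before calling mock instead of trusting the requested one.

```shell
#!/bin/sh
# Added example for this thread (not code from the post, pesign or mock).
# Placeholders (assumptions): CERT_O, CERT_CN, NICK, NSSDB, WORK, MOCK_ROOT, SRPM.
set -eu

CERT_O="${CERT_O:-Example Org}"                     # placeholder O= for the cert
CERT_CN="${CERT_CN:-Local Kernel Signing}"          # placeholder CN= for the cert
NICK="${NICK:-localkernel}"                         # nickname requested via certutil -n
NSSDB="${NSSDB:-/etc/pki/pesign}"                   # pesign's NSS database (assumed path)
WORK="${WORK:-${HOME:-/tmp}/kernel-signing}"        # where key/cert files are kept
MOCK_CFG="${MOCK_CFG:-/etc/mock/site-defaults.cfg}"
MOCK_ROOT="${MOCK_ROOT:-fedora-rawhide-x86_64}"     # placeholder mock chroot
SRPM="${SRPM:-kernel.src.rpm}"                      # placeholder source RPM

# Step 1: self-signed cert + key; PKCS#12 for pk12util, DER for mokutil.
make_cert() {
    mkdir -p "$WORK" && cd "$WORK"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=$CERT_O/CN=$CERT_CN" -keyout key.pem -out cert.pem
    openssl pkcs12 -export -out cert.p12 -inkey key.pem -in cert.pem
    openssl x509 -in cert.pem -outform DER -out cert.der
}

# Step 2: import the cert (trusted) and then the key bundle into pesign's NSS DB.
import_cert() {
    sudo certutil -d "$NSSDB" -A -i "$WORK/cert.pem" -n "$NICK" -t "CT,CT,CT"
    sudo pk12util -d "$NSSDB" -i "$WORK/cert.p12"
}

# Steps 3-6: allow this user to talk to pesignd, restart it, unlock the token.
authorize_user() {
    me="$(id -un)"
    grep -qx "$me" /etc/pesign/users || echo "$me" | sudo tee -a /etc/pesign/users
    sudo /usr/libexec/pesign/pesign-authorize
    sudo systemctl restart pesign
    pesign-client -t "NSS Certificate DB" -u
}

# Step 7: bind-mount the pesign socket directory into the chroot. The append
# is idempotent, so re-running the script never duplicates the line.
BIND_LINE="config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/var/run/pesign', '/var/run/pesign'))"
ensure_bind_mount() {   # $1 = mock config file (run this step as root)
    grep -qF -- "$BIND_LINE" "$1" || printf '%s\n' "$BIND_LINE" >> "$1"
}

# certutil -L prints two header lines, then "<nickname>   <trust flags>" per
# entry; this turns that listing (on stdin) into bare nicknames, one per line.
parse_nicknames() {
    awk 'NR > 2 && NF >= 2 { sub(/[[:space:]]+[^[:space:]]+$/, ""); print }'
}
# The DB entry whose (O + CN amalgamated) nickname contains our CN.
signing_nickname() {
    certutil -d "$NSSDB" -L | parse_nicknames | grep -F -- "$CERT_CN" | head -n 1
}

# Step 9: rebuild in mock with the token and the real nickname from the DB.
build_signed() {
    nick="$(signing_nickname)"
    [ -n "$nick" ] || { echo "no NSS entry containing CN '$CERT_CN'; check: certutil -d $NSSDB -L" >&2; exit 1; }
    mock -r "$MOCK_ROOT" --rebuild "$SRPM" \
        -D "pe_signing_token NSS Certificate DB" -D "pe_signing_cert $nick"
}

# Step 10 (target machine): queue the cert for MOK enrolment, then confirm the
# installed image actually carries a signature.
enroll_and_verify() {   # $1 = installed kernel image, e.g. /boot/vmlinuz-<version>
    sudo mokutil --import "$WORK/cert.der"   # complete in MokManager on next reboot
    pesign -S -i "$1"
}

case "${1:-}" in
    cert)        make_cert ;;
    import)      import_cert ;;
    authorize)   authorize_user ;;
    mock-config) ensure_bind_mount "$MOCK_CFG" ;;
    build)       build_signed ;;
    enroll)      enroll_and_verify "${2:?kernel image path}" ;;
    "")          : ;;   # no subcommand: only define the functions
    *)           echo "usage: $0 cert|import|authorize|mock-config|build|enroll <vmlinuz>" >&2; exit 2 ;;
esac
```

Run the subcommands in order on the build host (`sh sign-kernel.sh cert`, then `import`, `authorize`, `sudo sh sign-kernel.sh mock-config`, `build`) and `enroll` on the target. Anything signed with this key boots under Secure Boot on every machine where the cert is enrolled, so key.pem and the NSS database deserve the same protection as root on the build host.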
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure