W dniu 03.03.2021 o 17:01, stan via devel pisze:
On Wed, 3 Mar 2021 14:27:16 +0100
Julian Sikorski <belegdol@xxxxxxxxx> wrote:
Am 03.03.21 um 14:00 schrieb Dominik 'Rathann' Mierzejewski:
There seems to be some documentation on the wiki:
https://fedoraproject.org/wiki/BuildingUpstreamKernel#Sign_the_kernel_for_Secure_Boot
Regards,
Dominik
This explains how to sign a kernel build locally with make, not how
to make mock & rpbmbuild use a self-signed certificate for the RPM
package.
I build a custom kernel tuned for my system from Fedora src.rpms
locally using rpmbuild (older technique without mock). I then install it
using dnf -C and sign it using a method similar to the above (pesign
instead of sbsign). What do you gain by having the rpms signed?
My thought is, if a person has the authority to run dnf to install
local packages on the system, secure boot is meaningless as protection.
Is it that you want the build process to sign the kernel in the rpm
package with your local keys so you don't have to go through the
process of signing the kernel after it is installed? If that is what
you want, and you get it working, would you post the technique here.
Hi,
I did actually manage to get this working, big thanks go to chenxiaolong
for their guide [1]. I did mix-and-match some of the info from Fedora
docs [2][3], mainly regarding how to create a certificate. It basically
goes like:
1. Create certs with openssl
2. import them with certutil and pk12util as per [3]
3. add self to /etc/pesign/users
4. run sudo /usr/libexec/pesign/pesign-authorize
5. restart pesign service
6. unlock database (pesign-client -u)
7. add
config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/var/run/pesign',
'/var/run/pesign')) to mock site-defaults.cfg
8. work around bugs
9. run mock adding -D 'pe_signing_token NSS Certificate DB' -D
'pe_signing_cert foo'
10. enroll the cert on the target machine
It is worth noting that for some reason the pe_signing_cert nickname was
not the one I specified using certutil -n parameter, but an amalgamation
of O and CN values from the certificate. Check with certutil -L to be sure.
Moreover, while bug 1508094 mentioned by chenxiaolong is fixed, there
are two more bugs which need to be worked around for all of this to work
[4][5].
Finally, the rationale: given that the Renoir APU s0ix patches have just
missed 5.12 merge window from the looks of it, I will likely have to
keep building my own kernels for a while. Getting the rpm signed
automatically saves me a lot of time. Disabling secure boot causes
windows to ask for drivelock recovery password so it is not an option
Best regards,
Julian
[1] https://gist.github.com/chenxiaolong/520914b191f17194a0acdc0e03122e63
[2]
https://docs.fedoraproject.org/en-US/fedora/f33/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/
[3]
https://docs.fedoraproject.org/en-US/quick-docs/kernel/build-custom-kernel/
[4] https://bugzilla.redhat.com/show_bug.cgi?id=1880858
[5] https://bugzilla.redhat.com/show_bug.cgi?id=1934719
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
