Thanks for doing the work and posting the result / solution.

On Wed, 3 Mar 2021 19:19:14 +0100
Julian Sikorski <belegdol@xxxxxxxxx> wrote:

> I did actually manage to get this working, big thanks go to
> chenxiaolong for their guide [1]. I did mix-and-match some of the
> info from Fedora docs [2][3], mainly regarding how to create a
> certificate. It basically goes like:
>
> 1. Create certs with openssl
> 2. import them with certutil and pk12util as per [3]
> 3. add self to /etc/pesign/users
> 4. run sudo /usr/libexec/pesign/pesign-authorize
> 5. restart pesign service
> 6. unlock database (pesign-client -u)
> 7. add
>    config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/var/run/pesign', '/var/run/pesign'))
>    to mock site-defaults.cfg
> 8. work around bugs
> 9. run mock adding -D 'pe_signing_token NSS Certificate DB' -D
>    'pe_signing_cert foo'
> 10. enroll the cert on the target machine
>
> It is worth noting that for some reason the pe_signing_cert nickname
> was not the one I specified using certutil -n parameter, but an
> amalgamation of O and CN values from the certificate. Check with
> certutil -L to be sure. Moreover, while bug 1508094 mentioned by
> chenxiaolong is fixed, there are two more bugs which need to be
> worked around for all of this to work [4][5].
> Finally, the rationale: given that the Renoir APU s0ix patches have
> just missed 5.12 merge window from the looks of it, I will likely
> have to keep building my own kernels for a while. Getting the rpm
> signed automatically saves me a lot of time. Disabling secure boot
> causes Windows to ask for drivelock recovery password so it is not an
> option.
>
> Best regards,
> Julian
>
> [1] https://gist.github.com/chenxiaolong/520914b191f17194a0acdc0e03122e63
> [2] https://docs.fedoraproject.org/en-US/fedora/f33/system-administrators-guide/kernel-module-driver-configuration/Working_with_Kernel_Modules/
> [3] https://docs.fedoraproject.org/en-US/quick-docs/kernel/build-custom-kernel/
> [4] https://bugzilla.redhat.com/show_bug.cgi?id=1880858
> [5] https://bugzilla.redhat.com/show_bug.cgi?id=1934719
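
Added example, not part of the original messages or of pesign/mock: a pre-flight check for the nickname caveat in the quoted procedure, confirming that the value meant for `pe_signing_cert` matches a nickname that `certutil -L` actually lists before mock is started. The function names and the sample listing are constructed for illustration; the NSS database directory is an argument the caller must supply.

```shell
#!/bin/sh
# Added example. The listing below is constructed to mimic `certutil -L`
# output; the nicknames in it are made up for illustration.
sample_listing() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Org Example Kernel Signing                           u,u,u
Example Org Example CA                                       CT,C,C
EOF
}

# Read `certutil -L` output on stdin and print one nickname per line.
# Nicknames may contain spaces, so strip only the trailing trust-flags
# column (three comma-separated flag groups, e.g. "u,u,u" or ",,").
nss_nicknames() {
    sed -n -E 's/^(.*[^[:space:]])[[:space:]]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[[:space:]]*$/\1/p'
}

# Succeed only if the exact nickname "$1" appears in the listing on stdin.
has_nickname() {
    nss_nicknames | grep -Fxq -- "$1"
}

# Pre-flight for a real build. Both arguments are supplied by the caller:
# $1 = NSS database directory used by pesign, $2 = value intended for
# -D 'pe_signing_cert ...'. Not invoked here so the demo runs offline.
preflight() {
    if certutil -d "$1" -L | has_nickname "$2"; then
        echo "ok: '$2' is present in $1"
    else
        echo "error: '$2' not found; nicknames in $1 are:" >&2
        certutil -d "$1" -L | nss_nicknames >&2
        return 1
    fi
}

# Demo on the constructed listing: the name passed to `certutil -n` ("foo")
# is absent, while the O+CN style nickname is what the database holds.
if sample_listing | has_nickname "foo"; then
    echo "foo: present"
else
    echo "foo: missing, use one of:"
    sample_listing | nss_nicknames
fi
```

Running `preflight` before step 9 turns a signing failure inside the mock chroot into an immediate, readable error on the host.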