Hello,
I'm trying to create signed images with Systemd mkosi and need some general help understanding how to implement it.
If this is not the correct forum for questions regarding mkosi then I apologize and humbly ask for directions to the correct forum :-)
My steps:
Host:
Ubuntu 20.04
mkosi 13
Target:
Ubuntu 22.04
1. Build image without SecureBoot.
2. Create custom PK, KEK and db.
3. Convert keys and certs to EFI format (auth & esl)
4. Update UEFI Firmware
5. Sign my image with db.key and db.crt
6. Activate Secure Boot
This image boots fine with Secure Boot.
Next I created another image without any SecureBoot options.
Signed bootloader with only db.key and db.crt and activated Secure Boot.
The image boots with Secure Boot.
Next I want to create a signed image:
Add to mkosi.default
SecureBoot=yes
SecureBootKey=/work/mkosi_fork/mkosi/test_keys/db.key
SecureBootCertificate=/work/mkosi_fork/mkosi/test_keys/db.crt
Output from build showing correct binaries are getting signed:
When I boot the image with Secure Boot enabled I get this error:
Error loading \xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\5.15.0-53-generic\linux: Access denied
Failed to execute Ubuntu 22.04 LTS (/xxxxxxxxxxxxxxxx/5.15.0.53-generic/linux access denied
Which I don't understand.
I re-created a new image with the wrong key and got the expected "Wrong Key"
But my initial error suggests that the image is signed correctly (which I can verify that it is) but that there is something else it is trying to do.
I noticed that when I manually signed the binaries the key was added to /boot/efi/db but not when built with mkosi.
The sbsign section in __init__.py is the same as when I did it manually.
If anyone has any idea on how to proceed I would be very thankful.
Best Regards,
Willie
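Added example (editor's, not part of Willie's post and not mkosi code): the post says the signed binaries were verified, and a useful first check when a Secure Boot firmware reports "Access denied" is to confirm which PE files on the ESP actually carry an embedded Authenticode signature table. The script below parses the PE/COFF headers with the standard library only, locates the Certificate Table data directory (index 4), walks the WIN_CERTIFICATE entries, and scans an ESP for `*.efi` files and Boot Loader Specification kernels named `linux`. It only tells you whether a signature is present and of which type; it does not validate the chain against your db, which remains `sbverify --cert db.crt <file>`. The default ESP path `/boot/efi`, the file-name filter, and the `build_sample_pe` helper with its placeholder DER blob are assumptions made for this example.

```python
"""Report which PE binaries under an ESP carry an Authenticode certificate table.

Stdlib only. Presence of a WIN_CERTIFICATE entry of type PKCS_SIGNED_DATA means
the file is signed by *someone*; whether the signer is in the firmware's db is
a separate question (sbverify --cert db.crt <file>).
"""
import struct
import sys
from pathlib import Path

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data directory slot of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def certificate_table(data: bytes):
    """Return (file_offset, size) of the certificate table, or None if the PE has none."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+ (x86_64 UEFI binaries)
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", data, num_dirs_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    off, size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size == 0:
        return None
    if off + size > len(data):               # truncated or tampered file
        raise ValueError("certificate table points outside the file")
    return off, size


def authenticode_entries(data: bytes):
    """Parse every WIN_CERTIFICATE entry in the table; [] for an unsigned binary."""
    table = certificate_table(data)
    if table is None:
        return []
    off, size = table
    end = off + size
    entries = []
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append({
            "revision": revision,
            "type": cert_type,
            "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
            "blob_len": length - 8,          # size of the embedded PKCS#7 SignedData
        })
        off += (length + 7) & ~7             # entries are 8-byte aligned
    return entries


def is_signed(data: bytes) -> bool:
    return any(e["pkcs7"] for e in authenticode_entries(data))


def scan_esp(root):
    """Map each PE binary under the ESP to True/False (signed) or an error string."""
    results = {}
    for p in Path(root).rglob("*"):
        # assumption: loaders/UKIs end in .efi, BLS type #1 kernels are named 'linux'
        if p.is_file() and (p.suffix.lower() == ".efi" or p.name == "linux"):
            try:
                results[str(p)] = is_signed(p.read_bytes())
            except ValueError as exc:
                results[str(p)] = f"error: {exc}"
    return results


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image for offline testing (no sections, not bootable)."""
    blob = b"\x30\x03\x02\x01\x00"           # placeholder DER, not a real PKCS#7 SignedData
    cert = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
    cert += b"\0" * (-len(cert) % 8)         # pad the entry to 8 bytes
    e_lfanew = 0x40
    opt_size = 112 + 16 * 8                  # PE32+ optional header with 16 data directories
    headers_len = e_lfanew + 4 + 20 + opt_size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(cert))
    image = dos + b"PE\0\0" + coff + bytes(opt)
    return image + cert if signed else image


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/boot/efi"
    for path, status in sorted(scan_esp(root).items()):
        label = "signed  " if status is True else "UNSIGNED" if status is False else status
        print(f"{label}  {path}")
```

Run it as `python3 esp_sigcheck.py /boot/efi` after mounting the ESP; a kernel listed as UNSIGNED while the loader is signed explains an "Access denied" from the firmware, whereas a signed kernel that still fails points at the signer not being in db, which `sbverify --cert db.crt` settles.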