Hi again. I tried to boot from UKI to no avail.

First created a "db" certificate

> openssl req -newkey rsa:2048 -nodes -keyout db_arch.key -new -x509 -sha256 -days 3650 -subj "/CN=My DB cert/" -out db.pem
> openssl x509 -outform DER -in db.pem -out db.crt

Then uploaded it to secure boot trust via USB drive and the UEFI setup.

Then created UKI:

> /usr/lib/systemd/ukify \
> /lib/modules/6.4.12-200.fc38.x86_64/vmlinuz \
> /boot/initramfs-6.4.12-200.fc38.x86_64.img \
> --pcr-private-key=/etc/systemd/tpm2-pcr-private-key.pem \
> --pcr-public-key=/etc/systemd/tpm2-pcr-public-key.pem \
> --phases='enter-initrd' \
> --pcr-banks=sha1,sha256 \
> --secureboot-private-key=/etc/secure_boot/db.key \
> --secureboot-certificate=/etc/secure_boot/db.pem \
> --sign-kernel \
> --cmdline='ro rhgb'

Then added a boot entry:

> efibootmgr -c -d /dev/sda -p 1 -l /EFI/FEDORA/UKI/VMLINUZ612.EFI -L "Fedora UKI"

Unfortunately when trying to boot this I get:

> Bad kernel image: Load Error

It seems like it is trying to boot, because momentarily I see a mouse cursor and then the terminal resets back and I see the error message. Actually I see it twice before the grub bootloader entry gets picked up.

Any ideas what I might be doing wrong? This is on Fedora 38.

On Tue, Sep 5, 2023 at 1:20 PM Lennart Poettering <lennart@xxxxxxxxxxxxxx> wrote:
>
> On Sa, 02.09.23 22:22, Aleksandar Kostadinov (akostadi@xxxxxxxxxx) wrote:
>
> > Looking at the PR [1] it looks like I need to do a lot of things at
> > each update manually. Is the thing in the comment the only thing I
> > need to do or are there other things as well?
>
> There's nowadays "ukify" that does all of this for you in one
> relatively easy step, it's our recommended approach to building UKIs
> these days.
>
> Lennart
>
> --
> Lennart Poettering, Berlin
>