Description of problem:
I build custom kernels so I can use an rtl2832 as an entropy gathering device. When I create local keys and sign those kernels using pesign, they show as signed, but the boot process does not recognize them. mokutil shows the key to be in the mok database.

Version-Release number of selected component (if applicable):
Name        : pesign
Version     : 0.112
Release     : 22.fc28
Architecture: x86_64

How reproducible:
Every time.

Steps to Reproduce:
1. Build a custom kernel
2. Sign with local key
3. See below for key creation process

Actual results:
Secure boot rejects the kernel, though it boots fine with secure boot turned off.

Expected results:
Secure boot boots kernel.

Additional info:
This is the procedure used to create the local signing keys to sign a custom kernel for UEFI secure boot. It is scrounged from a document by a SUSE developer, the Fedora pesign man page, and other bits and pieces from around the web. Since it isn't working, it might be wrong, though the parts I can examine seem to be working.

Perform while running in secure boot UEFI. If you are going to do this where security is important, you should do it on a USB key so you can remove it from the system when done. Here, I did it all in /root and in /etc/pki/pesign.

The configuration file needed for openssl to create the keys. Create in the home directory for root. You can cut and paste the below.

cat configuration_file.config
[ req ]
default_bits = 4096
distinguished_name = Fedora Installation
prompt = no
string_mask = utf8only
x509_extensions = myexts

[ Fedora Installation ]
O = TipTop
CN = kernel_signing_key
emailAddress = oort_cloud

[ myexts ]
basicConstraints=critical,CA:FALSE
keyUsage=digitalSignature
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid

=Creating the public and private key.
openssl req -x509 -new -newkey rsa:4096 -nodes -utf8 -sha256 -days 36500 -batch -config ./configuration_file.config -outform DER -out public_key.der -keyout private_key.priv

=Telling mok that on next boot, use root password to import key into its
=database. This is using root password for verification. Only works in secure
=boot.
mokutil -P --import public_key.der

=At next secure boot a dialog will come up. If you select the wrong entry, you
=will go down the rabbit hole, and will have to do the setup again as there
=doesn't seem to be any recovery. ESC doesn't take you up a level. I think it
=is the top entry you want.
=Check that it has been added with mokutil -l
=This only works when booted in UEFI secure boot.

=Converting der to pem using openssl.
openssl x509 -inform DER -in public_key.der -outform PEM -out public_key.pem

=Convert the private key and pem certificate to a pk12 structure.
openssl pkcs12 -export -inkey private_key.priv -in public_key.pem -name kernel_cert -out kernel_cert.p12
Enter Export Password:
Verifying - Enter Export Password:

=Import pkcs12 file into pesign db
pk12util -i kernel_cert.p12 -d /etc/pki/pesign
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL

=Replace vmlinuz.signed and bzImage with the vmlinuz of the kernel being signed.
=Sign the new kernel. Note that --force isn't implemented yet, so can't do in
=place.
pesign --certdir /etc/pki/pesign --certificate kernel_cert --in /boot/vmlinuz-5.2.0-0.rc4.git0.1.20190612.fc31.x86_64 --out /boot/vmlinuz-5.2.0-0.rc4.git0.1.20190612.fc31.x86_64.signed --sign

# Check signing
pesign -S -i vmlinuz-5.2.0-0.rc4.git0.1.20190612.fc31.x86_64.signed

Replace the original kernel with the signed version.

This is the custom kernel that fails to boot.
pesign -S -i /boot/vmlinuz-5.2.0-0.rc4.git0.1.20190610.fc31.x86_64
---------------------------------------------
certificate address is 0x7f62ad9cf4a8
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Red Hat Test Certificate
No signer email address.
Signing time: Mon Jun 10, 2019
There were certs or crls included.
---------------------------------------------
certificate address is 0x7f62ad9cffa0
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is kernel_signing_key
The signer's email address is oort_cloud
Signing time: Tue Jun 11, 2019
There were certs or crls included.
---------------------------------------------

This is a stock fedora kernel signed with the local key, and it *does* boot.
$ pesign -S -i /boot/vmlinuz-5.2.0-0.rc3.git0.1.fc31.x86_64
---------------------------------------------
certificate address is 0x7f978a627988
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Fedora Secure Boot Signer
No signer email address.
Signing time: Mon Jun 03, 2019
There were certs or crls included.
---------------------------------------------
certificate address is 0x7f978a6282d0
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is kernel_signing_key
The signer's email address is oort_cloud
Signing time: Wed Jun 12, 2019
There were certs or crls included.
---------------------------------------------
Solved. I had thought that the public key for Red Hat must be included in the key ring, since the binary was signed with it. But, when I removed the Red Hat certificate from my binary, it booted just fine in UEFI secure boot. So, everything is working as designed, I just missed a step of the process.

pesign --force -r -u 0 -i vmlinuz-5.2.0-0.rc4.git0.1.20190610.fc31.x86_64 -o vmlinuz-5.2.0-0.rc4.git0.1.20190610.fc31.x86_64.unsigned

Closing as notabug.
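An added helper, not part of this bug report or of pesign: it reads the listing that `pesign -S -i <kernel>` prints (the format shown above) and maps each signer to the 0-based signature index that `pesign -r -u N` takes, so a kernel carrying a signature from something other than the MOK-enrolled key (the Red Hat Test Certificate at index 0 in the failing kernel above) can be spotted before a reboot. The function names are mine, and the sample listing inside is constructed, modeled on the report's output.

```shell
#!/bin/sh
# Added example (not from the bug report): inspect `pesign -S` output for a
# signed kernel and map each signer to the 0-based index that `pesign -r -u N`
# removes. On a real image:  pesign -S -i /boot/vmlinuz-... | report_signatures kernel_signing_key

# One signer common name per line, in the order pesign lists the signatures
# (that order is the index numbering used by -u/--signum).
list_signers() {
    awk '/^The signer.s common name is /{ sub(/^The signer.s common name is /, ""); print }'
}

# Indexes (one per line) of signatures made by anyone other than $1.
foreign_signature_indexes() {
    list_signers | awk -v want="$1" '$0 != want { print (NR - 1) }'
}

# Exit 0 if some signature was made by the key named $1 (the MOK-enrolled CN).
has_local_signature() {
    list_signers | awk -v want="$1" '$0 == want { found = 1 } END { exit !found }'
}

# Verdict for a listing on stdin: every signature with its index, plus the strip
# command for the ones that are not the local key. Returns 1 if the local key is absent.
report_signatures() {
    listing=$(cat)
    printf '%s\n' "$listing" | list_signers | awk -v want="$1" '{
        if ($0 == want) print "signature " (NR - 1) ": " $0 " (local MOK key)"
        else print "signature " (NR - 1) ": " $0 " (other signer; strip with: pesign -r -u " (NR - 1) " -i IN -o OUT)"
    }'
    printf '%s\n' "$listing" | has_local_signature "$1"
}

# Constructed sample, shaped like the listing of the kernel that failed to boot:
# a test certificate at index 0, the local key at index 1.
sample_two_signers() {
    cat <<'EOF'
---------------------------------------------
Content is detached; signature cannot be verified.
The signer's common name is Red Hat Test Certificate
No signer email address.
---------------------------------------------
Content is detached; signature cannot be verified.
The signer's common name is kernel_signing_key
The signer's email address is oort_cloud
---------------------------------------------
EOF
}

sample_two_signers | report_signatures kernel_signing_key
```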