| Both sides previous revision Previous revision Next revision | Previous revision |
| uefi_secure_boot [2017/11/08 11:05] – brot | uefi_secure_boot [2018/03/05 13:49] (current) – external edit 127.0.0.1 |
|---|
| |
| #create new keys - save the passwords somewhere save, and create a backup of the keys. | #create new keys - save the passwords somewhere save, and create a backup of the keys. |
| openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot PK/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256 | openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot PK/" -keyout PK.key -out PK.crt -days 3650 -sha256 |
| openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot KEK/" -keyout KEK.key -out KEK.crt -days 3650 -nodes -sha256 | openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot KEK/" -keyout KEK.key -out KEK.crt -days 3650 -sha256 |
| openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot DB/" -keyout db.key -out db.crt -days 3650 -nodes -sha256 | openssl req -new -x509 -newkey rsa:2048 -subj "/CN=brot DB/" -keyout db.key -out db.crt -days 3650 -sha256 |
| |
| #get current state of the key-databases | #get current state of the key-databases |
| === Creating new kernel === | === Creating new kernel === |
| Now, with Secure Boot working, we want a faster method of creating new kernels and signing those. I use the following command line to generate new kernels. | Now, with Secure Boot working, we want a faster method of creating new kernels and signing those. I use the following command line to generate new kernels. |
| | |
| |
| <code bash> | <code bash> |
| export KVER=`make kernelversion` && make -j6 && make modules_install && dracut ./initramfs.img --force --no-compress -H $KVER --omit "i18n" --add-drivers i915 && cp /proc/cmdline ./cmdline.txt && objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline="./cmdline.txt" --change-section-vma .cmdline=0x30000 --add-section .linux="./arch/x86/boot/bzImage" --change-section-vma .linux=0x40000 --add-section .initrd="./initramfs.img" --change-section-vma .initrd=0x3000000 /usr/lib/systemd/boot/efi/linuxx64.efi.stub kernel-$KVER.efi && sbsign --key /root/efi-keys-try1/db.key --cert /root/efi-keys-try1/db.crt --output ./kernel-$KVER-signed.efi ./kernel-$KVER.efi && mount /boot/efi && cp ./kernel-$KVER-signed.efi /boot/efi/ | export KVER=`make kernelversion` && make -j6 && make modules_install && dracut ./initramfs.img --force --no-compress -H $KVER --omit "i18n" --add-drivers i915 && \ |
| | cp /proc/cmdline ./cmdline.txt && objcopy --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x20000 --add-section .cmdline="./cmdline.txt" \ |
| | --change-section-vma .cmdline=0x30000 --add-section .linux="./arch/x86/boot/bzImage" --change-section-vma .linux=0x40000 --add-section .initrd="./initramfs.img" \ |
| | --change-section-vma .initrd=0x3000000 /usr/lib/systemd/boot/efi/linuxx64.efi.stub kernel-$KVER.efi && \ |
| | sbsign --key /root/efi-keys-try1/db.key --cert /root/efi-keys-try1/db.crt --output ./kernel-$KVER-signed.efi ./kernel-$KVER.efi && mount /boot/efi && \ |
| | cp ./kernel-$KVER-signed.efi /boot/efi/ && echo -e "title Gentoo Linux signed\nversion $KVER\nlinux /kernel-$KVER-signed.efi" > /boot/efi/loader/entries/gentoo-$KVER.conf |
| </code> | </code> |
| |