Differences

This shows you the differences between two versions of the page.

uefi_secure_boot [2017/11/08 11:05]
brot
uefi_secure_boot [2018/03/05 13:49] (current)
Line 73: Line 73:
  
 #create new keys - save the passwords somewhere save, and create a backup of the keys. #create new keys - save the passwords somewhere save, and create a backup of the keys.
-openssl req -new -x509 -newkey rsa:2048 -subj "/​CN=brot PK/" -keyout PK.key -out PK.crt -days 3650 -nodes ​-sha256 +openssl req -new -x509 -newkey rsa:2048 -subj "/​CN=brot PK/" -keyout PK.key -out PK.crt -days 3650 -sha256 
-openssl req -new -x509 -newkey rsa:2048 -subj "/​CN=brot KEK/" -keyout KEK.key -out KEK.crt -days 3650 -nodes ​-sha256 +openssl req -new -x509 -newkey rsa:2048 -subj "/​CN=brot KEK/" -keyout KEK.key -out KEK.crt -days 3650 -sha256 
-openssl req -new -x509 -newkey rsa:2048 -subj "/​CN=brot DB/" -keyout db.key -out db.crt -days 3650 -nodes ​-sha256 ​+openssl req -new -x509 -newkey rsa:2048 -subj "/​CN=brot DB/" -keyout db.key -out db.crt -days 3650 -sha256 ​
  
 #get current state of the key-databases #get current state of the key-databases
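Review bot: the comment above the three `openssl req` lines still reads "save the passwords somewhere save" (should be "safe") and does not say that a passphrase is now required. With `-nodes` dropped, openssl prompts for a passphrase for each of PK.key, KEK.key and db.key, so the comment should state that three passphrases are set here and that every later step that reads these keys, such as the `sbsign --key .../db.key` call further down the page, will prompt for one. The new lines also carry trailing whitespace after `-sha256`, which can be trimmed.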
Line 153: Line 153:
 === Creating new kernel === === Creating new kernel ===
 Now, with Secure Boot working, we want a faster method of creating new kernels and signing those. I use the following command line to generate new kernels. Now, with Secure Boot working, we want a faster method of creating new kernels and signing those. I use the following command line to generate new kernels.
 +
  
 <code bash> <code bash>
-export KVER=`make kernelversion` && make -j6 && make modules_install && dracut ./​initramfs.img --force --no-compress -H $KVER --omit "​i18n"​ --add-drivers i915 && cp /​proc/​cmdline ./​cmdline.txt && objcopy --add-section .osrel=/​etc/​os-release --change-section-vma .osrel=0x20000 --add-section .cmdline="​./​cmdline.txt"​ --change-section-vma .cmdline=0x30000 --add-section .linux="​./​arch/​x86/​boot/​bzImage"​ --change-section-vma .linux=0x40000 --add-section .initrd="​./​initramfs.img"​ --change-section-vma .initrd=0x3000000 /​usr/​lib/​systemd/​boot/​efi/​linuxx64.efi.stub kernel-$KVER.efi && sbsign --key /​root/​efi-keys-try1/​db.key --cert /​root/​efi-keys-try1/​db.crt --output ./​kernel-$KVER-signed.efi ./​kernel-$KVER.efi && mount /boot/efi && cp ./​kernel-$KVER-signed.efi /boot/efi/+export KVER=`make kernelversion` && make -j6 && make modules_install && dracut ./​initramfs.img --force --no-compress -H $KVER --omit "​i18n"​ --add-drivers i915 && ​
 +cp /​proc/​cmdline ./​cmdline.txt && objcopy --add-section .osrel=/​etc/​os-release --change-section-vma .osrel=0x20000 --add-section .cmdline="​./​cmdline.txt" ​
 +--change-section-vma .cmdline=0x30000 --add-section .linux="​./​arch/​x86/​boot/​bzImage"​ --change-section-vma .linux=0x40000 --add-section .initrd="​./​initramfs.img" ​
 +--change-section-vma .initrd=0x3000000 /​usr/​lib/​systemd/​boot/​efi/​linuxx64.efi.stub kernel-$KVER.efi && ​
 +sbsign --key /​root/​efi-keys-try1/​db.key --cert /​root/​efi-keys-try1/​db.crt --output ./​kernel-$KVER-signed.efi ./​kernel-$KVER.efi && mount /boot/efi && ​
 +cp ./​kernel-$KVER-signed.efi /​boot/​efi/ ​&& echo -e "​title ​     Gentoo Linux signed\nversion ​   $KVER\nlinux ​     /​kernel-$KVER-signed.efi"​ > /​boot/​efi/​loader/​entries/​gentoo-$KVER.conf
 </​code>​ </​code>​
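Review bot: the line breaks added inside the `objcopy` invocation have no continuation character, so the command no longer pastes as one pipeline. The lines ending in `&&` continue correctly in bash, but the lines ending in `--add-section .cmdline="./cmdline.txt"` and `--add-section .initrd="./initramfs.img"` end the `objcopy` command early, and the following `--change-section-vma ...` lines are then run as commands of their own. Add a trailing `\` to those two lines, or break only after `&&`. The added empty `+` line before the `<code bash>` block looks unintentional. Separately, since db.key is now passphrase-protected, `sbsign` will stop for input in the middle of this chain, and the new `echo -e ... > /boot/efi/loader/entries/gentoo-$KVER.conf` step overwrites any existing entry for the same version without a check; both are worth a sentence in the paragraph above the block.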
  
uefi_secure_boot.txt · Last modified: 2018/03/05 13:49 (external edit)
CC Attribution-Noncommercial-Share Alike 4.0 International